Iptables – TCP traffic on port 1433 blocked by NAT rules

amazon-web-servicesiptablesnat;sql server

We have a SQL server that is hosted on AWS, the SQL server it not directly accessible on the internet, it relies on a NAT box to route traffic to it.

We are trying to set up a Linked SQL server from this server to another one outside of AWS, this requires the two SQL servers to talk to each other on port 1433 TCP.

The relevant sections from the iptable look like this:

target prot source destination

DNAT udp anywhere anywhere udp dpt:ms-sql-m to:172.10.10.10:1434

DNAT tcp anywhere anywhere tcp dpt:ms-sql-s to:172.10.10.10:1433

From our own testing we know that we can link any server to the one on AWS but not the other way around.

Does anything look wrong? The problem started occurring when our intfra engineer 'removed and added them same rules' Are there any clues in that? Is order relavent?

Using tracetcp we found the following:

Doing this command on the aws sql server 'tracetcp.exe 183.23.53.22 1433' where the ip is that of the other externally hosted server, it would get to the destination in 1 hop, but it would also do the same reguardless of any random ip address we tried.

enter image description here

Where as if we did the same command but on another other port other than 1433, it would hit the NAT box first and then do many hops

enter image description here

Best Answer

Check your iptables rules with iptables-save and re-post them. Verify that your DNAT rules have some method of excluding traffic originating from inside the network, for example -i <extif>, ! -i <intif>, or ! -s 172.10.10.10. I strongly suspect it is resending your packets back to the internal origin server.

Related Solutions

Linux – iptables port forward forwarding

You're sending the traffic to 10.52.208.221. Given the config you posted, your problem is the webserver, not the firewall. Your rules look to be correct. FORWARD and INPUT are redirected to RH-Firewall-1-INPUT where your first rule is to allow all traffic. As somebody else pointed out, you could be allowing all traffic on eth1, while the world is actually coming in eth0. Secondary, you have to NAT the traffic as it goes back out to the world

iptables --table nat --append POSTROUTING --proto tcp --dport 80 --jump MASQUERADE -o OUT_INTERFACE

Your traffic originating from the router will never hit the input or forward chains, but instead traverse the output chain on to the webserver. Other systems in that subnet will similarly go directly to the webserver. Systems out on the world at large however will traverse the INPUT / FORWARD chains and need SNAT as well as DNAT so that it appears to the world to be one machine. You still cannot test from within your network. you must test from the opposite interface from the webserver. Get me your IP addresses and I'll point you to the proper configs.

Linux – Unable to make outbound SNMP connections when IPTables is enabled

You must put

ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

before RH-Firewall-1-INPUT because of on RH-Firewall-1-INPUT rules there is REJECT on the end of line, the iptables read from top to down.

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 2 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

If you want to add using command line, you can use:

 iptables -I OUTPUT 1 -p udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I INPUT 1 -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

It should be like:

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED
 2 RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Best Answer

Related Solutions

Linux – iptables port forward forwarding

Linux – Unable to make outbound SNMP connections when IPTables is enabled

Related Topic