> I attached output of iptables, y.y.y. is my WAN IP range and x.x.x. is a
> range outside. Problematic REJECT rule can be found in FORWARD chain.

Upon further review, I think you'd be best to only match that rule on SYN packets, in addition to specifying the inbound interface. Something along the lines of:

    -A FORWARD -i $INTERNAL_IF -p tcp --syn -d $SQL_SERVER --dport 445 -j REJECT --reject-with tcp-reset

since the rule you're using, according to:

    Chain FORWARD (policy DROP 1 packets, 58 bytes)
     pkts bytes target  prot opt in  out  source     destination
        0     0 REJECT  tcp  --  *   *    0.0.0.0/0  sql.se.rv.er  tcp dpt:445 reject-with tcp-reset

is not narrowing down the interface/source, and is hit before any connection tracking occurs. I've never used "-j REJECT --reject-with tcp-reset" without also specifying "--syn" as it could have very odd results (and also doesn't make sense from a TCP perspective)... You should be able to test this from a client on the internal network by just typing "telnet <sql.srv.ip.addr> 445" and making sure you get back "Connection refused" instead of a timeout.

-j
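A small audit script for the problem described above, added here as an example and not part of the original thread: it reads rules in `iptables -S FORWARD` format and flags any `REJECT --reject-with tcp-reset` rule that is not limited to SYN packets, is not narrowed by `-i`/`-s`, or sits before the ESTABLISHED accept so that connection tracking never applies to it. The ruleset, interface name and addresses are constructed for the example.

```python
import shlex

# Constructed sample in `iptables -S FORWARD` format (not the poster's real ruleset). Rule 1 is the
# shape discussed in the thread: tcp-reset REJECT, no --syn, no -i/-s, placed before conntrack.
SAMPLE_RULES = """\
-A FORWARD -p tcp -m tcp --dport 445 -j REJECT --reject-with tcp-reset
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -d 192.0.2.10/32 -p tcp -m tcp --dport 445 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A FORWARD -i eth1 -p tcp -m tcp --dport 445 -j DROP
"""

def parse_rule(line):
    """Map each option (e.g. '-i', '--tcp-flags') to the list of values that follow it."""
    tokens, opts, i = shlex.split(line), {}, 0
    while i < len(tokens):
        j = i + 1
        while j < len(tokens) and not tokens[j].startswith("-"):
            j += 1
        if tokens[i].startswith("-"):  # a stray '!' (negation) is skipped
            opts.setdefault(tokens[i], []).extend(tokens[i + 1:j])
        i = j
    return opts

def is_syn_only(opts):
    """True if the rule matches SYN packets only (--syn, or its iptables-save form --tcp-flags ... SYN)."""
    flags = opts.get("--tcp-flags", [])
    return "--syn" in opts or (len(flags) == 2 and flags[1].upper() == "SYN")

def audit_tcp_reset_rules(rules_text):
    """Return [(rule, [problems])] for REJECT --reject-with tcp-reset rules in FORWARD."""
    findings, established_seen = [], False
    for line in rules_text.splitlines():
        if not line.startswith("-A FORWARD"):
            continue
        opts = parse_rule(line)
        states = opts.get("--ctstate", []) + opts.get("--state", [])
        if opts.get("-j") == ["ACCEPT"] and any("ESTABLISHED" in s for s in states):
            established_seen = True  # from here on, conntrack handles reply traffic
        if opts.get("-j") != ["REJECT"] or opts.get("--reject-with") != ["tcp-reset"]:
            continue
        problems = []
        if not is_syn_only(opts):
            problems.append("no --syn: resets would also answer mid-stream packets")
            if not established_seen:
                problems.append("sits before the ESTABLISHED accept, so conntrack never applies")
        if "-i" not in opts and "-s" not in opts:
            problems.append("no -i/-s: applies to every inbound interface and source")
        if problems:
            findings.append((line, problems))
    return findings
```

Running `audit_tcp_reset_rules(SAMPLE_RULES)` reports only the first rule, with all three problems; the third rule, written the way the reply suggests, passes.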