<citaat van="Mikhail">
> Hello,
>
> I have a small network of Windows boxes behind a Linux firewall/router. I run
> Debian Sarge 3.1 without X there. I have a server on the LAN that serves
> clients from the Internet over an RMI connection on a certain port. RMI is
> basically a connection-oriented TCP/IP protocol. I do DNAT for such requests
> to that local server. All is working fine so far.
>
> Problem: those clients from the Internet need direct access to the MS SQL
> server over TCP/IP on a different port. I want to open and DNAT the MS SQL
> port dynamically - if a client already has an ESTABLISHED connection over the RMI
> port I want to allow access to the MS SQL port, otherwise I'd like to drop the
> request. If the client got disconnected over RMI then it is OK to reject
> direct requests from him to MS SQL thereafter. How can this be accomplished
> with iptables?

Should be possible using reject. Something along these lines.

-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Maybe you restrict this more, for now accept RMI from everywhere
-A FORWARD -p tcp --dport $rmiport -j RMI
-A FORWARD -p tcp --dport $mssql -j MSSQL
... other rules ...
-A RMI -p tcp --tcp-flags FIN FIN -j RMIFIN
-A RMI -m recent --name rmi --set
-A RMI -j ACCEPT
-A RMIFIN -m recent --name rmi --remove
-A RMIFIN -j ACCEPT
-A MSSQL -m recent --name rmi --rcheck -j ACCEPT
-A MSSQL -j LOG --log-prefix "mssql without rmi "
-A MSSQL -j DROP

HTH,
M4
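The scheme in the reply, written out as a complete loadable ruleset. This is an added example, not code from the thread or from either poster. The port numbers, chain names and the 3600 s fallback timeout are assumptions; DNAT to the LAN hosts is assumed to be configured separately. Two points a defender will want beyond the sketch above: the FIN/RST rule that forgets a client is placed before the generic RELATED,ESTABLISHED accept, because a FIN on an established connection would otherwise be accepted there and never reach the RMI chain, and the `--rcheck` carries `--seconds` so that a client that vanishes without a proper teardown does not keep the MS SQL port open forever. Note that `recent` tracks the source address, so several clients behind one NAT share a single entry.

```shell
#!/bin/sh
# Added example (not from the thread): admit MS SQL connections only from a
# source address that currently holds an RMI connection, using the "recent"
# match. Port numbers, chain names and the timeout are placeholders.
# Set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"

rmi_gate_rules() {
    rmiport="$1"; mssqlport="$2"; ttl="$3"

    # Fresh user chains (create, or flush if they already exist).
    for c in RMI MSSQL; do
        $IPT -N "$c" 2>/dev/null || $IPT -F "$c"
    done

    # Teardown of an established RMI connection forgets the client.
    # This must precede the ESTABLISHED accept, otherwise FIN/RST packets
    # are accepted there and never reach a chain that can remove the entry.
    for flag in FIN RST; do
        $IPT -A FORWARD -m state --state ESTABLISHED -p tcp --dport "$rmiport" \
            --tcp-flags "$flag" "$flag" -m recent --name rmi --remove -j ACCEPT
    done

    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -p tcp --dport "$rmiport" -j RMI
    $IPT -A FORWARD -p tcp --dport "$mssqlport" -j MSSQL

    # New RMI connection: remember the client's source address, then accept.
    $IPT -A RMI -p tcp --syn -m recent --name rmi --set -j ACCEPT
    $IPT -A RMI -j DROP

    # MS SQL: only remembered clients, and only while the entry is younger
    # than $ttl seconds, so a client that disappears without FIN/RST is
    # eventually locked out again.
    $IPT -A MSSQL -p tcp --syn -m recent --name rmi --rcheck --seconds "$ttl" \
        -j ACCEPT
    $IPT -A MSSQL -m limit --limit 5/min -j LOG --log-prefix "mssql without rmi "
    $IPT -A MSSQL -j DROP
}

# Usage: rmi_gate.sh <rmiport> <mssqlport> <timeout_seconds>
if [ "$#" -eq 3 ]; then
    rmi_gate_rules "$@"
fi
```

Preview with `IPT=echo sh rmi_gate.sh 1099 1433 3600`, then load it as root with `sh rmi_gate.sh 1099 1433 3600`. A client that opens a new RMI connection refreshes its entry (`--set` updates the timestamp), so long-lived sessions should pick a `ttl` comfortably above the expected idle time between RMI connects, or use `--update` instead of `--rcheck` if every accepted MS SQL SYN should extend the window.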