tomclegg.net

Oracle 9i server behind a firewall with NAT
Posted August 21, 2003

You want to put your Oracle 9i server ("planb" at 10.10.2.9) behind a NAT router, and access it from outside the router (any client in 128.100.31.0/24).

+--------+ public +--------------+ private +----------------+
| client |--------| firewall+nat |---------| oracle (planb) |
+--------+        +--------------+         +----------------+

I assume your router already has:

  • FreeBSD 4
  • options IPDIVERT and options IPFIREWALL in your kernel
  • daemontools installed and svscan running
  • Service directories in /var/service
  • Symlinks to service directories in /service

To run natd under daemontools on the router, create /var/service/natd/run:

#!/bin/sh
killall -9 natd 2>/dev/null
exec fghack natd -f ./natd.conf

Create /var/service/natd/natd.conf (change xl0 to your outside network interface, and change 10.10.2.9 to your Oracle server's private IP address):

interface xl0
dynamic
unregistered_only
redirect_port tcp 10.10.2.9:1521 1521

Enable the service.

fw# chmod +x /var/service/natd/run
fw# ln -s /var/service/natd /service/

Create (or add to) /etc/firewall to allow connections from clients to 10.10.2.9:1521. Change 128.100.31.0/24 to your clients' IP block.

-f flush
add allow ip from any to any via lo0
add divert natd ip from any to any via xl0
add deny ip from 10.0.0.0/8 to any in recv xl0
add allow tcp from any to any established
add allow tcp from 128.100.31.0/24 to 10.10.2.9 1521 setup
add unreach port tcp from any to any
add unreach port udp from any to any
add deny ip from any to any

Add to /etc/rc.conf:

firewall_type=/etc/firewall

Apply the new firewall rules:

fw# nohup ipfw /etc/firewall