Re: [redhat] Re: Remote Desktop/Firewall

On April 27, 2004 07:46 pm, Frank Reichenbacher wrote:
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx
> > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Pete Nesbitt
> > Sent: Tuesday, April 27, 2004 6:35 PM
> > To: frank@xxxxxxxxxxx; General Red Hat Linux discussion list
> > Subject: [redhat] Re: Remote Desktop/Firewall
> >
> > On April 27, 2004 06:06 pm, Frank Reichenbacher wrote:
> > > I have pmfirewall (www.pointman.org) running on my RH 7.0 server/LAN
> > > Router on a home office setup. It is a simple but effective ipchains
> > > firewall script.
> > >
> > > I need to use my WinXP desktop on the inside of the home firewall to
> > > communicate with my office WinXP, which is inside a firewalled router
> > > on a Win2K LAN. The home side outernet IP is 66.93.153.62, innernet IP
> > > 192.168.1.2. The office side outernet IP is 64.232.168.34, the
> > > innernet IP is 192.168.1.103.
> > >
> > > I didn't see in the script a place that closes off the RDP port 3389
> > > specifically, so I added the following two rules at the end of the
> > > script.
> > >
> > > $IPCHAINS -A input -p tcp -s 64.232.168.34 --source-port 3389 -d
> > > 192.168.1.2 --destination-port 3389 -j ACCEPT
> > >
> > > I've also tried combinations of ports 0:65535, 3389 and there is no
> > > difference. The logs show that the firewall is denying a return of
> > > bits from the 64.232.168.34 IP on port 65535. I am contacting the
> > > remote network, but it is blocked on my end from returning any
> > > packets.
> > >
> > > When I run ipchains from the prompt, I see that port 3389 is open to
> > > 64.232.168.34, I don't seem to see anything that appears to deny it
> > > afterwards.
> > >
> > > Frank
> >
> > Frank,
> > Do you have input, forward and output chains for that port? (as I recall,
> > ipchains needs all 3 to make the path thru the firewall)
> >
> > Your routers/gateways must be doing NAT on the outside (presuming an internet
> > connection), so it is not a destination of 192.168.1.2 that the input chain
> > needs to allow, it is destination 66.93.153.62
>
> I'll check on the other stuff. If I allow 66.93.153.62, how do I then
> get packets to 192.168.1.2?
>
> Frank


It's been a while since I used IPchains, but I believe you want something like:

$IPCHAINS -A input -p tcp -s 64.232.168.34 --sport 3389 -d 66.93.153.62 --dport 3389 -j REDIRECT 192.168.1.2
$IPCHAINS -A forward -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT
$IPCHAINS -A output -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT

You should have a look at:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IPCHAINS-HOWTO.html
-- 
Pete Nesbitt, rhce
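As an added example (not code from this thread): a small Python parser for the ipchains "Packet log:" lines that pmfirewall's logging rules write to the kernel log. It picks out denied TCP replies from the office gateway's RDP port and reports which chain and rule number dropped them, and whether the packet was addressed to the home gateway's public address rather than 192.168.1.2, which is the mismatch described above. The line format is taken from the IPCHAINS-HOWTO; the sample log lines are constructed.

```python
import re

# ipchains "Packet log:" line, per the IPCHAINS-HOWTO:
#   <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> ...
# followed, when present, by "(#<rule>)" naming the rule that matched.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+)"
)
RULE_RE = re.compile(r"\(#(\d+)\)\s*$")

HOME_EXTERNAL = "66.93.153.62"    # home gateway's public (NAT) address, from the thread
OFFICE_EXTERNAL = "64.232.168.34"  # office gateway, from the thread
RDP_PORT = 3389


def parse_line(line):
    """Parse one kernel log line; None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    rule = RULE_RE.search(line)
    rec["rule"] = int(rule.group(1)) if rule else None
    return rec


def rdp_denials(lines):
    """Denied TCP packets that are replies from the office gateway's RDP port.

    'nat_mismatch' is True when the reply was addressed to the gateway's public
    address, so an input rule written for -d 192.168.1.2 could never match it.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["target"] != "DENY" or rec["proto"] != 6:
            continue
        if rec["src"] == OFFICE_EXTERNAL and rec["sport"] == RDP_PORT:
            rec["nat_mismatch"] = rec["dst"] == HOME_EXTERNAL
            hits.append(rec)
    return hits


# Constructed sample lines (not from the thread); 65535 is a masqueraded reply port.
SAMPLE_LOG = [
    "Apr 27 18:40:01 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "64.232.168.34:3389 66.93.153.62:65535 L=44 S=0x00 I=4321 F=0x4000 T=51 (#58)",
    "Apr 27 18:40:02 gw kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.9.8.7:137 66.93.153.62:137 L=78 S=0x00 I=777 F=0x0000 T=118 (#58)",
    "Apr 27 18:40:03 gw kernel: Packet log: output ACCEPT eth1 PROTO=6 "
    "64.232.168.34:3389 192.168.1.2:1234 L=44 S=0x00 I=4322 F=0x4000 T=50 (#3)",
]
```

Run it against /var/log/messages from the gateway: a hit with nat_mismatch set to True, plus the rule number, tells you exactly which DENY rule fires and why the 192.168.1.2 input rule never matches.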

