On May 2, 2004 07:54 pm, Frank Reichenbacher wrote:
> > -----Original Message-----
> > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Pete Nesbitt
> > Sent: Tuesday, April 27, 2004 8:37 PM
> > To: frank@xxxxxxxxxxx; General Red Hat Linux discussion list
> > Subject: Re: [redhat] Re: Remote Desktop/Firewall
> >
> > On April 27, 2004 07:46 pm, Frank Reichenbacher wrote:
> > > > -----Original Message-----
> > > > From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Pete Nesbitt
> > > > Sent: Tuesday, April 27, 2004 6:35 PM
> > > > To: frank@xxxxxxxxxxx; General Red Hat Linux discussion list
> > > > Subject: [redhat] Re: Remote Desktop/Firewall
> > > >
> > > > On April 27, 2004 06:06 pm, Frank Reichenbacher wrote:
> > > > > I have pmfirewall (www.pointman.org) running on my RH 7.0 server/LAN
> > > > > Router on a home office setup. It is a simple but effective ipchains
> > > > > firewall script.
> > > > >
> > > > > I need to use my WinXP desktop on the inside of the home firewall to
> > > > > communicate with my office WinXP, which is inside a firewalled router
> > > > > on a Win2K LAN. The home side outernet IP is 66.93.153.62, innernet IP
> > > > > 192.168.1.2. The office side outernet IP is 64.232.168.34, the
> > > > > innernet IP is 192.168.1.103.
> > > > >
> > > > > I didn't see in the script a place that closes off the RDP port 3389
> > > > > specifically, so I added the following two rules at the end of the
> > > > > script.
> > > > >
> > > > > $IPCHAINS -A input -p tcp -s 64.232.168.34 --source-port 3389 -d 192.168.1.2 --destination-port 3389 -j ACCEPT
> > > > >
> > > > > I've also tried combinations of ports 0:65535, 3389 and there is
> > > > > no difference. The logs show that the firewall is denying a return
> > > > > of bits from the 64.232.168.34 IP on port 65535. I am contacting
> > > > > the remote network, but it is blocked on my end from returning any
> > > > > packets.
> > > > >
> > > > > When I run ipchains from the prompt, I see that port 3389 is open to
> > > > > 64.232.168.34; I don't seem to see anything that appears to deny
> > > > > it afterwards.
> > > > >
> > > > > Frank
> > > >
> > > > Frank,
> > > > Do you have input, forward and output chains for that port? (As I
> > > > recall, ipchains needs all 3 to make the path thru the firewall.)
> > > >
> > > > Your routers/gateways must be doing NAT on the outside (presuming an
> > > > internet connection), so it is not a destination of 192.168.1.2 that
> > > > the input chain needs to allow, it is destination 66.93.153.62.
> > >
> > > I'll check on the other stuff. If I allow 66.93.153.62, how do I then
> > > get packets to 192.168.1.2?
> > >
> > > Frank
> >
> > It's been a while since I used IPchains, but I believe you want something
> > like:
> >
> > $IPCHAINS -A input -p tcp -s 64.232.168.34 --sport 3389 -d 66.93.153.62 --dport 3389 -j REDIRECT 192.168.1.2
> > $IPCHAINS -A forward -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT
> > $IPCHAINS -A output -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT
>
> Here's what didn't generate error messages when I restarted the firewall:
>
> $IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j REDIR 192.168.1.2 3389
> $IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT
> $IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT
>
> (RH barks at REDIRECT)
>
> And then this is what shows up in /var/log/messages:
>
> May 2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)
>
> It's always port 65535. It occurs to me that the Microsoft RDP is not
> only using port 3389. I think my connection request is received by the
> remote machine and then answered, but the firewall isn't allowing the
> return packets to be received on the local machine. I've tried a dozen
> configurations of port openings, but I admit that I have no idea of what
> would be correct, and, of course, none of them work.
>
> <snip>
>
> Frank

Frank,

Aside from this RDP service, can you confirm the firewall is correctly passing packets? Is the routing table correct to pass things back and forth? Are IP Masquerading & ICMP Masquerading both enabled in the kernel? Can you confirm the port exchanges for RDP (protocols, and what the server uses as source/destination when it responds)?

IP forwarding should also be enabled. To enable it, add the following to /etc/rc.local or run it at the command line:

echo "1" > /proc/sys/net/ipv4/ip_forward

(If it is working, 'cat /proc/sys/net/ipv4/ip_forward' will return "1".)

I remember ipchains had a rule-testing command; there are also a number of options you may look at for status, "ipchains -L forward" for example.

What other error messages are in the logs?

One option: if Windows has something like tcpdump, use it, or else set the Linux box up as a router, not a firewall, and monitor a successful connection to see what ports are used.

--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
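The log line Frank quotes says PROTO=47, which is GRE (IP protocol number 47), not TCP, so it is worth reading the ipchains log fields rather than guessing at ports. As an added illustration that is not part of the thread, this Python parses that "Packet log:" line and the quoted ipchains rules and shows why a "-p tcp" port rule never matches the denied packet; GRE_RULE is a hypothetical rule constructed here for the demonstration, and the minimal rule parser assumes the single-port "-s addr port" syntax used in the thread.

```python
import re
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}  # IANA numbers
FIELDS = ("chain", "proto", "src", "dst", "sport", "dport")  # rule keys compared with the log

LOG_RE = re.compile(r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
                    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
                    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)")

def parse_log(line):
    # One ipchains "Packet log:" line from /var/log/messages -> dict of fields.
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line")
    pkt = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    pkt["proto_name"] = PROTO_NAMES.get(pkt["proto"], "ip%d" % pkt["proto"])
    return pkt

def parse_rule(text):
    # Minimal ipchains parser: -A chain -p proto -s addr [port] -d addr [port] -j target
    toks = text.replace("$IPCHAINS", "").split()
    rule = dict.fromkeys(FIELDS + ("target",))
    flags = {"-A": "chain", "-p": "proto", "-j": "target", "-s": "src", "-d": "dst"}
    for i, tok in enumerate(toks[:-1]):
        key = flags.get(tok)
        if key:
            rule[key] = toks[i + 1]
        if key in ("src", "dst") and i + 2 < len(toks) and toks[i + 2].isdigit():
            rule[key[0] + "port"] = int(toks[i + 2])  # positional "addr port" form
    return rule

def explain(line, rules):
    # Returns (protocol name, number of rules that match the packet, reason).
    pkt = parse_log(line)
    got = (pkt["chain"], pkt["proto_name"], pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
    hits = sum(all(r[k] is None or r[k] == g for k, g in zip(FIELDS, got)) for r in rules)
    if hits:
        why = "matched"
    elif pkt["proto"] not in (6, 17):  # ipchains logs 65535 in both port slots here
        why = "%s has no TCP/UDP ports, so no '-p tcp' port rule can accept it" % got[1].upper()
    else:
        why = "no rule for this address/port pair"
    return got[1], hits, why

# Constructed inputs: the denied packet and two rules quoted in the thread, plus a hypothetical GRE rule.
LOG_LINE = ("May 2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 "
            "64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)")
RULES = [parse_rule(r) for r in (
    "$IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j ACCEPT",
    "$IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT")]
GRE_RULE = parse_rule("$IPCHAINS -A input -p gre -s 64.232.168.34 -d 66.93.153.62 -j ACCEPT")
```

Calling explain(LOG_LINE, RULES) reports zero matching rules for the GRE packet, while adding GRE_RULE to the list makes it match, which is the kind of check to run before opening more TCP ports.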