On May 3, 2004 06:37 pm, Frank Reichenbacher wrote: > > -----Original Message----- > > From: redhat-list-bounces@xxxxxxxxxx > > [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Pete Nesbitt > > Sent: Monday, May 03, 2004 8:11 AM > > To: frank@xxxxxxxxxxx; General Red Hat Linux discussion list > > Subject: Re: [redhat] Re: Remote Desktop/Firewall > > <snip> > > > <snip> > > > > > Frank > > > > Frank, > > Aside from this RDP service, can you confirm the firewall is > > correctly passing > > packets? Is the routing table correct to pass things back and forth? > > Yes absolutely. I've been using this machine as a home network gateway > and firewall (and I run a website and email server on it, the latter > even earns me money) very successfully for about 2 years(?) Pmfirewall > is great. Part of the reason I'm so blindingly ignorant is that I > haven't had to think about it. > > > Are IP Masquerading & ICMP Masquerading both enabled in the kernel? > > Yes definitely. I'm looking at the pmfirewall script, which consists of > several components. The initiating script speficially allows incoming > and outgoing icmp and then calls a masquerading script. > > > Can you confirm the port exchanges for RDP (protocols and > > what the server uses > > as a source/destination when it responds? > > I looked it up as best I could in several Internet sources and all I > could find is that RDP uses port 3389. > > > IPForwarding should also be enabled. To enable it add the > > following to > > /etc/rc.local or execute at command: > > echo "1" > /proc/sys/net/ipv4/ip_forward > > This statement is already in pmfirewall and it appears to run correctly. > > > (if working 'cat /proc/sys/net/ipv4/ip_forward' will return "1") > > > > I remember ipchains had a rule testing command, there are > > also a number of > > options you may look at for ststus "ipchains -L forward" for example. > > Here are the three statements I inserted at the end of the pmfirewall > script: > $IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j > REDIR 192.168.1.2 3389 > $IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT > $IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT > > Running "ipchains -L input" appears to show that the first statement > above is not loading, so that must be what the error message refers to > when I try to restart pmfirewall. > > "ipchains -L input" shows (among other entries): > ACCEPT tcp anywhere 192.168.1.2 any-> 3389 > > > "ipchains -L output" shows (among other entries): > ACCEPT tcp anywhere 192.168.1.2 any-> 3389 > > Now I strongly suspect there is something wrong with the syntax of the > input statement. I tried several different variations, but could not > find one that would appear to do what I want that would not produce an > error message. The message BTW is, "Try '/sbin/ipchains -h' or > '/sbin/ipchains --help' for more information." If I rem out the > statement and then restart pmfirewall, the message does not appear. > > > What other error messages in the logs? > > Hundreds of messages a day reflecting denials from a wide variety of IP > addresses, but nothing, I think, out of the ordinary. > > > One option, if windows has something like tcpdump, or else > > set the linux box > > as a router, not a firewall, and monitor a successful > > connection to see what > > ports are used. > > You mean shut down my firewall -- on purpose? > > Ho brother, does that make me nervous, but I guess I can do it for a > couple of minutes. > > Frank > > > -- > > Pete Nesbitt, rhce Frank, Don't stop the fw yet, here are a few other thoughts.... The error your getting "Try '/sbin/ipchains -h' or '/sbin/ipchains --help' for more information." is definately a syntax error. You need to add the --sport and --dport in your rules. You may also want to add the interface reference. EXT_IF="eth0" LAN_IF="eth1" Try removing the local port references so on outbound, only the -dport matters, and on inbound, only the source port matter. that way if your client side uses something else, it should still work. Try: $IPCHAINS -A input -i $EXT_IF -p tcp -s 64.232.168.34 --sport 3389 -j REDIR 192.168.1.2 $IPCHAINS -A forward -p tcp -d 192.168.1.2 --sport 3389 -j ACCEPT $IPCHAINS -A output -i $LAN_IF -p tcp -d 192.168.1.2 --sport 3389 -j ACCEPT You probably also need to add the rules in both directions. outside->fw->inside inside->fw->outside (there was also some "redirect" problems with kernels 2.4.5 and 2.4.13) -- Pete Nesbitt, rhce -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
