iptables and Remote Desktop Connection problems

omar ontiveros tensegrity at elp.rr.com
Fri Oct 29 03:48:59 UTC 2004


Have you tried disabling the firewall to see if it works???

Also certain types of Remote Desktop software send GRE type packets that
can't be forwarded via NAT.

I hope some of this might help.

On Thu, 2004-10-28 at 21:05, Edward wrote:
> I'm sorry to ask a Windows based question, but I believe it is the Linux 
> iptables firewall that is causing the problem.
> 
> My brother and wife will be in Europe as of tomorrow, wanting to be able 
> to go to an internet cafe, and with no other requisites, take over a 
> Windows box on their local LAN.
> 
> Of course they leave today, and asked me to set this up yesterday, so any 
> urgency is appreciated.
> 
> I'm running Fedora core 1 on the box with the firewall blocking anything 
> suspect I know of.
> 
> I've set up a no-ip address for their dynamic address. This part is 
> working fine.
> 
> I've set up Remote Desktop Connection via the web on the target (host) 
> PC, and this is also working flawlessly...INTERNALLY...
> 
> I hit the box with the URL (names changed to protect the immense 
> security risk I'm creating but my brother refuses to care about):
> 
> http://<dynamicaddress>.hopto.org:<port>/tsweb/
> 
> This works flawlessly internally. <dynamicaddress>.hopto.org resolves 
> correctly, and the box pops up in my browser.
> 
> However, externally it's another story. I get the RDC screen where you 
> put in the computer name and screen size, after it downloads the 
> required ActiveX control from the host box.
> 
> If I put in the computer name - it tells me it can't find that host on 
> the network.
> 
> If I try to put in the internal ip address, let's call it <internalip>, 
> it tells me the host is busy or a network problem.
> 
> According to ALL the docs I've read on how to set this up, all I need to 
> forward are ports 3389 and <port> which defaults to 80, but can be any 
> arbitrary number.
> 
> (I've tried with both 80 AND <port>, just to eliminate stupidity).
> 
> Here's my iptables script:
> 
> ---
> 
> #!/bin/sh
> #
> # rc.firewall-2.4
> FWVER=0.73
> #
> #               Initial SIMPLE IP Masquerade test for 2.4.x kernels
> #               using IPTABLES.
> #
> #               Once IP Masquerading has been tested, with this simple
> #               ruleset, it is highly recommended to use a stronger
> #               IPTABLES ruleset either given later in this HOWTO or
> #               from another reputable resource.
> #
> #
> #
> # Log:
> #       0.73 - REJECT is not a legal policy yet; back to DROP
> #       0.72 - Changed the default block behavior to REJECT not DROP
> #       0.71 - Added clarification that PPPoE users need to use
> #              "ppp0" instead of "eth0" for their external interface
> #       0.70 - Added commented option for IRC nat module
> #            - Added additional use of environment variables
> #            - Added additional formatting
> #       0.63 - Added support for the IRC IPTABLES module
> #       0.62 - Fixed a typo on the MASQ enable line that used eth0
> #              instead of $EXTIF
> #       0.61 - Changed the firewall to use variables for the internal
> #              and external interfaces.
> #       0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
> #              all forwarded packets but it didn't have a rule to ACCEPT
> #              any packets to be forwarded either
> #            - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
> #       0.50 - Initial draft
> #
> 
> echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
> 
> 
> 
> # The location of the iptables and kernel module programs
> #
> #   If your Linux distribution came with a copy of iptables,
> #   most likely all the programs will be located in /sbin.  If
> #   you manually compiled iptables, the default location will
> #   be in /usr/local/sbin
> #
> # ** Please use the "whereis iptables" command to figure out
> # ** where your copy is and change the path below to reflect
> # ** your setup
> #
> IPTABLES=/sbin/iptables
> #IPTABLES=/usr/local/sbin/iptables
> DEPMOD=/sbin/depmod
> INSMOD=/sbin/insmod
> FPMAIN=<internalip>
> RDPPORT=<port>
> 
> 
> #Setting the EXTERNAL and INTERNAL interfaces for the network
> #
> #  Each IP Masquerade network needs to have at least one
> #  external and one internal network.  The external network
> #  is where the natting will occur and the internal network
> #  should preferably be addressed with a RFC1918 private address
> #  scheme.
> #
> #  For this example, "eth0" is external and "eth1" is internal"
> #
> #
> #  NOTE:  If this doesnt EXACTLY fit your configuration, you must
> #         change the EXTIF or INTIF variables above. For example:
> #
> #            If you are a PPPoE or analog modem user:
> #
> #               EXTIF="ppp0"
> #
> #
> EXTIF="ppp0"
> INTIF="ath0"
> echo "   External Interface:  $EXTIF"
> echo "   Internal Interface:  $INTIF"
> 
> 
> #======================================================================
> #== No editing beyond this line is required for initial MASQ testing ==
> 
> 
> echo -en "   loading modules: "
> 
> # Need to verify that all modules have all required dependencies
> #
> echo "  - Verifying that all kernel modules are ok"
> $DEPMOD -a
> 
> # With the new IPTABLES code, the core MASQ functionality is now either
> # modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
> # options as MODULES.  If your kernel is compiled correctly, there is
> # NO need to load the kernel modules manually.
> #
> #  NOTE: The following items are listed ONLY for informational reasons.
> #        There is no reason to manual load these modules unless your
> #        kernel is either mis-configured or you intentionally disabled
> #        the kernel module autoloader.
> #
> 
> # Upon the commands of starting up IP Masq on the server, the
> # following kernel modules will be automatically loaded:
> #
> # NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
> #        modules are shown below but are commented out from loading.
> # ===============================================================
> 
> echo "----------------------------------------------------------------------"
> 
> #Load the main body of the IPTABLES module - "iptable"
> #  - Loaded automatically when the "iptables" command is invoked
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_tables, "
> $INSMOD ip_tables
> 
> 
> #Load the IPTABLES filtering module - "iptable_filter"
> #  - Loaded automatically when filter policies are activated
> 
> 
> #Load the stateful connection tracking framework - "ip_conntrack"
> #
> # The conntrack  module in itself does nothing without other specific
> # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
> # module
> #
> #  - This module is loaded automatically when MASQ functionality is
> #    enabled
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_conntrack, "
> $INSMOD ip_conntrack
> 
> 
> #Load the FTP tracking mechanism for full FTP tracking
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -en "ip_conntrack_ftp, "
> $INSMOD ip_conntrack_ftp
> 
> 
> #Load the IRC tracking mechanism for full IRC tracking
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -en "ip_conntrack_irc, "
> $INSMOD ip_conntrack_irc
> 
> 
> #Load the general IPTABLES NAT code - "iptable_nat"
> #  - Loaded automatically when MASQ functionality is turned on
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "iptable_nat, "
> $INSMOD iptable_nat
> 
> 
> #Loads the FTP NAT functionality into the core IPTABLES code
> # Required to support non-PASV FTP.
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -en "ip_nat_ftp, "
> $INSMOD ip_nat_ftp
> 
> 
> #Loads the IRC NAT functionality into the core IPTABLES code
> # Require to support NAT of IRC DCC requests
> #
> # Disabled by default -- remove the "#" on the next line to activate
> #
> #echo -e "ip_nat_irc"
> #$INSMOD ip_nat_irc
> 
> echo "----------------------------------------------------------------------"
> 
> # Just to be complete, here is a list of the remaining kernel modules
> # and their function.  Please note that several modules should be only
> # loaded by the correct master kernel module for proper operation.
> # --------------------------------------------------------------------
> #
> #    ipt_mark       - this target marks a given packet for future action.
> #                     This automatically loads the ipt_MARK module
> #
> #    ipt_tcpmss     - this target allows to manipulate the TCP MSS
> #                     option for braindead remote firewalls.
> #                     This automatically loads the ipt_TCPMSS module
> #
> #    ipt_limit      - this target allows for packets to be limited to
> #                     to many hits per sec/min/hr
> #
> #    ipt_multiport  - this match allows for targets within a range
> #                     of port numbers vs. listing each port individually
> #
> #    ipt_state      - this match allows to catch packets with various
> #                     IP and TCP flags set/unset
> #
> #    ipt_unclean    - this match allows to catch packets that have invalid
> #                     IP/TCP flags set
> #
> #    iptable_filter - this module allows for packets to be DROPped,
> #                     REJECTed, or LOGged.  This module automatically
> #                     loads the following modules:
> #
> #                     ipt_LOG - this target allows for packets to be
> #                               logged
> #
> #                     ipt_REJECT - this target DROPs the packet and returns
> #                                  a configurable ICMP packet back to the
> #                                  sender.
> #
> #    iptable_mangle - this target allows for packets to be manipulated
> #                     for things like the TCPMSS option, etc.
> 
> echo -e "   Done loading modules.\n"
> 
> 
> 
> #CRITICAL:  Enable IP forwarding since it is disabled by default since
> #
> #           Redhat Users:  you may try changing the options in
> #                          /etc/sysconfig/network from:
> #
> #                       FORWARD_IPV4=false
> #                             to
> #                       FORWARD_IPV4=true
> #
> echo "   Enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> 
> # Dynamic IP users:
> #
> #   If you get your IP address dynamically from SLIP, PPP, or DHCP,
> #   enable this following option.  This enables dynamic-address hacking
> #   which makes the life with Diald and similar programs much easier.
> #
> echo "   Enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> 
> 
> # Enable simple IP forwarding and Masquerading
> #
> #  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
> #
> #  NOTE #2:  The following is an example for an internal LAN address in the
> #            192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
> #            connecting to the Internet on external interface "eth0".  This
> #            example will MASQ internal traffic out to the Internet but not
> #            allow non-initiated traffic into your internal network.
> #
> #
> #         ** Please change the above network numbers, subnet mask, and your
> #         *** Internet connection interface name to match your setup
> #
> 
> 
> #Clearing any previous configuration
> #
> #  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
> #    The default for FORWARD is DROP (REJECT is not a valid policy)
> #
> 
> LSMOD=/sbin/lsmod
> DEPMOD=/sbin/depmod
> INSMOD=/sbin/insmod
> GREP=/bin/grep
> AWK=/bin/awk
> SED=/bin/sed
> IFCONFIG=/sbin/ifconfig
> EXTIP="`$IFCONFIG $EXTIF | $AWK \
>   /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
> echo " I think the external IP is: " $EXTIP
> 
> echo "   Clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> 
> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> 
> #Added for RDP
> echo "Setting up FPMain for Remote Desktop Connection"
> $IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $FPMAIN --dport 3389 -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $FPMAIN --dport $RDPPORT -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport 3889 -j DNAT --to $FPMAIN:3389
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 1024:65535 --dport $RDPPORT -j DNAT --to $FPMAIN:$RDPPORT
> 
> echo "	Dropping NetBIOS Requests from outside"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 137:139 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 137:139 -j DROP
> 
> echo "	Dropping ICMP from outside"
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP
> $IPTABLES -A FORWARD -j LOG
> 
> echo "	Dropping SSH from outside"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j DROP
> 
> echo "	Dropping outside SMTP"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j DROP
> 
> echo "	Dropping outside POP"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j DROP
> 
> echo "	Dropping outside Ident"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j DROP
> 
> echo "	Dropping outside Remote Grab"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 7000 -j DROP
> 
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> 
> 
> echo -e "\nDone.\n"
> 
> ---
> 
> I've used the same sort of "forwarding" idea on another server to send 
> emule packets to my Windows box and that works.
> 
> I'm using the same syntax here to forward 3398 and <port> to 
> <internalip> internally. (I think).
> 
> Any idea what could be wrong?
> 
> Oh, and obviously <dynamicaddress>, <internalip>, and <port> are real 
> values, I've just hidden them here because I'm anal about security.
> 
> Regards,
> Ed.
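For reference, here is an added example (not the quoted script and not from either poster) of a DNAT plus FORWARD rule pair for the setup Ed describes. It is worth noting that the quoted script DNATs `--dport 3889` while its FORWARD rule and the rest of the thread refer to 3389; the example below derives both rules from one variable so the two cannot disagree, and matches on the incoming interface instead of `$EXTIP` so a changing dynamic address does not break the rule. The interface names, the internal address 192.168.1.10 and the tsweb port 8080 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script: print a consistent DNAT + FORWARD
# rule pair for each TCP port that must reach the RDP host behind the
# masquerading Fedora box. Review the output, then apply it with:  sh rdp-rules.sh | sh
# All values below are constructed placeholders, not the thread's real ones.
EXTIF="${EXTIF:-ppp0}"              # external (Internet) interface
INTIF="${INTIF:-ath0}"              # internal LAN interface
FPMAIN="${FPMAIN:-192.168.1.10}"    # Windows host running Remote Desktop
RDPPORT="${RDPPORT:-3389}"          # RDP listener on the Windows host
WEBPORT="${WEBPORT:-8080}"          # IIS /tsweb page, the <port> in the thread
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Print the two rules that forward public TCP port $1 to $FPMAIN:$2.
# One variable feeds both rules, so the DNAT target port and the FORWARD
# --dport cannot drift apart the way 3889 and 3389 did in the quoted script.
forward_tcp_port() {
    pub="$1"; dst="$2"
    # DNAT is done in PREROUTING; matching on -i $EXTIF avoids depending on
    # the external address, which changes on a dynamic PPPoE link.
    printf '%s -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$EXTIF" "$pub" "$FPMAIN" "$dst"
    # FORWARD sees the packet after DNAT, so it must match the translated
    # destination, narrowed to the one host and port and nothing wider.
    printf '%s -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$IPTABLES" "$EXTIF" "$INTIF" "$FPMAIN" "$dst"
}

# Full rule set for the thread's setup: RDP itself plus the tsweb page.
rdp_rules() {
    forward_tcp_port "$RDPPORT" "$RDPPORT"
    forward_tcp_port "$WEBPORT" "$WEBPORT"
}

# Sanity check: every DNAT target port must have a FORWARD rule for the same
# host and port, otherwise the FORWARD DROP policy silently discards the
# translated packets (the symptom of a port typo). Returns 0 when consistent.
check_rules() {
    rules=$(rdp_rules)
    for port in $(printf '%s\n' "$rules" | sed -n 's/.*--to-destination [^:]*:\([0-9]*\)$/\1/p'); do
        printf '%s\n' "$rules" | grep -q -- "-A FORWARD .* -d $FPMAIN --dport $port " || return 1
    done
    return 0
}

rdp_rules
```

Because FORWARD is evaluated after DNAT, `tcpdump -i ath0 port 3389` on the internal interface is the quickest way to confirm that translated packets are actually leaving the firewall toward the Windows host.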




More information about the fedora-list mailing list