[K12OSN] firewall question

Peter Scheie peter at scheie.homedns.org
Mon Mar 3 15:21:35 UTC 2008

I've run into this kind of problem before.  Assuming server C is a dual-nic 
system, if you look carefully at the firewall rules I think you will see that 
eth0, for the clients, allows all connections, as it should be.  eth1, on the 
other hand, usually blocks all incoming traffic except what is ESTABLISHED or 
RELATED (those are formal iptables terms; I'm not yelling or adding emphasis). 
As I recall, what has probably broken on your system is the FORWARD chain having 
no rules, and/or a kernel setting (/proc/net/ip_conntrack?) being turned off. 
The result is that your thin clients work, because their apps are running on the 
server and thus the traffic only goes via the OUTPUT chain; but other clients, 
like those coming from the wireless connection and then through the server, are 
not getting their traffic forwarded.  I don't have access to a system ATM to 
more fully check/recall the details.  Probably the most expedient thing to do 
would be to jump onto the #ltsp channel on IRC (there's a link and instructions 
at the ltsp.org website) and ask the folks there.


Vi Thai wrote:
> There is no firewall for the entire school.  This K12LTSP server
> contacts the Openserver for students and staff to log in.  The
> Openserver has a firewall with only eth0 (private) being trusted so do
> the K12LTSP servers even need to have their firewalls turned on?  The
> reason why I ask is because all the thin clients can log on fine now.
> The firewall settings for the K12LTSP servers are set to trust
> nothing, not even NFS or Samba, and they are still able to log on.
> However now I am not able to get wireless to work on any of these
> servers now.  Before when the firewall was turned off I was able to
> get wireless to work behind "server c" but now that I've turned on the
> firewall on all k12ltsp servers, wireless no longer works if I plug a
> wireless router into a switch on "server c."  I don't want to expose
> the entire system just get a handful of students wireless access.
> Thanks for everyone's input.  I really appreciate it.
> Vi
> 2008/3/1 Kemp, Levi <lnkemp at bolivar.k12.mo.us>:
>> -----Original Message-----
>>  From: k12osn-bounces at redhat.com on behalf of Vi Thai
>>  Sent: Fri 2/29/2008 6:58 PM
>>  To: k12osn at redhat.com
>>  Subject: [K12OSN] firewall question
>>  Hi everyone!  I'm the technology coordinator of a small school in
>>  Glenburn, Maine.  I have two separate but related issues.
>>  1...
>>  I recently changed the firewall settings on three of my k12ltsp
>>  servers that are running Fedora 6.  I received this message from my
>>  network manager from server a: "outbound port tcp/22 (secure shell)
>>  scanning detected."  I'm not really sure what this meant, so I looked
>>  at the firewall settings on this particular server and noticed that
>>  one of the trusted ports was SSH, which I read uses port 22.  We only
>>  allow users to login from clients from within our school and no one
>>  from outside school can log in, so I didn't think
>>  turning off SSH would be a problem.  After turning SSH off some of the
>>  clients on the server could not log in.  I reset the server and
>>  everything was back to normal.  Is this what I should have done to
>>  address the message I received?  There hasn't been an update since the
>>  summer so should I do a "yum update" in the terminal to ensure that
>>  all software on the server is updated?
>>  2...
>>  I then went to look at the firewall settings for the other two servers
>>  ("server b" and "server c") and noticed that neither of the firewalls
>>  on the servers were even on!  I quickly changed the settings so that
>>  the firewall was enabled with no exceptions.  I reset the server and
>>  everyone was able to connect after the restart.  I thought everything
>>  was fine until a few minutes later when a teacher called and indicated
>>  that she couldn't get onto the wireless airport out in her portable (I
>>  had put an apple wireless airport out there plugged into the WAN port
>>  which was plugged into a switch on "server c").  The airport was
>>  working fine before I turned on the firewall and even if I turn the
>>  firewall off I still cannot get the airport to work.  Anyone have any
>>  thoughts on how I could solve this issue?  I really don't want to turn
>>  the firewall off even though it has been on since I've been here last
>>  October.  My suspicion is that the firewall has been disabled for over
>>  two years now with no apparent problems.  We have been having a
>>  network slow down so perhaps there has been a compromise on one of
>>  these servers and I have not been informed yet.  I know it's a silly
>>  question, but should this firewall even be turned on?  I'm new to this
>>  type of network and any help provided would be greatly appreciated.
>>  Vi
>>  _______________________________________________
>>  K12OSN mailing list
>>  K12OSN at redhat.com
>>  https://www.redhat.com/mailman/listinfo/k12osn
>>  For more info see <http://www.k12os.org>
>>   I'd have to look it up but I recall someone asking this question before. The issue was with clients, both thin clients and regular fat clients on the DHCP side of the server not getting through. The solution was to open up ports on that NIC, the internal one so that all the traffic on the internal network could get through. I believe they used Webmin to do this easier. This should allow you to keep the external firewall on to protect the server and allow anyone on the inside to get through.
>>   As far as your second question goes, do you have an external firewall for the entire school? If so having one on your K12LTSP server may not be necessary, but if you can get it working it couldn't hurt.
>>  Levi
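The two failure modes Peter Scheie describes for a dual-NIC LTSP server, an empty FORWARD chain and a kernel forwarding switch turned off, can be checked without guessing. The script below is an added example and is not code from this thread or from the K12LTSP project. It assumes eth0 is the client-side NIC and eth1 the upstream NIC (as in the thread), that the ruleset is given as `iptables-save` text, and that the kernel switch in question is `net.ipv4.ip_forward` (readable at `/proc/sys/net/ipv4/ip_forward`), which is the setting that actually controls routing between interfaces. Both rulesets embedded in it are constructed samples, so it runs offline; the comment at the bottom shows how to feed it a live server's state.

```shell
#!/bin/sh
# Added example (not from the thread): check a dual-NIC LTSP server for
# (1) a FORWARD chain that does not pass eth0<->eth1 traffic and
# (2) IP forwarding disabled in the kernel.
# Interface names eth0 (clients) and eth1 (upstream) are assumed.

# Constructed sample of `iptables-save` output on a server whose FORWARD
# chain has no rules and a default policy of DROP: thin clients work
# (their apps run on the server), but nothing behind eth0 gets routed out.
BROKEN_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Same ruleset with the two forwarding rules a defender would add: client
# traffic may leave via eth1, and only replies to it may come back in.
FIXED_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Number of rules in the FORWARD chain of the iptables-save dump in $1.
# (grep -c exits 1 on zero matches; "|| true" keeps the count as the result.)
forward_rule_count() {
    printf '%s\n' "$1" | grep -c '^-A FORWARD ' || true
}

# Exit 0 if the FORWARD chain lets eth0->eth1 traffic out and only
# ESTABLISHED/RELATED traffic back in from eth1; exit 1 otherwise.
forward_chain_ok() {
    dump="$1"
    printf '%s\n' "$dump" | grep -q '^-A FORWARD -i eth0 -o eth1 .*-j ACCEPT' || return 1
    printf '%s\n' "$dump" | grep -q '^-A FORWARD -i eth1 -o eth0 .*ESTABLISHED,RELATED.*-j ACCEPT' || return 1
    return 0
}

# Exit 0 if the contents of /proc/sys/net/ipv4/ip_forward (passed in $1) is 1.
ip_forward_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Print a one-line verdict for a ruleset ($1) and an ip_forward value ($2).
diagnose() {
    dump="$1"
    flag="$2"
    if ! ip_forward_enabled "$flag"; then
        echo "ip_forward is off: the kernel will not route between eth0 and eth1"
    elif ! forward_chain_ok "$dump"; then
        echo "FORWARD chain has $(forward_rule_count "$dump") rule(s) and does not pass eth0<->eth1 traffic"
    else
        echo "forwarding looks fine"
    fi
}

# On a live server you would run, as root:
#   diagnose "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"
diagnose "$BROKEN_RULESET" "1"
diagnose "$FIXED_RULESET" "1"
diagnose "$FIXED_RULESET" "0"
```

The FIXED_RULESET shows the least-privilege shape of the fix: the client NIC is trusted outbound, the upstream NIC is only allowed to return answers to connections the clients opened, and INPUT on eth1 stays closed, so enabling forwarding does not reopen the server itself to the outside.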
