[redhat] Re: Remote Desktop/Firewall
Frank Reichenbacher
frank at bio-con.com
Mon May 3 02:54:59 UTC 2004
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> Sent: Tuesday, April 27, 2004 8:37 PM
> To: frank at bio-con.com; General Red Hat Linux discussion list
> Subject: Re: [redhat] Re: Remote Desktop/Firewall
>
>
> On April 27, 2004 07:46 pm, Frank Reichenbacher wrote:
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com
> > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> > > Sent: Tuesday, April 27, 2004 6:35 PM
> > > To: frank at bio-con.com; General Red Hat Linux discussion list
> > > Subject: [redhat] Re: Remote Desktop/Firewall
> > >
> > > On April 27, 2004 06:06 pm, Frank Reichenbacher wrote:
> > > > I have pmfirewall (www.pointman.org) running on my RH 7.0 server/LAN
> > > > Router on a home office setup. It is a simple but effective ipchains
> > > > firewall script.
> > > >
> > > > I need to use my WinXP desktop on the inside of the home firewall to
> > > > communicate with my office WinXP, which is inside a firewalled router
> > > > on a Win2K LAN. The home side outernet IP is 66.93.153.62, innernet IP
> > > > 192.168.1.2. The office side outernet IP is 64.232.168.34, the
> > > > innernet IP is 192.168.1.103.
> > > >
> > > > I didn't see in the script a place that closes off the RDP port 3389
> > > > specifically, so I added the following two rules at the end of the
> > > > script.
> > > >
> > > > $IPCHAINS -A input -p tcp -s 64.232.168.34 --source-port 3389 -d
> > > > 192.168.1.2 --destination-port 3389 -j ACCEPT
> > > >
> > > > I've also tried combinations of ports 0:65535, 3389 and there is
> > > > no difference. The logs show that the firewall is denying a return
> > > > of bits from the 64.232.168.34 IP on port 65535. I am contacting
> > > > the remote network, but it is blocked on my end from returning any
> > > > packets.
> > > >
> > > > When I run ipchains from the prompt, I see that port 3389 is open to
> > > > 64.232.168.34, I don't seem to see anything that appears to deny
> > > > it afterwards.
> > > >
> > > > Frank
> > >
> > > Frank,
> > > Do you have input, forward and output chains for that port? (as I
> > > recall, ipchains needs all 3 to make the path thru the firewall)
> > >
> > > Your routers/gateways must be doing NAT on the outside (presuming an
> > > internet connection), so it is not a destination of 192.168.1.2 that
> > > the input chain needs to allow, it is destination 66.93.153.62
> >
> > I'll check on the other stuff. If I allow 66.93.153.62, how do I then
> > get packets to 192.168.1.2?
> >
> > Frank
>
>
> It's been a while since I used IPchains, but I believe you want something
> like:
>
> $IPCHAINS -A input -p tcp -s 64.232.168.34 -sport 3389 -d 66.93.153.62 -dport
> 3389 -j REDIRECT 192.168.1.2
> $IPCHAINS -A forward -p tcp -d 192.168.1.2 -dport 3389 -j ACCEPT
> $IPCHAINS -A output -p tcp -d 192.168.1.2 -dport 3389 -j ACCEPT
Here's what didn't generate error messages when I restarted the
firewall:
$IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j REDIR 192.168.1.2 3389
$IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT
$IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT
(RH barks at REDIRECT)
And then this is what shows up in /var/log/messages:
May 2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)
It's always port 65535. It occurs to me that the Microsoft RDP is not
only using port 3389. I think my connection request is received by the
remote machine and then answered, but the firewall isn't allowing the
return packets to be received on the local machine. I've tried a dozen
configurations of port openings, but I admit that I have no idea of what
would be correct, and, of course, none of them work.
>
> You should have a look at:
> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IPCHAINS-HOWTO.html
I read this, but I am still too much of a newbie to be able to apply it
to my purpose. REDIRECT and REDIR, for example, are barely mentioned.
Frank
> --
> Pete Nesbitt, rhce
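The denied entry Frank pasted from /var/log/messages is the most useful clue in the thread, and it is worth reading mechanically rather than by eye. The parser below is an added example (not code from either poster, not part of pmfirewall) that takes ipchains "Packet log:" lines, decodes the PROTO= number by IANA protocol number, and reports whether a TCP/UDP port rule could ever match the dropped packet. It goes one step beyond the thread in stating what the log line says: PROTO=47 is GRE, a protocol with no port numbers at all (PPTP tunnels ride on it), so the 65535 after each address is filler rather than a port, and no combination of "-p tcp ... 3389" can admit it. The first sample line is the thread's own entry joined back onto one line; the other two lines, the syslog prefix format and the rule-number suffix handling are constructed for the example and assume Python 3.

```python
import re
from collections import Counter
from typing import Optional

# Layout of an ipchains "Packet log:" entry as the 2.2-series kernel prints it:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<p> <dst>:<p>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# IANA protocol numbers a small gateway is likely to log.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH"}

# Only TCP and UDP carry port numbers. For any other protocol the two numbers
# after the addresses are filler, so a rule written with "-p tcp" and a port
# can never match such a packet.
PORTED_PROTOS = {6, 17}

# Constructed sample input: the first line is the entry quoted in the thread,
# joined back onto one line; the second is a made-up TCP entry for contrast;
# the third is an unrelated syslog line the parser must ignore.
SAMPLE_LINES = [
    "May 2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 "
    "64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)",
    "May 2 19:36:01 mollynet kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "64.232.168.34:3389 66.93.153.62:1055 L=52 S=0x00 I=1234 F=0x4000 T=54 (#12)",
    "May 2 19:36:05 mollynet sshd[812]: Accepted password for frank from 192.168.1.2",
]


def parse_packet_log(line: str) -> Optional[dict]:
    """Return the fields of one ipchains log entry, or None for any other syslog line."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    ported = proto in PORTED_PROTOS
    return {
        "chain": m.group("chain"),
        "verdict": m.group("verdict"),
        "iface": m.group("iface"),
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "ports_meaningful": ported,
        # Port fields are only reported for protocols that actually have them.
        "sport": int(m.group("sport")) if ported else None,
        "dport": int(m.group("dport")) if ported else None,
        "length": int(m.group("length")),
        "ttl": int(m.group("ttl")),
        "rule": int(m.group("rule")) if m.group("rule") else None,
    }


def explain_denial(rec: dict) -> str:
    """One sentence saying whether a port-based rule could ever admit this packet."""
    if rec["verdict"] != "DENY":
        return f"{rec['proto_name']} {rec['src']} -> {rec['dst']}: not a denial"
    where = f"rule #{rec['rule']}" if rec["rule"] is not None else "the chain policy"
    if not rec["ports_meaningful"]:
        return (f"{rec['proto_name']} (IP protocol {rec['proto']}) from {rec['src']} "
                f"to {rec['dst']} denied on chain '{rec['chain']}' by {where}; "
                f"this protocol has no ports, so no TCP/UDP port rule can accept it")
    return (f"{rec['proto_name']} {rec['src']}:{rec['sport']} -> "
            f"{rec['dst']}:{rec['dport']} denied on chain '{rec['chain']}' by {where}")


def summarize_denials(lines) -> Counter:
    """Count DENY entries by (protocol name, source) to see what is really being dropped."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["verdict"] == "DENY":
            counts[(rec["proto_name"], rec["src"])] += 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_packet_log(sample)
        if parsed:
            print(explain_denial(parsed))
    print(dict(summarize_denials(SAMPLE_LINES)))
```

Run against a real /var/log/messages, summarize_denials() gives a quick table of which protocols and sources the firewall is actually dropping; a DENY that shows up under GRE or ESP rather than TCP tells you the fix is a protocol rule (or a different tunnelling setup), not yet another port to open.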
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list