[redhat] Re: Remote Desktop/Firewall

Frank Reichenbacher frank at bio-con.com
Mon May 3 02:54:59 UTC 2004



> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> Sent: Tuesday, April 27, 2004 8:37 PM
> To: frank at bio-con.com; General Red Hat Linux discussion list
> Subject: Re: [redhat] Re: Remote Desktop/Firewall
> 
> 
> On April 27, 2004 07:46 pm, Frank Reichenbacher wrote:
> > > -----Original Message-----
> > > From: redhat-list-bounces at redhat.com 
> > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> > > Sent: Tuesday, April 27, 2004 6:35 PM
> > > To: frank at bio-con.com; General Red Hat Linux discussion list
> > > Subject: [redhat] Re: Remote Desktop/Firewall
> > >
> > > On April 27, 2004 06:06 pm, Frank Reichenbacher wrote:
> > > > I have pmfirewall (www.pointman.org) running on my RH 7.0
> > >
> > > server/LAN
> > >
> > > > Router on a home office setup. It is a simple but effective
> > >
> > > ipchains
> > >
> > > > firewall script.
> > > >
> > > > I need to use my WinXP desktop on the inside of the home
> > >
> > > firewall to
> > >
> > > > communicate with my office WinXP, which is inside a
> > >
> > > firewalled router
> > >
> > > > on a Win2K LAN. The home side outernet IP is 66.93.153.62,
> > >
> > > innernet IP
> > >
> > > > 192.168.1.2. The office side outernet IP is 64.232.168.34, the 
> > > > innernet IP is 192.168.1.103.
> > > >
> > > > I didn't see in the script a place that closes off the RDP
> > >
> > > port 3389
> > >
> > > > specifically, so I added the following two rules at the 
> end of the 
> > > > script.
> > > >
> > > > $IPCHAINS -A input -p tcp -s 64.232.168.34 
> --source-port 3389 -d 
> > > > 192.168.1.2 --destination-port 3389 -j ACCEPT
> > > >
> > > > I've also tried combinations of ports 0:65535, 3389 and 
> there is 
> > > > no difference. The logs show that the firewall is 
> denying a return 
> > > > of bits from the 64.232.168.34 IP on port 65535. I am 
> contacting 
> > > > the remote network, but it is blocked on my end from 
> returning any 
> > > > packets.
> > > >
> > > > When I run ipchains from the prompt, I see that port 3389
> > >
> > > is open to
> > >
> > > > 64.232.168.34, I don't seem to see anything that 
> appears to deny 
> > > > it afterwards.
> > > >
> > > > Frank
> > >
> > > Frank,
> > > Do you have input, forward and output chains for that port? (as I 
> > > recall, ipchains needs all 3 to make the path thru the firewall)
> > >
> > > Your routers/gateways must be doing NAT on the outside 
> (presuming an 
> > > internet connection), so it is not a destination of 
> 192.168.1.2 that
> > > the input chain
> > > needs to allow, it is destination 66.93.153.62
> >
> > I'll check on the other stuff. If I allow 66.93.153.62, how 
> do I then 
> > get packets to 192.168.1.2?
> >
> > Frank
> 
> 
> It's been a while since I used IPchains, but I believe you 
> want something 
> like:
> 
> $IPCHAINS -A input -p tcp -s 64.232.168.34 -sport 3389 -d 
> 66.93.153.62 -dport 
> 3389  -j REDIRECT  192.168.1.2
> $IPCHAINS -A forward -p tcp -d 192.168.1.2 -dport 3389 -j 
> ACCEPT $IPCHAINS -A output -p tcp -d 192.168.1.2 -dport 3389 -j ACCEPT

Here's what didn't generate error messages when I restarted the
firewall:

$IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j
REDIR 192.168.1.2 3389
$IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT
$IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT

(RH barks at REDIRECT)

And then this is what shows up in /var/log/messages:
May  2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)

It's always port 65535. It occurs to me that the Microsoft RDP is not
only using port 3389. I think my connection request is received by the
remote machine and then answered, but the firewall isn't allowing the
return packets to be received on the local machine. I've tried a dozen
configurations of port openings, but I admit that I have no idea of what
would be correct, and, of course, none of them work.


> 
> You should have a look at: 
> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IPCHAINS-HOWTO.html

I read this, but I am still too much of a newbie to be able to apply it
to my purpose. REDIRECT and REDIR, for example, are barely mentioned.

Frank



-- 
Pete Nesbitt, rhce
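The logged DENY line above is the one concrete piece of evidence in the thread, and it says more than "port 65535". What follows is an added example, not code from the list or from either poster: a small Python parser for the ipchains "Packet log:" format, run over the line Frank posted plus one constructed TCP line for contrast. The protocol-number table is a subset I wrote in (IANA assignments), and the second sample line is made up. The point it makes visible is that PROTO=47 is GRE, a protocol with no port numbers at all, so ipchains prints 65535 in both port positions and a rule written as `-p tcp ... 3389` can never match that packet, no matter how the ports are chosen.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Subset of IANA protocol numbers (added here for the example).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

# Regex for the ipchains "Packet log:" format as it appears in the thread:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<ident>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# Sample input: the first line is the one from the thread; the second is a
# constructed TCP packet from the office host's port 3389, for contrast.
SAMPLE_LINES = [
    "May  2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 "
    "64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)",
    "May  2 19:40:01 mollynet kernel: Packet log: input DENY eth0 PROTO=6 "
    "64.232.168.34:3389 66.93.153.62:1044 L=60 S=0x00 I=100 F=0x4000 T=54 (#42)",
]


@dataclass
class PacketLog:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    rule: Optional[int]  # rule number is absent when the log came from the policy


def parse_packet_log(line: str) -> Optional[PacketLog]:
    """Parse one syslog line; return None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return PacketLog(
        chain=m["chain"], target=m["target"], iface=m["iface"],
        proto=int(m["proto"]), src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        rule=int(m["rule"]) if m["rule"] else None,
    )


def proto_name(entry: PacketLog) -> str:
    return PROTO_NAMES.get(entry.proto, f"proto {entry.proto}")


def has_ports(entry: PacketLog) -> bool:
    """Only TCP and UDP carry port numbers; for anything else ipchains fills
    the port fields with 65535 (0xFFFF), as the GRE line in the thread shows."""
    return entry.proto in (6, 17)


def matches_tcp_port_rule(entry: PacketLog, port: int) -> bool:
    """Could an ipchains rule of the form '-p tcp ... <port>' match this packet?
    It cannot unless the packet is TCP and one of its real ports equals <port>."""
    return entry.proto == 6 and port in (entry.sport, entry.dport)


def explain(entry: PacketLog) -> str:
    """One-line diagnosis of why a denied packet did or did not fit a TCP/3389 rule."""
    name = proto_name(entry)
    where = f"{entry.target} on chain '{entry.chain}' by rule #{entry.rule}"
    if has_ports(entry):
        return f"{name} {entry.src}:{entry.sport} -> {entry.dst}:{entry.dport} {where}"
    return (f"{name} {entry.src} -> {entry.dst} {where}; the 65535 values are "
            f"placeholders, not ports, so no '-p tcp'/'-p udp' rule can accept this packet")


def summarize(lines: List[str]) -> List[str]:
    """Diagnose every packet-log line in a list of syslog lines."""
    out = []
    for line in lines:
        entry = parse_packet_log(line)
        if entry is not None:
            out.append(explain(entry))
    return out


if __name__ == "__main__":
    for text in summarize(SAMPLE_LINES):
        print(text)
```

Running it prints one line per denied packet; the first reports GRE traffic between the two outside addresses, which no TCP rule in the thread can match, while the constructed second line shows what a genuine TCP/3389 return packet would look like. A practitioner reading Frank's log would next check what on the office side is sending GRE (protocol 47 is the carrier PPTP uses) and write a rule for that protocol, rather than keep varying TCP port numbers.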


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list