[redhat] Re: Remote Desktop/Firewall

Pete Nesbitt pete at linux1.ca
Mon May 3 15:10:41 UTC 2004


On May 2, 2004 07:54 pm, Frank Reichenbacher wrote:
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> > Sent: Tuesday, April 27, 2004 8:37 PM
> > To: frank at bio-con.com; General Red Hat Linux discussion list
> > Subject: Re: [redhat] Re: Remote Desktop/Firewall
> >
> > On April 27, 2004 07:46 pm, Frank Reichenbacher wrote:
> > > > -----Original Message-----
> > > > From: redhat-list-bounces at redhat.com
> > > > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> > > > Sent: Tuesday, April 27, 2004 6:35 PM
> > > > To: frank at bio-con.com; General Red Hat Linux discussion list
> > > > Subject: [redhat] Re: Remote Desktop/Firewall
> > > >
> > > > On April 27, 2004 06:06 pm, Frank Reichenbacher wrote:
> > > > > I have pmfirewall (www.pointman.org) running on my RH 7.0 server/LAN
> > > > > Router on a home office setup. It is a simple but effective ipchains
> > > > > firewall script.
> > > > >
> > > > > I need to use my WinXP desktop on the inside of the home firewall to
> > > > > communicate with my office WinXP, which is inside a firewalled router
> > > > > on a Win2K LAN. The home side outernet IP is 66.93.153.62, innernet IP
> > > > > 192.168.1.2. The office side outernet IP is 64.232.168.34, the
> > > > > innernet IP is 192.168.1.103.
> > > > >
> > > > > I didn't see in the script a place that closes off the RDP port 3389
> > > > > specifically, so I added the following two rules at the end of the
> > > > > script.
> > > > >
> > > > > $IPCHAINS -A input -p tcp -s 64.232.168.34 --source-port 3389 -d
> > > > > 192.168.1.2 --destination-port 3389 -j ACCEPT
> > > > >
> > > > > I've also tried combinations of ports 0:65535, 3389 and there is
> > > > > no difference. The logs show that the firewall is denying a return
> > > > > of bits from the 64.232.168.34 IP on port 65535. I am contacting
> > > > > the remote network, but it is blocked on my end from returning any
> > > > > packets.
> > > > >
> > > > > When I run ipchains from the prompt, I see that port 3389 is open to
> > > > > 64.232.168.34, I don't seem to see anything that appears to deny
> > > > > it afterwards.
> > > > >
> > > > > Frank
> > > >
> > > > Frank,
> > > > Do you have input, forward and output chains for that port? (as I
> > > > recall, ipchains needs all 3 to make the path thru the firewall)
> > > >
> > > > Your routers/gateways must be doing NAT on the outside (presuming an
> > > > internet connection), so it is not a destination of 192.168.1.2 that
> > > > the input chain
> > > > needs to allow, it is destination 66.93.153.62
> > >
> > > I'll check on the other stuff. If I allow 66.93.153.62, how do I then
> > > get packets to 192.168.1.2?
> > >
> > > Frank
> >
> > It's been a while since I used IPchains, but I believe you want something
> > like:
> >
> > $IPCHAINS -A input -p tcp -s 64.232.168.34 -sport 3389 -d 66.93.153.62 -dport
> > 3389  -j REDIRECT  192.168.1.2
> > $IPCHAINS -A forward -p tcp -d 192.168.1.2 -dport 3389 -j ACCEPT
> > $IPCHAINS -A output -p tcp -d 192.168.1.2 -dport 3389 -j ACCEPT
>
> Here's what didn't generate error messages when I restarted the
> firewall:
>
> $IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j
> REDIR 192.168.1.2 3389
> $IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT
> $IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT
>
> (RH barks at REDIRECT)
>
> And then this is what shows up in /var/log/messages:
> May  2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47
> 64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54
> (#42)
>
> It's always port 65535. It occurs to me that the Microsoft RDP is not
> only using port 3389. I think my connection request is received by the
> remote machine and then answered, but the firewall isn't allowing the
> return packets to be received on the local machine. I've tried a dozen
> configurations of port openings, but I admit that I have no idea of what
> would be correct, and, of course, none of them work.
 <snip>
> Frank
>

Frank,
Aside from this RDP service, can you confirm the firewall is correctly passing 
packets? Is the routing table correct to pass things back and forth?

Are IP Masquerading & ICMP Masquerading both enabled in the kernel?

Can you confirm the port exchanges for RDP (protocols, and what the server uses 
as a source/destination when it responds)?

IP forwarding should also be enabled. To enable it, add the following to 
/etc/rc.local or execute it at the command line:
echo "1" > /proc/sys/net/ipv4/ip_forward
(if working  'cat /proc/sys/net/ipv4/ip_forward'  will return "1")

I remember ipchains had a rule testing command; there are also a number of 
options you may look at for status, "ipchains -L forward" for example.

What other error messages in the logs?

One option: if Windows has something like tcpdump, use that; or else set the linux box 
as a router, not a firewall, and monitor a successful connection to see what 
ports are used.
-- 
Pete Nesbitt, rhce
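Pete asks what the logs show and what protocols and ports the RDP exchange actually uses. A small parser for the 2.2-kernel ipchains "Packet log:" lines, written here as an added example (it is not code from the thread or from pmfirewall), pulls those answers out of /var/log/messages. The DENY line it is fed is the one Frank posted; the ACCEPT line is constructed for contrast. The protocol-number table uses IANA assignments (6 = TCP, 17 = UDP, 47 = GRE); only TCP and UDP carry port numbers, so for any other protocol the parser refuses to read the two numeric fields after the addresses as ports.

```python
import re

# IANA protocol numbers; enough to read the log lines in this thread.
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}
PORT_PROTOS = {6, 17}  # only TCP and UDP have real source/destination ports

# Layout of a 2.2-kernel ipchains log line, after the syslog prefix:
#   Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<a> <dst>:<b>
#               L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<a>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<b>\d+) "
    r"L=(?P<length>\d+) .*?T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)

# The line Frank quoted from /var/log/messages.
DENY_LINE = ("May  2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 "
             "64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)")

# Constructed line showing what a TCP packet looks like in the same format.
TCP_LINE = ("May  2 19:40:01 mollynet kernel: Packet log: forward ACCEPT eth0 PROTO=6 "
            "64.232.168.34:3389 192.168.1.2:1045 L=60 S=0x00 I=1 F=0x4000 T=54 (#7)")


def parse_ipchains_log(line):
    """Return a dict of the packet fields, or None if the line is not an ipchains log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    rec = {
        "chain": d["chain"],
        "verdict": d["verdict"],
        "iface": d["iface"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "proto-%d" % proto),
        "src": d["src"],
        "dst": d["dst"],
        "length": int(d["length"]),
        "ttl": int(d["ttl"]),
        "rule": int(d["rule"]) if d["rule"] else None,
        "sport": None,
        "dport": None,
    }
    # The two numbers after the addresses are ports only for TCP and UDP;
    # for anything else they carry no port meaning and are left as None.
    if proto in PORT_PROTOS:
        rec["sport"] = int(d["a"])
        rec["dport"] = int(d["b"])
    return rec


def explain(rec):
    """One-line reading of a parsed record, aimed at rule debugging."""
    where = "%s chain %s on %s" % (rec["chain"], rec["verdict"], rec["iface"])
    if rec["sport"] is not None:
        return "%s: %s %s:%d -> %s:%d" % (where, rec["proto_name"], rec["src"],
                                          rec["sport"], rec["dst"], rec["dport"])
    return ("%s: %s (protocol %d) %s -> %s; no ports for this protocol, so "
            "rules written for tcp/udp port matches cannot apply to it"
            % (where, rec["proto_name"], rec["proto"], rec["src"], rec["dst"]))


def summarize(lines):
    """Explain every ipchains log line in an iterable of syslog lines."""
    return [explain(r) for r in map(parse_ipchains_log, lines) if r]


if __name__ == "__main__":
    for text in summarize([DENY_LINE, TCP_LINE, "unrelated syslog line"]):
        print(text)
```

Run against a real /var/log/messages the parser gives a per-line answer to the question in the reply: which chain dropped the packet, under which protocol number, and whether the numbers after the addresses were ports at all.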