[redhat] Re: Remote Desktop/Firewall

Frank Reichenbacher frank at bio-con.com
Tue May 4 01:37:05 UTC 2004 


> -----Original Message-----
> From: redhat-list-bounces at redhat.com 
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> Sent: Monday, May 03, 2004 8:11 AM
> To: frank at bio-con.com; General Red Hat Linux discussion list
> Subject: Re: [redhat] Re: Remote Desktop/Firewall


<snip>


> > > It's been a while since I used IPchains, but I beleive you want 
> > > something
> > > like:
> > >
> > > $IPCHAINS -A input -p tcp -s 64.232.168.34 -sport 3389 -d 
> > > 66.93.153.62 -dport 3389  -j REDIRECT  192.168.1.2
> > > $IPCHAINS -A forward -p tcp -d 192.168.1.2 -dport 3389 -j
> > > ACCEPT $IPCHAINS -A output -p tcp -d 192.168.1.2 -dport 
> 3389 -j ACCEPT
> >
> > Here's what didn't generate error messages when I restarted the
> > firewall:
> >
> > $IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 
> 66.93.153.62 3389 
> > -j REDIR 192.168.1.2 3389 $IPCHAINS -A forward -p tcp -d 
> 192.168.1.2 
> > 3389 -j ACCEPT $IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j 
> > ACCEPT
> >
> > (RH barks at REDIRECT)
> >
> > And then this is what shows up in /var/log/messages:
> > May  2 19:35:25 mollynet kernel: Packet log: input DENY 
> eth0 PROTO=47 
> > 64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 
> > T=54
> > (#42)
> >
> > It's always port 65535. It occurs to me that the Microsoft 
> RDP is not 
> > only using port 3389. I think my connection request is 
> received by the 
> > remote machine and then answered, but the firewall isn't 
> allowing the 
> > return packets to be received on the local machine. I've 
> tried a dozen 
> > configurations of port openings, but I admit that I have no idea of 
> > what would be correct, and, of course, none of them work.
>  <snip>
> > Frank
> >
> 
> Frank,
> Aside from this RDP service, can you confirm the firewall is 
> correctly passing 
> packets? Is the routing table correct to pass things back and forth?

Yes absolutely. I've been using this machine as a home network gateway
and firewall (and I run a website and email server on it, the latter
even earns me money) very successfully for about 2 years(?) Pmfirewall
is great. Part of the reason I'm so blindingly ignorant is that I
haven't had to think about it. 


> 
> Are IP Masquerading & ICMP Masquerading both enabled in the kernel?

Yes definitely. I'm looking at the pmfirewall script, which consists of
several components. The initiating script speficially allows incoming
and outgoing icmp and then calls a masquerading script. 


> 
> Can you confirm the port exchanges for RDP (protocols and 
> what the server uses 
> as a source/destination when it responds?

I looked it up as best I could in several Internet sources and all I
could find is that RDP uses port 3389.


> 
> IPForwarding should also be enabled. To enable it add the 
> following to 
> /etc/rc.local or execute at command:
> echo "1" > /proc/sys/net/ipv4/ip_forward

This statement is already in pmfirewall and it appears to run correctly.


> (if working  'cat /proc/sys/net/ipv4/ip_forward'  will return "1")
> 
> I remember ipchains had a rule testing command, there are 
> also a number of 
> options you may look at for ststus "ipchains -L forward" for example.


Here are the three statements I inserted at the end of the pmfirewall
script:
$IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j
REDIR 192.168.1.2 3389 
$IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT 
$IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT

Running "ipchains -L input" appears to show that the first statement
above is not loading, so that must be what the error message refers to
when I try to restart pmfirewall. 

"ipchains -L input" shows (among other entries):
ACCEPT   tcp    anywhere    192.168.1.2    any->  3389


"ipchains -L output" shows (among other entries):
ACCEPT   tcp    anywhere    192.168.1.2    any->  3389

Now I strongly suspect there is something wrong with the syntax of the
input statement. I tried several different variations, but could not
find one that would appear to do what I want that would not produce an
error message. The message BTW is, "Try '/sbin/ipchains -h' or
'/sbin/ipchains --help' for more information." If I rem out the
statement and then restart pmfirewall, the message does not appear.


> 
> What other error messages in the logs?

Hundreds of messages a day reflecting denials from a wide variety of IP
addresses, but nothing, I think, out of the ordinary. 


> 
> One option, if windows has something like tcpdump, or else 
> set the linux box 
> as a router, not a firewall, and monitor a successful 
> connection to see what 
> ports are used.

You mean shut down my firewall -- on purpose? 

Ho brother, does that make me nervous, but I guess I can do it for a
couple of minutes.

Frank



> -- 
> Pete Nesbitt, rhce
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>

More information about the redhat-list mailing list