[redhat] Re: Remote Desktop/Firewall

Pete Nesbitt pete at linux1.ca
Tue May 4 04:46:49 UTC 2004


On May 3, 2004 06:37 pm, Frank Reichenbacher wrote:
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> > Sent: Monday, May 03, 2004 8:11 AM
> > To: frank at bio-con.com; General Red Hat Linux discussion list
> > Subject: Re: [redhat] Re: Remote Desktop/Firewall
>
> <snip>
>

> >  <snip>
> >
> > > Frank
> >
> > Frank,
> > Aside from this RDP service, can you confirm the firewall is
> > correctly passing
> > packets? Is the routing table correct to pass things back and forth?
>
> Yes absolutely. I've been using this machine as a home network gateway
> and firewall (and I run a website and email server on it, the latter
> even earns me money) very successfully for about 2 years(?) Pmfirewall
> is great. Part of the reason I'm so blindingly ignorant is that I
> haven't had to think about it.
>
> > Are IP Masquerading & ICMP Masquerading both enabled in the kernel?
>
> Yes definitely. I'm looking at the pmfirewall script, which consists of
> several components. The initiating script specifically allows incoming
> and outgoing icmp and then calls a masquerading script.
>
> > Can you confirm the port exchanges for RDP (protocols and
> > what the server uses
> > as a source/destination when it responds?
>
> I looked it up as best I could in several Internet sources and all I
> could find is that RDP uses port 3389.
>
> > IPForwarding should also be enabled. To enable it add the
> > following to
> > /etc/rc.local or execute at command:
> > echo "1" > /proc/sys/net/ipv4/ip_forward
>
> This statement is already in pmfirewall and it appears to run correctly.
>
> > (if working  'cat /proc/sys/net/ipv4/ip_forward'  will return "1")
> >
> > I remember ipchains had a rule testing command, there are
> > also a number of
> > options you may look at for status "ipchains -L forward" for example.
>
> Here are the three statements I inserted at the end of the pmfirewall
> script:
> $IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j
> REDIR 192.168.1.2 3389
> $IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT
> $IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT
>
> Running "ipchains -L input" appears to show that the first statement
> above is not loading, so that must be what the error message refers to
> when I try to restart pmfirewall.
>
> "ipchains -L input" shows (among other entries):
> ACCEPT   tcp    anywhere    192.168.1.2    any->  3389
>
>
> "ipchains -L output" shows (among other entries):
> ACCEPT   tcp    anywhere    192.168.1.2    any->  3389
>
> Now I strongly suspect there is something wrong with the syntax of the
> input statement. I tried several different variations, but could not
> find one that would appear to do what I want that would not produce an
> error message. The message BTW is, "Try '/sbin/ipchains -h' or
> '/sbin/ipchains --help' for more information." If I rem out the
> statement and then restart pmfirewall, the message does not appear.
>
> > What other error messages in the logs?
>
> Hundreds of messages a day reflecting denials from a wide variety of IP
> addresses, but nothing, I think, out of the ordinary.
>
> > One option, if windows has something like tcpdump, or else
> > set the linux box
> > as a router, not a firewall, and monitor a successful
> > connection to see what
> > ports are used.
>
> You mean shut down my firewall -- on purpose?
>
> Ho brother, does that make me nervous, but I guess I can do it for a
> couple of minutes.
>
> Frank
>
> > --
> > Pete Nesbitt, rhce

Frank,
Don't stop the fw yet, here are a few other thoughts.... 

The error you're getting "Try '/sbin/ipchains -h' or '/sbin/ipchains --help' for 
more information." is definitely a syntax error.
You need to add the --sport and --dport in your rules. 

You may also want to add the interface reference.
EXT_IF="eth0"
LAN_IF="eth1"

Try removing the local port references so on outbound, only the --dport 
matters, and on inbound, only the source port matters. That way if your client 
side uses something else, it should still work.

Try:
$IPCHAINS -A input  -i $EXT_IF -p tcp -s 64.232.168.34 --sport 3389  -j REDIR 192.168.1.2
$IPCHAINS -A forward  -p tcp -d 192.168.1.2 --sport 3389 -j ACCEPT
$IPCHAINS -A output  -i $LAN_IF -p tcp -d 192.168.1.2 --sport 3389 -j ACCEPT

You probably also need to add the rules in both directions.
outside->fw->inside
inside->fw->outside

(there was also some "redirect" problems with kernels 2.4.5 and 2.4.13)

-- 
Pete Nesbitt, rhce
