Re: [redhat] Re: Remote Desktop/Firewall

From: Pete Nesbitt (pete_at_linux1.ca)
Date: 05/03/04

  • Next message: Matthew Saltzman: "Re: Help Needed"
    To: frank@bio-con.com, General Red Hat Linux discussion list <redhat-list@redhat.com>
    Date: Mon, 3 May 2004 08:10:41 -0700
    
    

    On May 2, 2004 07:54 pm, Frank Reichenbacher wrote:
    > > -----Original Message-----
    > > From: redhat-list-bounces@redhat.com
    > > [mailto:redhat-list-bounces@redhat.com] On Behalf Of Pete Nesbitt
    > > Sent: Tuesday, April 27, 2004 8:37 PM
    > > To: frank@bio-con.com; General Red Hat Linux discussion list
    > > Subject: Re: [redhat] Re: Remote Desktop/Firewall
    > >
    > > On April 27, 2004 07:46 pm, Frank Reichenbacher wrote:
    > > > > -----Original Message-----
    > > > > From: redhat-list-bounces@redhat.com
    > > > > [mailto:redhat-list-bounces@redhat.com] On Behalf Of Pete Nesbitt
    > > > > Sent: Tuesday, April 27, 2004 6:35 PM
    > > > > To: frank@bio-con.com; General Red Hat Linux discussion list
    > > > > Subject: [redhat] Re: Remote Desktop/Firewall
    > > > >
    > > > > On April 27, 2004 06:06 pm, Frank Reichenbacher wrote:
    > > > > > I have pmfirewall (www.pointman.org) running on my RH 7.0 server/LAN
    > > > > > Router on a home office setup. It is a simple but effective ipchains
    > > > > > firewall script.
    > > > > >
    > > > > > I need to use my WinXP desktop on the inside of the home firewall to
    > > > > > communicate with my office WinXP, which is inside a firewalled router
    > > > > > on a Win2K LAN. The home side outernet IP is 66.93.153.62, innernet IP
    > > > > > 192.168.1.2. The office side outernet IP is 64.232.168.34, the
    > > > > > innernet IP is 192.168.1.103.
    > > > > >
    > > > > > I didn't see in the script a place that closes off the RDP port 3389
    > > > > > specifically, so I added the following two rules at the end of the
    > > > > > script.
    > > > > >
    > > > > > $IPCHAINS -A input -p tcp -s 64.232.168.34 --source-port 3389 -d
    > > > > > 192.168.1.2 --destination-port 3389 -j ACCEPT
    > > > > >
    > > > > > I've also tried combinations of ports 0:65535, 3389 and there is
    > > > > > no difference. The logs show that the firewall is denying a return
    > > > > > of bits from the 64.232.168.34 IP on port 65535. I am contacting
    > > > > > the remote network, but it is blocked on my end from returning any
    > > > > > packets.
    > > > > >
    > > > > > When I run ipchains from the prompt, I see that port 3389 is open to
    > > > > > 64.232.168.34, I don't seem to see anything that appears to deny
    > > > > > it afterwards.
    > > > > >
    > > > > > Frank
    > > > >
    > > > > Frank,
    > > > > Do you have input, forward and output chains for that port? (as I
    > > > > recall, ipchains needs all 3 to make the path thru the firewall)
    > > > >
    > > > > Your routers/gateways must be doing NAT on the outside (presuming an
    > > > > internet connection), so it is not a destination of 192.168.1.2 that
    > > > > the input chain needs to allow, it is destination 66.93.153.62
    > > >
    > > > I'll check on the other stuff. If I allow 66.93.153.62, how do I then
    > > > get packets to 192.168.1.2?
    > > >
    > > > Frank
    > >
    > > It's been a while since I used IPchains, but I believe you want something
    > > like:
    > >
    > > $IPCHAINS -A input -p tcp -s 64.232.168.34 -sport 3389 -d 66.93.153.62 -dport 3389 -j REDIRECT 192.168.1.2
    > > $IPCHAINS -A forward -p tcp -d 192.168.1.2 -dport 3389 -j ACCEPT
    > > $IPCHAINS -A output -p tcp -d 192.168.1.2 -dport 3389 -j ACCEPT
    >
    > Here's what didn't generate error messages when I restarted the
    > firewall:
    >
    > $IPCHAINS -A input -p tcp -s 64.232.168.34 3389 -d 66.93.153.62 3389 -j
    > REDIR 192.168.1.2 3389
    > $IPCHAINS -A forward -p tcp -d 192.168.1.2 3389 -j ACCEPT
    > $IPCHAINS -A output -p tcp -d 192.168.1.2 3389 -j ACCEPT
    >
    > (RH barks at REDIRECT)
    >
    > And then this is what shows up in /var/log/messages:
    > May 2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47
    > 64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54
    > (#42)
    >
    > It's always port 65535. It occurs to me that the Microsoft RDP is not
    > only using port 3389. I think my connection request is received by the
    > remote machine and then answered, but the firewall isn't allowing the
    > return packets to be received on the local machine. I've tried a dozen
    > configurations of port openings, but I admit that I have no idea of what
    > would be correct, and, of course, none of them work.
     <snip>
    > Frank
    >

    Frank,
    Aside from this RDP service, can you confirm the firewall is correctly passing
    packets? Is the routing table correct to pass things back and forth?

    Are IP Masquerading & ICMP Masquerading both enabled in the kernel?

    Can you confirm the port exchanges for RDP (protocols, and what the server uses
    as a source/destination when it responds)?

    IPForwarding should also be enabled. To enable it add the following to
    /etc/rc.local or execute at command:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    (if working 'cat /proc/sys/net/ipv4/ip_forward' will return "1")

    I remember ipchains had a rule testing command; there are also a number of
    options you may look at for status, "ipchains -L forward" for example.

    What other error messages in the logs?

    One option: if Windows has something like tcpdump, use it; otherwise set the
    Linux box up as a router, not a firewall, and monitor a successful connection
    to see what ports are used.

    -- 
    Pete Nesbitt, rhce
    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
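
    The DENY line quoted above reads PROTO=47 with 65535 in both port positions.
    As an added illustration (not part of the thread, and not code from either
    poster), the Python below parses ipchains "Packet log:" lines, decodes the
    IANA protocol number (47 is GRE, the carrier protocol used by PPTP VPN
    tunnels among other things; the thread does not say what is generating it),
    and reports whether a "-p tcp ... 3389" rule could ever have matched the
    packet. The ipchains rule it suggests is an assumption on my part that uses
    the numeric form of -p, not a rule from the thread; the log format comment
    describes the 2.2-era ipchains logger.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IANA IP protocol numbers relevant here (47 = GRE, the one in the quoted log).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
PORT_PROTOS = (6, 17)   # only TCP and UDP carry real ports in this log format

# ipchains packet-log format (kernel 2.2 era):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<p> <dst>:<p> L=<len>
#               S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
# For protocols without ports the two port fields hold the placeholder 65535.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sp>\d+) (?P<dst>[\d.]+):(?P<dp>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)


@dataclass
class PacketLog:
    chain: str
    target: str
    iface: str
    proto: int
    src: str
    dst: str
    sport: Optional[int]      # None unless the protocol carries ports
    dport: Optional[int]
    length: int
    ttl: int
    rule: Optional[int]       # rule number in the chain, if logged

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")


def parse_packet_log(line: str) -> Optional[PacketLog]:
    """Parse one syslog line; return None if it is not an ipchains packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m["proto"])
    ports = proto in PORT_PROTOS
    return PacketLog(
        chain=m["chain"], target=m["target"], iface=m["iface"], proto=proto,
        src=m["src"], dst=m["dst"],
        sport=int(m["sp"]) if ports else None,
        dport=int(m["dp"]) if ports else None,
        length=int(m["len"]), ttl=int(m["ttl"]),
        rule=int(m["rule"]) if m["rule"] else None,
    )


def rdp_rule_could_match(entry: PacketLog, rdp_port: int = 3389) -> bool:
    """True only if a '-p tcp ... port 3389' ACCEPT rule could have matched this packet."""
    return entry.proto == 6 and rdp_port in (entry.sport, entry.dport)


def explain_denial(entry: PacketLog, rdp_port: int = 3389) -> str:
    """One-line diagnosis of a DENY/REJECT entry in the context of the RDP rules."""
    if entry.target not in ("DENY", "REJECT"):
        return f"{entry.chain}/{entry.target}: not a drop, nothing to explain"
    where = f"{entry.src} -> {entry.dst} on {entry.iface}, chain {entry.chain}, rule #{entry.rule}"
    if rdp_rule_could_match(entry, rdp_port):
        return f"TCP {rdp_port} traffic dropped ({where}): the RDP rule exists but does not match"
    if entry.proto in PORT_PROTOS:
        return f"{entry.proto_name} {entry.sport}->{entry.dport} dropped ({where}): not RDP at all"
    # Hypothetical rule, assumed here: ipchains accepts a protocol number after -p.
    return (f"{entry.proto_name} (IP protocol {entry.proto}) dropped ({where}): it has no ports, "
            f"the logged 65535 is a placeholder, and no tcp/udp port rule can match it; "
            f"it needs a rule like: ipchains -A {entry.chain} -p {entry.proto} "
            f"-s {entry.src} -d {entry.dst} -j ACCEPT")


# The DENY line quoted in the thread above.
THREAD_LOG = ("May 2 19:35:25 mollynet kernel: Packet log: input DENY eth0 PROTO=47 "
              "64.232.168.34:65535 66.93.153.62:65535 L=65 S=0x00 I=52375 F=0x0000 T=54 (#42)")

if __name__ == "__main__":
    print(explain_denial(parse_packet_log(THREAD_LOG)))
```

    Run on the quoted line it reports GRE rather than TCP, which is why adding
    TCP 3389 rules in any chain makes no difference to that log entry. Note
    also that stock 2.2 masquerading rewrites TCP, UDP and ICMP; whether a
    portless protocol can be passed through to an inside host depends on the
    kernel having a helper for it, which is worth checking before adding rules.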
    
