Re: Newbie help!! NFS/CUPS/Iptables
From: Tim (admin_at_sheerhell.lan)
Date: 09/26/03
- Previous message: check: "Core Architecture - Linux Vs Windows"
- Next in thread: Allen McIntosh: "Re: Newbie help!! NFS/CUPS/Iptables"
- Maybe reply: Allen McIntosh: "Re: Newbie help!! NFS/CUPS/Iptables"
- Maybe reply: Allen McIntosh: "Re: Newbie help!! NFS/CUPS/Iptables"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 27 Sep 2003 03:22:37 +0930
On Fri, 26 Sep 2003 18:11:37 +0200,
"Lady-M" <sorry-no-email@newsgroups.com> wrote:
> I even managed to get NFS working... but only when I de-activated Iptables.
> But I would like to have a firewall up and running with full powers.
>
> Besides from NFS, I discovered that I need to install my printer to the
> server (CUPS protocol) and guess what, it's being blocked by... Iptables...
>
> I have been searching for solutions with Google (what would I do without
> it?) but can't seem to find something that's helpful to me. Perhaps because
> (almost) everything is in English and I'm Dutch...
>
> So, heeeeeeeeeeeeeeeeeeeeeelp.....
>
> What I did find was how to block NFS and CUPS:
> ----------------------------------------------------
> iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
> iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
> iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
> iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
> iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
> iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
>
> ----------------------------------------------------
>
> But I don't have any clues to
> a) what it means (no help from any source)
Try searching through "The Linux Documentation Project."
> b) how to convert it to "accept"...
Change "DROP" to "ACCEPT." But you'll want to tailor your filters to
block internet access, while allowing LAN access. It's probably more
understandable with unabbreviated rules.
e.g. Assuming that eth0 was the internet and eth1 was the LAN
(substitute the correct interfaces, and create the other rules, to suit
your own system).
# iptables --append INPUT --protocol tcp --in-interface eth0 --destination-port 515 --jump DROP
# iptables --append INPUT --protocol tcp --in-interface eth1 --destination-port 515 --jump ACCEPT
(Those are two long command lines, written after a hash mark. Don't
type the hash, and make sure that what's one line here, is entered as
one line on your system - when you do the same sort of thing.)
Your original example has -s 0/0 and -d 0/0 meaning "any" source or
destination address. They're redundant. If you want to tighten those
rules, to prevent address spoofing (e.g. denying outside connection
attempts using internal addresses, and vice versa), you could do that
there, or have a more global rule for everything. It's kind of
redundant, if you're already disallowing *all* outside connection to
that service, but you may have more relaxed rules elsewhere.
e.g. If your internal network was 192.168.0.xxx then rules like the
following would guard against address spoofing:
# iptables --append INPUT --jump DROP --in-interface eth0 --source 192.168.0.0/24
# iptables --append INPUT --jump DROP --in-interface eth1 \! --source 192.168.0.0/24
(The first rule drops external connections with faked internal source
addresses, the second one drops internal connections that don't have
internal source addresses. Same as before, regarding two long command
lines, and the hash marks.)
> in order to get as much help as possible, this was posted in 3
> newsgroups. If that's not allowed, I do apologise!
Cross posting will get you ignored by the older and wiser users
(especially if you post to a lot of groups and don't set a followup-to
header to point all replies to the one group), who're more likely to
have the answers that you want, and it will annoy people who don't have
access to the other groups, who have to adjust their replies to remove
the other groups before they can post.
I've killed the cross posts (in my reply), because I can't post to
groups not available to me.
-- My "from" address is totally fake. (Hint: If I wanted e-mails from complete strangers, I'd have put a real one, there.) Reply to usenet postings in the same place as you read the message you're replying to.
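The ruleset Tim sketches above (anti-spoofing rules first, then per-service DROP on the internet interface and ACCEPT on the LAN interface), written out as an added example that is not part of Tim's post or the thread. The interface names eth0/eth1 and the LAN prefix 192.168.0.0/24 are placeholders carried over from the post; a default INPUT policy of DROP is assumed. Ports 111, 2049 and 515 are the ones the thread discusses; 631/tcp is added because that is the port CUPS itself listens on for IPP, a fact not stated in the post. The script never calls iptables: it prints the command lines for review and includes a small first-match simulator (`decide`) so you can check what a given packet would hit before applying anything.

```sh
#!/bin/sh
# Added example, not code from the original post. Generates (does not apply)
# an iptables INPUT ruleset for NFS and printing that is LAN-only, and
# simulates iptables' first-match evaluation over the same table.
WAN_IF=${WAN_IF:-eth0}                # assumption: internet-facing interface
LAN_IF=${LAN_IF:-eth1}                # assumption: LAN interface
LAN_NET=${LAN_NET:-192.168.0.0/24}    # assumption: the 192.168.0.xxx LAN

# 111 sunrpc/portmapper, 2049 nfs, 515 lpd (from the thread);
# 631 is CUPS' own IPP listener (not mentioned in the post, added here).
SERVICE_PORTS="111 2049 515 631"

# Rule table, one rule per line, first match wins:
#   iface  negate  srcnet  proto  dport  target      ('-' means "any")
# Anti-spoofing rules come first so they are evaluated before any ACCEPT.
rule_table() {
    echo "$WAN_IF - $LAN_NET - - DROP"    # internet packet claiming a LAN source
    echo "$LAN_IF ! $LAN_NET - - DROP"    # LAN packet with a non-LAN source
    for p in $SERVICE_PORTS; do
        for proto in tcp udp; do
            echo "$WAN_IF - - $proto $p DROP"
            echo "$LAN_IF - $LAN_NET $proto $p ACCEPT"
        done
    done
}

# Render the table as the long-option iptables commands used in the post.
iptables_commands() {
    rule_table | while read -r iface neg net proto port target; do
        cmd="iptables --append INPUT --in-interface $iface"
        if [ "$net" != "-" ]; then
            [ "$neg" = "!" ] && cmd="$cmd !"
            cmd="$cmd --source $net"
        fi
        [ "$proto" != "-" ] && cmd="$cmd --protocol $proto --destination-port $port"
        echo "$cmd --jump $target"
    done
}

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR CIDR -> exit 0 if ADDR lies inside CIDR.
in_net() {
    n_net=${2%/*}; n_bits=${2#*/}
    n_mask=$(( (0xffffffff << (32 - n_bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & n_mask )) -eq $(( $(ip2int "$n_net") & n_mask )) ]
}

# decide IFACE SRC PROTO DPORT -> prints the target of the first matching rule,
# or DROP (the assumed chain policy) when nothing matches.
decide() {
    result=$(rule_table | while read -r iface neg net proto port target; do
        [ "$iface" = "$1" ] || continue
        if [ "$net" != "-" ]; then
            if in_net "$2" "$net"; then hit=yes; else hit=no; fi
            if [ "$neg" = "!" ]; then
                [ "$hit" = yes ] && continue
            else
                [ "$hit" = no ] && continue
            fi
        fi
        if [ "$proto" != "-" ]; then
            [ "$proto" = "$3" ] && [ "$port" = "$4" ] || continue
        fi
        echo "$target"
        break
    done)
    echo "${result:-DROP}"
}

# Review the commands, then feed them to a root shell only once you are happy.
iptables_commands
echo "eth0 192.168.0.7 tcp 2049 -> $(decide eth0 192.168.0.7 tcp 2049)"   # spoofed
echo "eth1 192.168.0.7 tcp 2049 -> $(decide eth1 192.168.0.7 tcp 2049)"   # LAN NFS
```

Two caveats worth knowing when you apply this to a real box. First, the anti-spoofing lines must be appended before the ACCEPT lines, as the table does, because iptables stops at the first match. Second, ports 111 and 2049 are only enough for the NFS server itself; with NFSv3 the helper daemons (mountd, lockd, statd) take ports assigned by the portmapper unless you pin them in their configuration, so a LAN client may still fail to mount until those ports are pinned and added to SERVICE_PORTS.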