[redhat] Re: Remote Desktop/Firewall

Pete Nesbitt pete at linux1.ca
Wed Apr 28 03:37:03 UTC 2004


On April 27, 2004 07:46 pm, Frank Reichenbacher wrote:
> > -----Original Message-----
> > From: redhat-list-bounces at redhat.com
> > [mailto:redhat-list-bounces at redhat.com] On Behalf Of Pete Nesbitt
> > Sent: Tuesday, April 27, 2004 6:35 PM
> > To: frank at bio-con.com; General Red Hat Linux discussion list
> > Subject: [redhat] Re: Remote Desktop/Firewall
> >
> > On April 27, 2004 06:06 pm, Frank Reichenbacher wrote:
> > > I have pmfirewall (www.pointman.org) running on my RH 7.0 server/LAN
> > > Router on a home office setup. It is a simple but effective ipchains
> > > firewall script.
> > >
> > > I need to use my WinXP desktop on the inside of the home firewall to
> > > communicate with my office WinXP, which is inside a firewalled router
> > > on a Win2K LAN. The home side outernet IP is 66.93.153.62, innernet IP
> > > 192.168.1.2. The office side outernet IP is 64.232.168.34, the
> > > innernet IP is 192.168.1.103.
> > >
> > > I didn't see in the script a place that closes off the RDP port 3389
> > > specifically, so I added the following two rules at the end of the
> > > script.
> > >
> > > $IPCHAINS -A input -p tcp -s 64.232.168.34 --source-port 3389 -d
> > > 192.168.1.2 --destination-port 3389 -j ACCEPT
> > >
> > > I've also tried combinations of ports 0:65535, 3389 and there is no
> > > difference. The logs show that the firewall is denying a return of
> > > bits from the 64.232.168.34 IP on port 65535. I am contacting the
> > > remote network, but it is blocked on my end from returning any
> > > packets.
> > >
> > > When I run ipchains from the prompt, I see that port 3389 is open to
> > > 64.232.168.34, I don't seem to see anything that appears to deny it
> > > afterwards.
> > >
> > > Frank
> >
> > Frank,
> > Do you have input, forward and output chains for that port? (as I recall,
> > ipchains needs all 3 to make the path thru the firewall)
> >
> > Your routers/gateways must be doing NAT on the outside (presuming an internet
> > connection), so it is not a destination of 192.168.1.2 that the input chain
> > needs to allow, it is destination 66.93.153.62
>
> I'll check on the other stuff. If I allow 66.93.153.62, how do I then
> get packets to 192.168.1.2?
>
> Frank


It's been a while since I used IPchains, but I believe you want something 
like:

$IPCHAINS -A input -p tcp -s 64.232.168.34 --sport 3389 -d 66.93.153.62 --dport 
3389  -j REDIRECT  192.168.1.2
$IPCHAINS -A forward -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT
$IPCHAINS -A output -p tcp -d 192.168.1.2 --dport 3389 -j ACCEPT

You should have a look at:
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/IPCHAINS-HOWTO.html
-- 
Pete Nesbitt, rhce
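Added example, not part of this thread or of pmfirewall: an ipchains rule set for the direction Frank's first message describes, the home desktop connecting out to the office RDP server through the masquerading home gateway, with only reply packets allowed back in. The addresses come from the thread; the interface names eth0/eth1 and the kernel's default masquerade port range 61000-65095 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege ipchains rules for the
# home desktop connecting OUT to the office RDP server through a 2.2-era
# masquerading gateway.  Assumed: external interface eth0, internal eth1,
# default masquerade port range 61000-65095.
OFFICE_EXT=64.232.168.34      # office router's public address (RDP server side)
HOME_EXT=66.93.153.62         # home gateway's public address
HOME_DESKTOP=192.168.1.2      # the only LAN host allowed to use RDP
RDP_PORT=3389
MASQ_PORTS=61000:65095        # source ports the gateway uses when masquerading
EXT_IF=eth0; LAN_IF=eth1      # assumed interface names
IPCHAINS=${IPCHAINS:-ipchains}

# With DRY_RUN=1 the rules are printed for review instead of applied.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

rdp_rules() {
  # Outbound leg, in the order ipchains sees it: input (LAN side) -> forward
  # (masqueraded on the way out) -> output (external side).
  run $IPCHAINS -A input   -i $LAN_IF -p tcp -s $HOME_DESKTOP -d $OFFICE_EXT $RDP_PORT -j ACCEPT
  run $IPCHAINS -A forward -i $EXT_IF -p tcp -s $HOME_DESKTOP -d $OFFICE_EXT $RDP_PORT -j MASQ
  run $IPCHAINS -A output  -i $EXT_IF -p tcp -d $OFFICE_EXT $RDP_PORT -j ACCEPT
  # Return leg: replies arrive addressed to the PUBLIC address on a masquerade
  # port, not to 192.168.1.2:3389, and after demasquerading go straight to the
  # output chain.  "! -y" accepts only non-SYN packets, so nothing outside can
  # open a new connection through this hole.
  run $IPCHAINS -A input  -i $EXT_IF -p tcp ! -y -s $OFFICE_EXT $RDP_PORT -d $HOME_EXT $MASQ_PORTS -j ACCEPT
  run $IPCHAINS -A output -i $LAN_IF -p tcp ! -y -s $OFFICE_EXT $RDP_PORT -d $HOME_DESKTOP -j ACCEPT
  # Detection: log (-l) and drop any attempt from the Internet to reach RDP on
  # the gateway's public address, so probes show up in the kernel log.
  run $IPCHAINS -A input -i $EXT_IF -p tcp -d $HOME_EXT $RDP_PORT -l -j DENY
}

case "${1:-}" in
  show)  DRY_RUN=1 rdp_rules ;;     # sh rdp-rules.sh show  -> print the rules
  apply) rdp_rules ;;               # sh rdp-rules.sh apply -> install (as root)
esac
```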
