Re: iptables and Remote Desktop Connection problems

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Have you tried disabling the firewall to see if it works???

Also certain types of Remote Desktop software send GRE type packets that
can't be forwarded via NAT.

I hope some of this might help.

On Thu, 2004-10-28 at 21:05, Edward wrote:
> I'm sorry to ask a Windows based question, but I believe it is the Linux 
> iptables firewall that is causing the problem.
> 
> My brother and wife will be in Europe as of tomorrow, wanting to be able 
> to go to an internet cafe, and with no other requisites, take over a 
> Windows box on their local LAN.
> 
> Ofcourse they leave today, and asked me to set this up yesterday, so any 
> urgency is appreciated.
> 
> I'm running Fedora core 1 on the box with the firewall blocking anything 
> suspect I know of.
> 
> I've set up a no-ip address for their dynamic address. This part is 
> working fine.
> 
> I've set up Remote Desktop Connection via the web on the target (host) 
> PC, and this is also working flawlessly...INTERNALLY...
> 
> I hit the box with the URL (names changed to protect the immense 
> security risk I'm creating but my brother refuses to care about):
> 
> http://<dynamicaddress>.hopto.org:<port>/tsweb/
> 
> This works flawlessly internally. <dynamicaddress>.hopto.org resolves 
> correctly, and the box pops up in my browser.
> 
> However, externally it's another story. I get the RDC screen where you 
> put in the computer name and screen size, after it downloads the 
> required ActiveX control from the host box.
> 
> If I put in the computer name - it tells me it can't find that host on 
> the network.
> 
> If I try to put in the internal ip address, lets call it <internalip>, 
> it tells me the host is busy or a network problem.
> 
> According to ALL the docs I've read on how to set this up, all I need to 
> forward are ports 3389 and <port> which defaults to 80, but can be any 
> arbitrary number.
> 
> (I've tried with both 80 AND <port>, just to eliminate stupidity).
> 
> Here's my iptables script:
> 
> ---
> 
> #!/bin/sh
> #
> # rc.firewall-2.4
> FWVER=0.73
> #
> #               Initial SIMPLE IP Masquerade test for 2.4.x kernels
> #               using IPTABLES.
> #
> #               Once IP Masquerading has been tested, with this simple
> #               ruleset, it is highly recommended to use a stronger
> #               IPTABLES ruleset either given later in this HOWTO or
> #               from another reputable resource.
> #
> #
> #
> # Log:
> #       0.73 - REJECT is not a legal policy yet; back to DROP
> #       0.72 - Changed the default block behavior to REJECT not DROP
> #       0.71 - Added clarification that PPPoE users need to use
> #              "ppp0" instead of "eth0" for their external interface
> #       0.70 - Added commented option for IRC nat module
> #            - Added additional use of environment variables
> #            - Added additional formatting
> #       0.63 - Added support for the IRC IPTABLES module
> #       0.62 - Fixed a typo on the MASQ enable line that used eth0
> #              instead of $EXTIF
> #       0.61 - Changed the firewall to use variables for the internal
> #              and external interfaces.
> #       0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
> #              all forwarded packets but it didn't have a rule to ACCEPT
> #              any packets to be forwarded either
> #            - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
> #       0.50 - Initial draft
> #
> 
> echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
> 
> 
> 
> # The location of the iptables and kernel module programs
> #
> #   If your Linux distribution came with a copy of iptables,
> #   most likely all the programs will be located in /sbin.  If
> #   you manually compiled iptables, the default location will
> #   be in /usr/local/sbin
> #
> # ** Please use the "whereis iptables" command to figure out
> # ** where your copy is and change the path below to reflect
> # ** your setup
> #
> IPTABLES=/sbin/iptables
> #IPTABLES=/usr/local/sbin/iptables
> DEPMOD=/sbin/depmod
> INSMOD=/sbin/insmod
> FPMAIN=<internalip>
> RDPPORT=<port>
> 
> 
> #Setting the EXTERNAL and INTERNAL interfaces for the network
> #
> #  Each IP Masquerade network needs to have at least one
> #  external and one internal network.  The external network
> #  is where the natting will occur and the internal network
> #  should preferably be addressed with a RFC1918 private address
> #  scheme.
> #
> #  For this example, "eth0" is external and "eth1" is internal"
> #
> #
> #  NOTE:  If this doesnt EXACTLY fit your configuration, you must
> #         change the EXTIF or INTIF variables above. For example:
> #
> #            If you are a PPPoE or analog modem user:
> #
> #               EXTIF="ppp0"
> #
> #
> EXTIF="ppp0"
> INTIF="ath0"
> echo "   External Interface:  $EXTIF"
> echo "   Internal Interface:  $INTIF"
> 
> 
> #======================================================================
> #== No editing beyond this line is required for initial MASQ testing ==
> 
> 
> echo -en "   loading modules: "
> 
> # Need to verify that all modules have all required dependencies
> #
> echo "  - Verifying that all kernel modules are ok"
> $DEPMOD -a
> 
> # With the new IPTABLES code, the core MASQ functionality is now either
> # modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
> # options as MODULES.  If your kernel is compiled correctly, there is
> # NO need to load the kernel modules manually.
> #
> #  NOTE: The following items are listed ONLY for informational reasons.
> #        There is no reason to manual load these modules unless your
> #        kernel is either mis-configured or you intentionally disabled
> #        the kernel module autoloader.
> #
> 
> # Upon the commands of starting up IP Masq on the server, the
> # following kernel modules will be automatically loaded:
> #
> # NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
> #        modules are shown below but are commented out from loading.
> # ===============================================================
> 
> echo 
> "----------------------------------------------------------------------"
> 
> #Load the main body of the IPTABLES module - "iptable"
> #  - Loaded automatically when the "iptables" command is invoked
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_tables, "
> $INSMOD ip_tables
> 
> 
> #Load the IPTABLES filtering module - "iptable_filter"
> #  - Loaded automatically when filter policies are activated
> 
> 
> #Load the stateful connection tracking framework - "ip_conntrack"
> #
> # The conntrack  module in itself does nothing without other specific
> # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
> # module
> #
> #  - This module is loaded automatically when MASQ functionality is
> #    enabled
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_conntrack, "
> $INSMOD ip_conntrack
> 
> 
> #Load the FTP tracking mechanism for full FTP tracking
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -en "ip_conntrack_ftp, "
> $INSMOD ip_conntrack_ftp
> 
> 
> #Load the IRC tracking mechanism for full IRC tracking
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -en "ip_conntrack_irc, "
> $INSMOD ip_conntrack_irc
> 
> 
> #Load the general IPTABLES NAT code - "iptable_nat"
> #  - Loaded automatically when MASQ functionality is turned on
> #
> #  - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "iptable_nat, "
> $INSMOD iptable_nat
> 
> 
> #Loads the FTP NAT functionality into the core IPTABLES code
> # Required to support non-PASV FTP.
> #
> # Enabled by default -- insert a "#" on the next line to deactivate
> #
> echo -en "ip_nat_ftp, "
> $INSMOD ip_nat_ftp
> 
> 
> #Loads the IRC NAT functionality into the core IPTABLES code
> # Require to support NAT of IRC DCC requests
> #
> # Disabled by default -- remove the "#" on the next line to activate
> #
> #echo -e "ip_nat_irc"
> #$INSMOD ip_nat_irc
> 
> echo 
> "----------------------------------------------------------------------"
> 
> # Just to be complete, here is a list of the remaining kernel modules
> # and their function.  Please note that several modules should be only
> # loaded by the correct master kernel module for proper operation.
> # --------------------------------------------------------------------
> #
> #    ipt_mark       - this target marks a given packet for future action.
> #                     This automatically loads the ipt_MARK module
> #
> #    ipt_tcpmss     - this target allows to manipulate the TCP MSS
> #                     option for braindead remote firewalls.
> #                     This automatically loads the ipt_TCPMSS module
> #
> #    ipt_limit      - this target allows for packets to be limited to
> #                     to many hits per sec/min/hr
> #
> #    ipt_multiport  - this match allows for targets within a range
> #                     of port numbers vs. listing each port individually
> #
> #    ipt_state      - this match allows to catch packets with various
> #                     IP and TCP flags set/unset
> #
> #    ipt_unclean    - this match allows to catch packets that have invalid
> #                     IP/TCP flags set
> #
> #    iptable_filter - this module allows for packets to be DROPped,
> #                     REJECTed, or LOGged.  This module automatically
> #                     loads the following modules:
> #
> #                     ipt_LOG - this target allows for packets to be
> #                               logged
> #
> #                     ipt_REJECT - this target DROPs the packet and returns
> #                                  a configurable ICMP packet back to the
> #                                  sender.
> #
> #    iptable_mangle - this target allows for packets to be manipulated
> #                     for things like the TCPMSS option, etc.
> 
> echo -e "   Done loading modules.\n"
> 
> 
> 
> #CRITICAL:  Enable IP forwarding since it is disabled by default since
> #
> #           Redhat Users:  you may try changing the options in
> #                          /etc/sysconfig/network from:
> #
> #                       FORWARD_IPV4=false
> #                             to
> #                       FORWARD_IPV4=true
> #
> echo "   Enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> 
> # Dynamic IP users:
> #
> #   If you get your IP address dynamically from SLIP, PPP, or DHCP,
> #   enable this following option.  This enables dynamic-address hacking
> #   which makes the life with Diald and similar programs much easier.
> #
> echo "   Enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> 
> 
> # Enable simple IP forwarding and Masquerading
> #
> #  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
> #
> #  NOTE #2:  The following is an example for an internal LAN address in the
> #            192.168.0.x network with a 255.255.255.0 or a "24" bit 
> subnet mask
> #            connecting to the Internet on external interface "eth0".  This
> #            example will MASQ internal traffic out to the Internet but not
> #            allow non-initiated traffic into your internal network.
> #
> #
> #         ** Please change the above network numbers, subnet mask, and your
> #         *** Internet connection interface name to match your setup
> #
> 
> 
> #Clearing any previous configuration
> #
> #  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
> #    The default for FORWARD is DROP (REJECT is not a valid policy)
> #
> 
> LSMOD=/sbin/lsmod
> DEPMOD=/sbin/depmod
> INSMOD=/sbin/insmod
> GREP=/bin/grep
> AWK=/bin/awk
> SED=/bin/sed
> IFCONFIG=/sbin/ifconfig
> EXTIP="`$IFCONFIG $EXTIF | $AWK \
>   /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
> echo " I think the external IP is: " $EXTIP
> 
> echo "   Clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> 
> echo "   FWD: Allow all connections OUT and only existing and related 
> ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state 
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> 
> #Added for RDP
> echo "Setting up FPMain for Remote Desktop Connection"
> $IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $FPMAIN --dport 3389 
> -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d $FPMAIN --dport 
> $RDPPORT -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 
> 1024:65535 --dport 3889 -j DNAT --to $FPMAIN:3389
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --sport 
> 1024:65535 --dport $RDPPORT -j DNAT --to $FPMAIN:$RDPPORT
> 
> echo "	Dropping NetBIOS Requests from outside"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 137:139 -j DROP
> $IPTABLES -A INPUT -i $EXTIF -p udp --dport 137:139 -j DROP
> 
> echo "	Dropping ICMP from outside"
> $IPTABLES -A INPUT -i $EXTIF -p icmp -j DROP
> $IPTABLES -A FORWARD -j LOG
> 
> echo "	Dropping SSH from outside"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j DROP
> 
> echo "	Dropping outside SMTP"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j DROP
> 
> echo "	Dropping outside POP"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j DROP
> 
> echo "	Dropping outside Ident"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j DROP
> 
> echo "	Dropping outside Remote Grab"
> $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 7000 -j DROP
> 
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> 
> 
> echo -e "\nDone.\n"
> 
> ---
> 
> I've used the same sort of "forwarding" idea on another server to send 
> emule packets to my Windows box and that works.
> 
> I'm using the same syntax here to forward 3398 and <port> to 
> <internalip> internally. (I think).
> 
> Any idea what could be wrong?
> 
> Oh, and obviously <dynamicaddress>, <internalip>, and <port> are real 
> values, I've just hidden them here because I'm anal about security.
> 
> Regards,
> Ed.


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux