Nickbuds
asked on
Remote Desktop to WinXP Pro through Debian Linux firewall
Hi y'all, got a toughie for yaz:
I am sitting at home trying to connect to a WinXP machine inside my company network (in another city), but it doesn't work, obviously because the traffic to port 3389 is stopped at our Debian Linux firewall. Anybody know how to configure the firewall to let traffic to 3389 through?
I tried this:
/home/me# iptables -A tcp_inbound -p TCP -s 0/0 --destination-port 3389 -j ACCEPT
then I restarted the Linux machine and tried to connect, but still get a "not able to connect".
I know that there is nothing wrong with the Remote Desktop setup because I can connect from another machine inside the company network.
Which logs on Linux should I check to see what is happening?
How do I configure the firewall properly?
ASKER
I also know that the router between our network and the internet is letting 3389 traffic through because of the above info... there wouldn't be those lines in my Linux log if nothing had gotten through the router to Linux (or am I wrong?).
Does the firewall have a web interface? Try connecting to your firewall via the web. Typically it will use a non-standard port such as 81 or 441 (for SSL).
ASKER
The router firewall? Why? I can access it through telnet. It is configured properly. The traffic is stopping at the Linux firewall behind the router.
ASKER
Maybe the problem is that I am not forwarding the port traffic, I am just accepting it... that seriously is probably the problem... now I just need to know what the proper syntax is for Debian iptables forwarding.
ASKER
The Linux box has 2 interfaces:
10.0.0.4 (facing the router to the internet)
192.168.0.29 (facing inwards to the intranet)
I have now got these lines in my /etc/network/if-up.d/firewall.sh file:
# Prerouting chain
$IPT -t nat -A PREROUTING -i $INET_FACE --protocol tcp --sport 1: --dport 3389 -j DNAT --to 192.168.0.48:3389
but when I run the firewall script I get the following error:
Loading kernel modules ...
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Load rules for mangle table ...
The 'tcp' it is referring to is in the line above, my prerouting chain. As far as I can see the syntax is correct..
ASKER
Administrators: should this be reposted in the Linux area? No networking experts seem to be helping/know what to do...?
Yes, the problem does seem to be port forwarding. I made the comment about the web interface because if it is available, it may be easier for you to find the required configuration options such as port forwarding.
ASKER
I found out how to do it myself (this is in Norwegian):
http://www.websynergy.no/diskusjonsforum/topic.asp?TOPIC_ID=503&SearchTerms=port,forwarding
The problem was that I was operating with the wrong firewall; the one that gets loaded when /etc/init.d/networking starts up is /etc/openvpn/firewall.sh
Put this in the forward chain:
# rdesktop
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 3389 -j ACCEPT
and this in the prerouting chain:
# rdesktop
$IPT -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to IP-of-machine-running-remote-desktop-server
After this I stopped and restarted the firewall:
sh /etc/openvpn/firewall.sh stop
sh /etc/openvpn/firewall.sh start
BOOYEAH!
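An added example, not the thread's /etc/openvpn/firewall.sh or the asker's code: the same port forward with both FORWARD directions written out and the source limited to one known address, so 3389 is not open to the whole internet. $IPT, $INET_IFACE and 192.168.0.48 are taken from the thread; LAN_IFACE, eth0/eth1 and HOME_IP are assumptions (HOME_IP is a TEST-NET-3 placeholder), and setting IPT="echo iptables" prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread). $IPT, $INET_IFACE and 192.168.0.48
# follow the thread's script; LAN_IFACE, eth0/eth1 and HOME_IP are assumed.
IPT="${IPT:-iptables}"             # IPT="echo iptables" = dry run
INET_IFACE="${INET_IFACE:-eth0}"   # outside interface (the 10.0.0.4 side)
LAN_IFACE="${LAN_IFACE:-eth1}"     # inside interface (the 192.168.0.29 side)
RDP_HOST="${RDP_HOST:-192.168.0.48}"
RDP_PORT="${RDP_PORT:-3389}"
HOME_IP="${HOME_IP:-203.0.113.10}" # placeholder: the address you connect from

# Likely cause of the thread's "Bad argument `tcp'" (an assumption, not
# stated there): that rule used $INET_FACE instead of $INET_IFACE, so with
# the variable unset "-i" consumed "--protocol" as the interface name and
# "tcp" was left over as a stray argument. Quoting every variable below
# makes an unset name fail loudly instead of silently changing the rule.
rdp_forward_rules() {
    # 1. nat/PREROUTING: rewrite the destination before the routing
    #    decision, so the packet is forwarded to the RDP host instead of
    #    ending in the firewall's own INPUT chain (which is where the
    #    thread's "INPUT packet died ... DPT=3389" log lines came from).
    $IPT -t nat -A PREROUTING -i "$INET_IFACE" -s "$HOME_IP" -p tcp \
        --dport "$RDP_PORT" -j DNAT --to-destination "$RDP_HOST:$RDP_PORT"
    # 2. filter/FORWARD, outside -> inside: the new connection. An ACCEPT
    #    in INPUT (the thread's first attempt) never sees forwarded traffic.
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -s "$HOME_IP" \
        -d "$RDP_HOST" -p tcp --dport "$RDP_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. filter/FORWARD, inside -> outside: replies only. conntrack reverses
    #    the DNAT on the way back, so no extra nat rule is needed for that.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$RDP_HOST" \
        -p tcp --sport "$RDP_PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Forwarding also needs the kernel switch the thread's script already sets
# (net.ipv4.ip_forward = 1); returns 0 when it is on.
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Rules are only applied when explicitly requested (run as root).
if [ "${APPLY_RDP_RULES:-no}" = "yes" ]; then
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
    rdp_forward_rules
fi
```

Run it with `IPT="echo iptables" sh firewall-rdp.sh` first and compare the printed rules with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` after applying.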
I think Nickbuds' request to receive his expert points for himself is valid. I feel the points should go toward whoever answers the question regardless of their specific status. That is assuming it's a legitimate question. Safeguards should be in place to prevent someone from posting and answering their own question just to receive points, though.
ASKER
Nov 10 18:09:56 localhost kernel: INPUT packet died: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:x REC=0x00 TTL=109 ID=46768 DF PROTO=TCP SPT=65466 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 10 18:09:59 localhost kernel: INPUT packet died: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:x REC=0x00 TTL=109 ID=46769 DF PROTO=TCP SPT=65466 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0