• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 424

Remote Desktop to WinXP Pro through Debian Linux firewall

Hi ya'll, got a toughie for yaz:
I am sitting at home trying to connect to a winxp machine inside my company network (in another city) but it doesn't work obviously because the traffic to port 3389 is stopped at our Linux Debian firewall. Anybody know how to configure the firewall to let traffic to 3389 through?
I tried this:
/home/me# iptables -A tcp_inbound -p TCP -s 0/0 --destination-port 3389 -j ACCEPT

Then I restarted the Linux machine and tried to connect, but I still get a "not able to connect".
I know that there is nothing wrong with the Remote Desktop setup because I can connect from another machine inside the company network.

Which logs on Linux should I check to see what is happening?
How do I configure the firewall properly?
Asked by: Nickbuds
Nickbuds (Author) commented:
Here's some data from my syslog:

Nov 10 18:09:56 localhost kernel: INPUT packet died: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=82.xxx.xx.xxx DST=10.0.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=46768 DF PROTO=TCP SPT=65466 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0

Nov 10 18:09:59 localhost kernel: INPUT packet died: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=82.xxx.xx.xxx DST=10.0.0.4 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=46769 DF PROTO=TCP SPT=65466 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
0
 
Nickbuds (Author) commented:
I also know that the router between our network and the internet is letting 3389 traffic through because of the above info... there wouldn't be those lines in my Linux log if nothing had gotten through the router to Linux (or am I wrong?).
0
 
wjc7662 commented:
Does the firewall have a web interface? Try connecting to your firewall via the web. Typically it will use a non-standard port such as 81 or 441 (for SSL).
0
 
Nickbuds (Author) commented:
The router firewall? Why? I can access it through telnet. It is configured properly. The traffic is stopping at the Linux firewall behind the router.
0
 
Nickbuds (Author) commented:
Maybe the problem is that I am not forwarding the port traffic, I am just accepting it... that seriously is probably the problem. Now I just need to know what the proper syntax is for Debian iptables forwarding.
0
 
Nickbuds (Author) commented:
The Linux box has 2 interfaces:
10.0.0.4 (facing the router to the internet)
192.168.0.29 (facing inwards to the intranet)
I have now got these lines in my /etc/network/if-up.d/firewall.sh file:
# Prerouting chain
$IPT -t nat -A PREROUTING -i $INET_FACE --protocol tcp --sport 1: --dport 3389 -j DNAT --to 192.168.0.48:3389

But when I run the firewall script I get the following error:
Loading kernel modules ...
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Bad argument `tcp'
Try `iptables -h' or 'iptables --help' for more information.
Load rules for mangle table ...

The 'tcp' it is referring to is in the line above, my PREROUTING chain. As far as I can see the syntax is correct...
0
 
Nickbuds (Author) commented:
Administrators: should this be reposted in the Linux area? No networking experts seem to be helping/know what to do...
0
 
wjc7662 commented:
Yes, the problem does seem to be port forwarding. I made the comment about the web interface because if it is available, it may be easier for you to find the required configuration options such as port forwarding.
0
 
Nickbuds (Author) commented:
I found out how to do it myself (this is in Norwegian):
http://www.websynergy.no/diskusjonsforum/topic.asp?TOPIC_ID=503&SearchTerms=port,forwarding

The problem was that I was operating with the wrong firewall; the one that gets loaded when /etc/init.d/networking starts up is /etc/openvpn/firewall.sh.

Put this in the FORWARD chain:
# rdesktop
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 3389 -j ACCEPT

And this in the PREROUTING chain:
# rdesktop
$IPT -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to IP-of-machine-running-remote-desktop-server

After this I stopped and restarted the firewall:
sh /etc/openvpn/firewall.sh stop
sh /etc/openvpn/firewall.sh start

BOOYEAH!
0
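As an added example (not the poster's firewall.sh and not from the linked Norwegian thread), the script below packages the two rules above into a small POSIX shell script: DNAT in PREROUTING to rewrite the destination, the matching FORWARD rule, the return path, and a logged DROP for every other source. The interface names eth0 (outside, 10.0.0.4) and eth1 (inside, 192.168.0.29) and the allowed client address 203.0.113.10 are assumed placeholders; 192.168.0.48 is the RDP host named earlier in the thread. It uses the `-m state` match, which is what the iptables of that period offered.

```shell
#!/bin/sh
# Added example: DNAT port forwarding for Remote Desktop through a
# two-interface Debian iptables firewall, restricted to one client address.
# Interface names and the allowed client address are constructed placeholders.
set -eu

IPT="${IPT:-iptables}"                      # set IPT="echo iptables" to print instead of load
INET_IFACE="${INET_IFACE:-eth0}"            # outside interface (10.0.0.4, toward the router)
LAN_IFACE="${LAN_IFACE:-eth1}"              # inside interface (192.168.0.29, toward the LAN)
RDP_HOST="${RDP_HOST:-192.168.0.48}"        # machine running Remote Desktop
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10}"  # the one address allowed in (constructed, TEST-NET-3)
RDP_PORT=3389

# Refuse to run with an empty variable. An unset interface name turns
# "-i $INET_IFACE -p tcp" into "-i -p tcp": iptables then takes "-p" as the
# interface and rejects the stray word with "Bad argument `tcp'".
check_vars() {
    for v in INET_IFACE LAN_IFACE RDP_HOST ALLOWED_SRC; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "error: $v is unset" >&2; return 1; }
    done
}

# Emit (or load, depending on $IPT) the full rule set for one forwarded port.
# $IPT is deliberately unquoted so that "echo iptables" splits into two words.
rdp_forward_rules() {
    check_vars || return 1
    # 1. nat table: rewrite the destination of inbound RDP packets to the LAN host,
    #    so they traverse FORWARD instead of dying in INPUT on the firewall itself.
    $IPT -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -s "$ALLOWED_SRC" \
        --dport "$RDP_PORT" -j DNAT --to-destination "$RDP_HOST:$RDP_PORT"
    # 2. filter table: allow the rewritten connection from outside to inside.
    $IPT -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -p tcp -s "$ALLOWED_SRC" \
        -d "$RDP_HOST" --dport "$RDP_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    # 3. filter table: allow the replies back out.
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -p tcp -s "$RDP_HOST" \
        --sport "$RDP_PORT" -m state --state ESTABLISHED -j ACCEPT
    # 4. Anyone else trying 3389 gets logged (rate-limited) and dropped, so
    #    unexpected attempts are visible in syslog like the "packet died" lines.
    $IPT -A FORWARD -i "$INET_IFACE" -p tcp --dport "$RDP_PORT" \
        -m limit --limit 5/min -j LOG --log-prefix "RDP denied: "
    $IPT -A FORWARD -i "$INET_IFACE" -p tcp --dport "$RDP_PORT" -j DROP
}

case "${1:-dry-run}" in
    apply)   rdp_forward_rules ;;                      # needs root
    dry-run) IPT="echo iptables"; rdp_forward_rules ;; # just print the commands
    *)       echo "usage: $0 apply|dry-run" >&2; exit 2 ;;
esac
```

Run it as root with `apply` to load the rules, or with no argument to print them. Two things in the thread are worth reading against this script. The syslog lines show `INPUT packet died ... DST=10.0.0.4`: the packet is addressed to the firewall's own outside address, so an ACCEPT in the INPUT chain can never deliver it to the XP box; the DNAT rule changes the destination so the packet goes through FORWARD instead, which is why both rules were needed. And the first attempt accepted 3389 from `0/0`, which exposes Remote Desktop to the whole internet; limiting the source to the address you connect from, or reaching RDP over the VPN this box already runs (/etc/openvpn), keeps the exposure to a single host. The "Bad argument `tcp'" error is consistent with `$INET_FACE` being unset in the failing script (the working version uses `$INET_IFACE`), which is the case the `check_vars` guard catches; this is an inference from the two scripts quoted above, not something the thread states.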
 
wjc7662 commented:
I think Nickbuds' request to receive his expert points for himself is valid. I feel the points should go toward whoever answers the question regardless of their specific status, that is, assuming it's a legitimate question. Safeguards should be in place to prevent someone from posting and answering their own question just to receive points, though.
0
 
CetusMOD commented:
Closed, 500 points refunded.
CetusMOD
Community Support Moderator
0
