Solved

iptables restrict user from accessing server

Posted on 2011-03-06
5
759 Views
Last Modified: 2013-12-06
Hi all,

i have samba running on linux, and application called quickbooks.see the ports running on linux machine under codes.

under iptables i set following:

#enable samba sharing for Quickbooks
iptables -A INPUT -p UDP -s 0/0 --dport 137 -j okay
iptables -A INPUT -p UDP -s 0/0 --dport 138 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 139 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 445 -j okay

#Quickbook Ports
iptables -A INPUT -p TCP -s 0/0 --dport 55333:55347 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 56720 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 8019:8021 -j okay

user can access share files under under samba, but when i connect to quickbooks using quickbooks software, it wan't let me untill iptables disabled, i don't know if that is caused by samba or quickbooks port can you help?

thanks
[root@server~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3235/hpiod
tcp        0      0 0.0.0.0:10050               0.0.0.0:*                   LISTEN      5964/zabbix_agentd
tcp        0      0 0.0.0.0:55338               0.0.0.0:*                   LISTEN      16621/QBDBMgrN_20
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3362/mysqld
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2881/portmap
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      3576/beremote
tcp        0      0 0.0.0.0:8019                0.0.0.0:*                   LISTEN      16656/qbmonitord
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3403/sendmail: acce
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:989                 0.0.0.0:*                   LISTEN      2927/rpc.statd
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3240/python
tcp        0      0 :::55338                    :::*                        LISTEN      16621/QBDBMgrN_20
tcp        0      0 :::10000                    :::*                        LISTEN      3576/beremote
tcp        0      0 :::22                       :::*                        LISTEN      3258/sshd
udp        0      0 10.1.0.2:137               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               3537/nmbd
udp        0      0 10.1.0.2:138               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:45012               0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:983                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:986                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2881/portmap
udp        0      0 :::47748                    :::*                                    3638/avahi-daemon:
udp        0      0 :::5353                     :::*                                    3638/avahi-daemon:

Open in new window

0
Comment
Question by:uknet80
5 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35046874
Try this:

iptables -A INPUT -p tcp --dport SERVER_PORT_NUM -m state --state ESTABLISHED,RELATED -j ACCEPT
0
 
LVL 3

Accepted Solution

by:
nickswanjan earned 167 total points
ID: 35046934
When iptables is blocking packets, but you don't know what is being blocked, it helps to log all dropped packets so you can add a rule to allow the desired traffic.

1) Add the logging commands:

iptables -A INPUT -j LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 7
iptables -A LOGDROP -j DROP

2) Attempt to access the server with iptables running.

3) Use the dmesg command to view the results. At the bottom, you will see something like:

[IPTABLES DROP] : IN=eth0 OUT= (followed by address, port and protocol info)

4) Create a rule to allow the dropped traffic.
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 167 total points
ID: 35047669
you have to make sure that writes are enabled on the share given quickbooks uses a file for a transaction log.

Add an explicit rule, as nickswanjan suggested at the end of your iptables and see which port iptables blocks when you are using quickbooks.
0
 
LVL 3

Assisted Solution

by:oppofwar
oppofwar earned 166 total points
ID: 35055455
Are you sure quicbook runs on tcp port only and doesnt utilize UDP ports

try the below lines and use iptables-save to save the rules

#Quickbook Ports
iptables -I INPUT -p udp -s 0/0 --dport 55333:55347 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 56720 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 8019:8021 -j ACCEPT
0
 

Author Closing Comment

by:uknet80
ID: 35120029
thanks to all
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
The purpose of this article is to demonstrate how we can upgrade Python from version 2.7.6 to Python 2.7.10 on the Linux Mint operating system. I am using an Oracle Virtual Box where I have installed Linux Mint operating system version 17.2. Once yo…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.

943 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

4 Experts available now in Live!

Get 1:1 Help Now