Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 782
  • Last Modified:

iptables restrict user from accessing server

Hi all,

i have samba running on linux, and application called quickbooks.see the ports running on linux machine under codes.

under iptables i set following:

#enable samba sharing for Quickbooks
iptables -A INPUT -p UDP -s 0/0 --dport 137 -j okay
iptables -A INPUT -p UDP -s 0/0 --dport 138 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 139 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 445 -j okay

#Quickbook Ports
iptables -A INPUT -p TCP -s 0/0 --dport 55333:55347 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 56720 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 8019:8021 -j okay

user can access share files under under samba, but when i connect to quickbooks using quickbooks software, it wan't let me untill iptables disabled, i don't know if that is caused by samba or quickbooks port can you help?

thanks
[root@server~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3235/hpiod
tcp        0      0 0.0.0.0:10050               0.0.0.0:*                   LISTEN      5964/zabbix_agentd
tcp        0      0 0.0.0.0:55338               0.0.0.0:*                   LISTEN      16621/QBDBMgrN_20
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3362/mysqld
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2881/portmap
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      3576/beremote
tcp        0      0 0.0.0.0:8019                0.0.0.0:*                   LISTEN      16656/qbmonitord
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3403/sendmail: acce
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:989                 0.0.0.0:*                   LISTEN      2927/rpc.statd
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3240/python
tcp        0      0 :::55338                    :::*                        LISTEN      16621/QBDBMgrN_20
tcp        0      0 :::10000                    :::*                        LISTEN      3576/beremote
tcp        0      0 :::22                       :::*                        LISTEN      3258/sshd
udp        0      0 10.1.0.2:137               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               3537/nmbd
udp        0      0 10.1.0.2:138               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:45012               0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:983                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:986                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2881/portmap
udp        0      0 :::47748                    :::*                                    3638/avahi-daemon:
udp        0      0 :::5353                     :::*                                    3638/avahi-daemon:

Open in new window

0
uknet80
Asked:
uknet80
3 Solutions
 
farzanjCommented:
Try this:

iptables -A INPUT -p tcp --dport SERVER_PORT_NUM -m state --state ESTABLISHED,RELATED -j ACCEPT
0
 
nickswanjanCommented:
When iptables is blocking packets, but you don't know what is being blocked, it helps to log all dropped packets so you can add a rule to allow the desired traffic.

1) Add the logging commands:

iptables -A INPUT -j LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 7
iptables -A LOGDROP -j DROP

2) Attempt to access the server with iptables running.

3) Use the dmesg command to view the results. At the bottom, you will see something like:

[IPTABLES DROP] : IN=eth0 OUT= (followed by address, port and protocol info)

4) Create a rule to allow the dropped traffic.
0
 
arnoldCommented:
you have to make sure that writes are enabled on the share given quickbooks uses a file for a transaction log.

Add an explicit rule, as nickswanjan suggested at the end of your iptables and see which port iptables blocks when you are using quickbooks.
0
 
oppofwarCommented:
Are you sure quicbook runs on tcp port only and doesnt utilize UDP ports

try the below lines and use iptables-save to save the rules

#Quickbook Ports
iptables -I INPUT -p udp -s 0/0 --dport 55333:55347 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 56720 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 8019:8021 -j ACCEPT
0
 
uknet80Author Commented:
thanks to all
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now