Solved

iptables restrict user from accessing server

Posted on 2011-03-06
777 Views
Last Modified: 2013-12-06
Hi all,

I have Samba running on Linux, and an application called QuickBooks. See the ports running on the Linux machine in the netstat output below.

Under iptables I set the following:

#enable samba sharing for Quickbooks
# note: "okay" is not a built-in iptables target; these rules only load if a user-defined
# chain named okay exists (iptables -N okay) and ends in ACCEPT; otherwise use -j ACCEPT
iptables -A INPUT -p UDP -s 0/0 --dport 137 -j okay
iptables -A INPUT -p UDP -s 0/0 --dport 138 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 139 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 445 -j okay

#Quickbook Ports
iptables -A INPUT -p TCP -s 0/0 --dport 55333:55347 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 56720 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 8019:8021 -j okay

Users can access shared files under Samba, but when I connect to QuickBooks using the QuickBooks software, it won't let me until iptables is disabled. I don't know if that is caused by Samba or the QuickBooks ports. Can you help?

Thanks.
[root@server~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3235/hpiod
tcp        0      0 0.0.0.0:10050               0.0.0.0:*                   LISTEN      5964/zabbix_agentd
tcp        0      0 0.0.0.0:55338               0.0.0.0:*                   LISTEN      16621/QBDBMgrN_20
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3362/mysqld
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2881/portmap
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      3576/beremote
tcp        0      0 0.0.0.0:8019                0.0.0.0:*                   LISTEN      16656/qbmonitord
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3403/sendmail: acce
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:989                 0.0.0.0:*                   LISTEN      2927/rpc.statd
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3240/python
tcp        0      0 :::55338                    :::*                        LISTEN      16621/QBDBMgrN_20
tcp        0      0 :::10000                    :::*                        LISTEN      3576/beremote
tcp        0      0 :::22                       :::*                        LISTEN      3258/sshd
udp        0      0 10.1.0.2:137               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               3537/nmbd
udp        0      0 10.1.0.2:138               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:45012               0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:983                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:986                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2881/portmap
udp        0      0 :::47748                    :::*                                    3638/avahi-daemon:
udp        0      0 :::5353                     :::*                                    3638/avahi-daemon:

Question by:uknet80
5 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35046874
Try this:

iptables -A INPUT -p tcp --dport SERVER_PORT_NUM -m state --state ESTABLISHED,RELATED -j ACCEPT
0
 
LVL 3

Accepted Solution

by:
nickswanjan earned 668 total points
ID: 35046934
When iptables is blocking packets, but you don't know what is being blocked, it helps to log all dropped packets so you can add a rule to allow the desired traffic.

1) Add the logging commands:

iptables -N LOGDROP                       # create the user-defined chain before adding rules to it
iptables -A LOGDROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 7
iptables -A LOGDROP -j DROP
iptables -A INPUT -j LOGDROP              # appended last, so only traffic no earlier rule accepted is logged and dropped

2) Attempt to access the server with iptables running.

3) Use the dmesg command to view the results. At the bottom, you will see something like:

[IPTABLES DROP] : IN=eth0 OUT= (followed by address, port and protocol info)

4) Create a rule to allow the dropped traffic.
0
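The four steps above boil down to reading the LOG records back out of dmesg and turning them into allow rules. As an added example (my code, not nickswanjan's or the original poster's), the Python script below parses drop records written with the exact --log-prefix from step 1, counts them per protocol and destination port, cross-references each port against `netstat -tulpn` output to name the listening program, and emits an ACCEPT rule only for services the administrator has listed as intended to be reachable; every other dropped port is reported but stays blocked. The dmesg and netstat lines embedded in it are constructed samples modeled on the question's output, and the WANTED_PROGRAMS set is an assumption.

```python
import re
from collections import Counter

# Prefix written by the LOG rule in step 1 above.
LOG_PREFIX = "[IPTABLES DROP] :"
KV_RE = re.compile(r"(\w+)=(\S*)")
# One `netstat -tulpn` row: proto, recv/send queues, local addr:port, foreign addr,
# optional LISTEN state (absent for udp), then pid/program.
NETSTAT_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)")

# Assumption: these are the only programs the admin intends to expose through the firewall.
WANTED_PROGRAMS = {"QBDBMgrN", "qbmonitord", "smbd", "nmbd"}

# Constructed sample dmesg output (not from the page): four drop records and one unrelated kernel line.
SAMPLE_DMESG = """\
[ 1201.123456] [IPTABLES DROP] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.0.50 DST=10.1.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4321 DF PROTO=TCP SPT=49152 DPT=55338 WINDOW=8192 RES=0x00 SYN URGP=0
[ 1201.234567] [IPTABLES DROP] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.0.50 DST=10.1.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4322 DF PROTO=TCP SPT=49153 DPT=55338 WINDOW=8192 RES=0x00 SYN URGP=0
[ 1202.000001] [IPTABLES DROP] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=10.1.0.50 DST=10.1.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=4323 PROTO=UDP SPT=137 DPT=137 LEN=58
[ 1202.500000] [IPTABLES DROP] : IN=eth0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=10.1.0.77 DST=10.1.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
[ 1203.000000] usb 1-1: new high-speed USB device number 2 using ehci_hcd
"""

# Constructed subset of `netstat -tulpn` output, modeled on the listeners shown in the question.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:55338               0.0.0.0:*                   LISTEN      16621/QBDBMgrN_20
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3362/mysqld
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:8019                0.0.0.0:*                   LISTEN      16656/qbmonitord
tcp        0      0 :::55338                    :::*                        LISTEN      16621/QBDBMgrN_20
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               3537/nmbd
"""


def parse_log_line(line):
    """Return the KEY=VALUE fields of one drop record as a dict, or None for unrelated lines."""
    if LOG_PREFIX not in line:
        return None
    return dict(KV_RE.findall(line.split(LOG_PREFIX, 1)[1]))


def summarize_drops(dmesg_text):
    """Count dropped packets per (protocol, destination port); records without a port (e.g. ICMP) are skipped."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        fields = parse_log_line(line)
        if fields is None or "DPT" not in fields:
            continue
        counts[(fields["PROTO"].lower(), int(fields["DPT"]))] += 1
    return counts


def listeners(netstat_text):
    """Map (protocol, port) to the program listening there, from `netstat -tulpn` output."""
    owners = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto = m.group(1).rstrip("6")           # treat tcp6/udp6 like tcp/udp
            owners[(proto, int(m.group(2)))] = m.group(3).split("/", 1)[-1]
    return owners


def suggest_rules(counts, owners, wanted):
    """One line per dropped (proto, port), most frequent first: an ACCEPT rule if an
    intended program listens on it, otherwise a comment explaining why it stays blocked."""
    lines = []
    for (proto, port), n in sorted(counts.items(), key=lambda kv: -kv[1]):
        owner = owners.get((proto, port))
        if owner and any(w in owner for w in wanted):
            lines.append(f"iptables -I INPUT -p {proto} --dport {port} -j ACCEPT  # {n} drop(s); served by {owner}")
        else:
            lines.append(f"# {n} drop(s) to {proto}/{port} ({owner or 'no local listener'}): not an intended service, keep blocked")
    return lines


if __name__ == "__main__":
    for line in suggest_rules(summarize_drops(SAMPLE_DMESG), listeners(SAMPLE_NETSTAT), WANTED_PROGRAMS):
        print(line)
```

On a live box, feed it real `dmesg` and `netstat -tulpn` output instead of the samples and review each proposed rule before inserting it. `-I INPUT` places the rule ahead of the logging jump appended in step 1, and adding `-s <client network>` to the generated rule keeps the exposure limited to the subnet the QuickBooks clients sit on.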
 
LVL 79

Assisted Solution

by:arnold
arnold earned 668 total points
ID: 35047669
You have to make sure that writes are enabled on the share, given that QuickBooks uses a file for a transaction log.

Add an explicit rule, as nickswanjan suggested, at the end of your iptables rules and see which port iptables blocks when you are using QuickBooks.
0
 
LVL 3

Assisted Solution

by:oppofwar
oppofwar earned 664 total points
ID: 35055455
Are you sure QuickBooks runs on TCP ports only and doesn't utilize UDP ports?

Try the lines below and use iptables-save to save the rules.

#Quickbook Ports
iptables -I INPUT -p udp -s 0/0 --dport 55333:55347 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 56720 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 8019:8021 -j ACCEPT
0
 

Author Closing Comment

by:uknet80
ID: 35120029
Thanks to all.
0
