Solved

iptables restrict user from accessing server

Posted on 2011-03-06
776 Views
Last Modified: 2013-12-06
Hi all,

I have Samba running on Linux, and an application called QuickBooks. See the ports running on the Linux machine in the code below.

Under iptables I set the following:

#enable samba sharing for Quickbooks
iptables -A INPUT -p UDP -s 0/0 --dport 137 -j okay
iptables -A INPUT -p UDP -s 0/0 --dport 138 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 139 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 445 -j okay

#Quickbook Ports
iptables -A INPUT -p TCP -s 0/0 --dport 55333:55347 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 56720 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 8019:8021 -j okay

Users can access shared files under Samba, but when I connect to QuickBooks using the QuickBooks software, it won't let me until iptables is disabled. I don't know if that is caused by the Samba or the QuickBooks ports; can you help?

Thanks.
[root@server~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3235/hpiod
tcp        0      0 0.0.0.0:10050               0.0.0.0:*                   LISTEN      5964/zabbix_agentd
tcp        0      0 0.0.0.0:55338               0.0.0.0:*                   LISTEN      16621/QBDBMgrN_20
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3362/mysqld
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2881/portmap
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      3576/beremote
tcp        0      0 0.0.0.0:8019                0.0.0.0:*                   LISTEN      16656/qbmonitord
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3403/sendmail: acce
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:989                 0.0.0.0:*                   LISTEN      2927/rpc.statd
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3240/python
tcp        0      0 :::55338                    :::*                        LISTEN      16621/QBDBMgrN_20
tcp        0      0 :::10000                    :::*                        LISTEN      3576/beremote
tcp        0      0 :::22                       :::*                        LISTEN      3258/sshd
udp        0      0 10.1.0.2:137               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               3537/nmbd
udp        0      0 10.1.0.2:138               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:45012               0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:983                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:986                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2881/portmap
udp        0      0 :::47748                    :::*                                    3638/avahi-daemon:
udp        0      0 :::5353                     :::*                                    3638/avahi-daemon:

Question by:uknet80
5 Comments
LVL 31

Expert Comment

by:farzanj
ID: 35046874
Try this:

iptables -A INPUT -p tcp --dport SERVER_PORT_NUM -m state --state ESTABLISHED,RELATED -j ACCEPT
LVL 3

Accepted Solution

by: nickswanjan (earned 167 total points)
ID: 35046934
When iptables is blocking packets, but you don't know what is being blocked, it helps to log all dropped packets so you can add a rule to allow the desired traffic.

1) Add the logging commands:

iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 7
iptables -A LOGDROP -j DROP
# append the jump last, after all ACCEPT rules, so only unmatched traffic is logged
iptables -A INPUT -j LOGDROP

2) Attempt to access the server with iptables running.

3) Use the dmesg command to view the results. At the bottom, you will see something like:

[IPTABLES DROP] : IN=eth0 OUT= (followed by address, port and protocol info)

4) Create a rule to allow the dropped traffic.
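The step from dmesg output to a new rule is easy to get wrong by hand (reading the wrong field, or allowing a source that should never have been talking to the server). The script below is an added example, not code from the thread or from any of the posters: it parses log lines in the format the LOGDROP chain above produces, summarises them per protocol and destination port, and only proposes ACCEPT rules for sources under a trusted prefix you name. The log lines in SAMPLE_LOG are constructed for the demo; the 10.1.0. prefix is an assumption based on the 10.1.0.2 address in the question's netstat output.

```shell
#!/bin/sh
# Added example (not from the thread): turn "[IPTABLES DROP]" kernel log lines
# into a per-port summary, then into candidate ACCEPT rules for trusted sources.
# On a live box: dmesg | summarize_drops      or      dmesg | suggest_rules 10.1.0.

# Constructed sample of what `dmesg` shows with the LOGDROP chain in place.
SAMPLE_LOG='[IPTABLES DROP] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.0.50 DST=10.1.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=49152 DPT=56720 WINDOW=5840 RES=0x00 SYN URGP=0
[IPTABLES DROP] : IN=eth0 OUT= MAC=... SRC=10.1.0.50 DST=10.1.0.2 LEN=60 PROTO=TCP SPT=49153 DPT=56720 SYN URGP=0
[IPTABLES DROP] : IN=eth0 OUT= MAC=... SRC=10.1.0.50 DST=10.1.0.2 LEN=78 PROTO=UDP SPT=55340 DPT=55340 LEN=58
[IPTABLES DROP] : IN=eth0 OUT= MAC=... SRC=192.0.2.9 DST=10.1.0.2 LEN=60 PROTO=TCP SPT=4444 DPT=22 SYN URGP=0'

# summarize_drops: reads log lines on stdin, prints one line per (PROTO, DPT):
#   "PROTO DPT COUNT SRC1,SRC2,..."   sorted, so repeated lines collapse.
summarize_drops() {
    grep -F '[IPTABLES DROP]' | awk '
    {
        proto = ""; dpt = ""; src = ""
        # every field of interest is KEY=VALUE; flags like "DF" or "SYN" have no "="
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        if (proto == "" || dpt == "") next          # e.g. ICMP lines carry no DPT
        key = proto " " dpt
        count[key]++
        if (!((key, src) in seen)) {                # record each source once per port
            seen[key, src] = 1
            srcs[key] = (srcs[key] == "" ? src : srcs[key] "," src)
        }
    }
    END { for (k in count) print k, count[k], srcs[k] }
    ' | sort
}

# suggest_rules TRUSTED_PREFIX: emit an ACCEPT rule per (proto, port, source)
# only for sources under the trusted prefix; anything else is flagged for review
# rather than opened, because a dropped packet is not by itself a reason to allow it.
suggest_rules() {
    prefix="$1"
    summarize_drops | while read -r proto dpt count srcs; do
        lproto=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
        for s in $(printf '%s' "$srcs" | tr ',' ' '); do
            case "$s" in
                "$prefix"*)
                    # -I puts the rule ahead of the trailing "-j LOGDROP" jump
                    printf 'iptables -I INPUT -p %s -s %s --dport %s -j ACCEPT\n' "$lproto" "$s" "$dpt" ;;
                *)
                    printf '# review: %s packet(s) from %s to %s/%s dropped (source outside %s)\n' \
                        "$count" "$s" "$proto" "$dpt" "$prefix" ;;
            esac
        done
    done
}

# Demo on the constructed sample (replace with `dmesg |` on a real host).
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | suggest_rules 10.1.0.
```

With the sample above the summary shows two SYNs to TCP 56720 and one UDP datagram to 55340 from the LAN client, which become two rules, while the probe from 192.0.2.9 to port 22 is only listed for review. Proposed rules should be read before being pasted, and then persisted with iptables-save as oppofwar notes.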
LVL 79

Assisted Solution

by:arnold
arnold earned 167 total points
ID: 35047669
You have to make sure that writes are enabled on the share, given QuickBooks uses a file for a transaction log.

Add an explicit rule, as nickswanjan suggested at the end of your iptables and see which port iptables blocks when you are using quickbooks.
LVL 3

Assisted Solution

by:oppofwar
oppofwar earned 166 total points
ID: 35055455
Are you sure QuickBooks runs on TCP ports only and doesn't utilize UDP ports?

Try the lines below and use iptables-save to save the rules.

#Quickbook Ports
iptables -I INPUT -p udp -s 0/0 --dport 55333:55347 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 56720 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 8019:8021 -j ACCEPT
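Taken together, the answers amount to a complete INPUT chain: a stateful rule first, Samba and QuickBooks opened for both TCP and UDP, and a log-then-drop tail so anything still missing shows up in dmesg. The script below is an added example, not from the thread or from any poster: it generates that ruleset as text so it can be reviewed or diffed against iptables-save before being applied. Unlike the question's rules, which use `-s 0/0`, it restricts every service to a LAN subnet; 10.1.0.0/24 is an assumption derived from the 10.1.0.2 address in the netstat output, and the SSH rule is assumed from sshd listening on port 22 there. Other listeners in that netstat output (3306, 10000, 10050) stay closed unless a rule is added for them.

```shell
#!/bin/sh
# Added example (not from the thread): generate a reviewable INPUT ruleset for a
# Samba + QuickBooks server, restricted to one LAN subnet instead of 0/0.
# Assumption: the LAN is 10.1.0.0/24 (derived from the 10.1.0.2 address above).

LAN=${LAN:-10.1.0.0/24}

# gen_rules SUBNET: print the iptables commands; nothing is applied here.
gen_rules() {
    lan="$1"
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $lan --dport 22 -j ACCEPT
EOF
    # Samba: NetBIOS name/datagram service (UDP 137/138), session (TCP 139), SMB (TCP 445)
    for p in 137 138; do echo "iptables -A INPUT -p udp -s $lan --dport $p -j ACCEPT"; done
    for p in 139 445; do echo "iptables -A INPUT -p tcp -s $lan --dport $p -j ACCEPT"; done
    # QuickBooks: the port ranges from the question, for both TCP and UDP as oppofwar suggests
    for proto in tcp udp; do
        for p in 55333:55347 56720 8019:8021; do
            echo "iptables -A INPUT -p $proto -s $lan --dport $p -j ACCEPT"
        done
    done
    # Log-then-drop tail from nickswanjan's answer; it must come after every ACCEPT
    cat <<EOF
iptables -N LOGDROP 2>/dev/null || iptables -F LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 7
iptables -A LOGDROP -j DROP
iptables -A INPUT -j LOGDROP
EOF
}

# count_accepts SUBNET: quick sanity check on the generated set (13 ACCEPT rules)
count_accepts() { gen_rules "$1" | grep -c -- '-j ACCEPT'; }

# Review the output first; as root, apply with:  gen_rules "$LAN" | sh
# then persist with iptables-save to whatever file your distribution loads at boot.
gen_rules "$LAN"
```

The ESTABLISHED,RELATED rule near the top is what lets reply traffic through without a per-port rule, and placing the LOGDROP jump last means every packet that reaches it has already failed to match an ACCEPT, so each dmesg line is a genuine gap rather than noise.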
Author Closing Comment

by:uknet80
ID: 35120029
Thanks to all.
