Solved

iptables restrict user from accessing server

Posted on 2011-03-06
5
757 Views
Last Modified: 2013-12-06
Hi all,

i have samba running on linux, and application called quickbooks.see the ports running on linux machine under codes.

under iptables i set following:

#enable samba sharing for Quickbooks
iptables -A INPUT -p UDP -s 0/0 --dport 137 -j okay
iptables -A INPUT -p UDP -s 0/0 --dport 138 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 139 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 445 -j okay

#Quickbook Ports
iptables -A INPUT -p TCP -s 0/0 --dport 55333:55347 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 56720 -j okay
iptables -A INPUT -p TCP -s 0/0 --dport 8019:8021 -j okay

user can access share files under under samba, but when i connect to quickbooks using quickbooks software, it wan't let me untill iptables disabled, i don't know if that is caused by samba or quickbooks port can you help?

thanks
[root@server~]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      3235/hpiod
tcp        0      0 0.0.0.0:10050               0.0.0.0:*                   LISTEN      5964/zabbix_agentd
tcp        0      0 0.0.0.0:55338               0.0.0.0:*                   LISTEN      16621/QBDBMgrN_20
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      3362/mysqld
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2881/portmap
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      3576/beremote
tcp        0      0 0.0.0.0:8019                0.0.0.0:*                   LISTEN      16656/qbmonitord
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      3403/sendmail: acce
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      3534/smbd
tcp        0      0 0.0.0.0:989                 0.0.0.0:*                   LISTEN      2927/rpc.statd
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      3240/python
tcp        0      0 :::55338                    :::*                        LISTEN      16621/QBDBMgrN_20
tcp        0      0 :::10000                    :::*                        LISTEN      3576/beremote
tcp        0      0 :::22                       :::*                        LISTEN      3258/sshd
udp        0      0 10.1.0.2:137               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               3537/nmbd
udp        0      0 10.1.0.2:138               0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               3537/nmbd
udp        0      0 0.0.0.0:45012               0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:983                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:986                 0.0.0.0:*                               2927/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               3638/avahi-daemon:
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2881/portmap
udp        0      0 :::47748                    :::*                                    3638/avahi-daemon:
udp        0      0 :::5353                     :::*                                    3638/avahi-daemon:

Open in new window

0
Comment
Question by:uknet80
5 Comments
 
LVL 31

Expert Comment

by:farzanj
ID: 35046874
Try this:

iptables -A INPUT -p tcp --dport SERVER_PORT_NUM -m state --state ESTABLISHED,RELATED -j ACCEPT
0
 
LVL 3

Accepted Solution

by:
nickswanjan earned 167 total points
ID: 35046934
When iptables is blocking packets, but you don't know what is being blocked, it helps to log all dropped packets so you can add a rule to allow the desired traffic.

1) Add the logging commands:

iptables -A INPUT -j LOGDROP
iptables -A LOGDROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-level 7
iptables -A LOGDROP -j DROP

2) Attempt to access the server with iptables running.

3) Use the dmesg command to view the results. At the bottom, you will see something like:

[IPTABLES DROP] : IN=eth0 OUT= (followed by address, port and protocol info)

4) Create a rule to allow the dropped traffic.
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 167 total points
ID: 35047669
you have to make sure that writes are enabled on the share given quickbooks uses a file for a transaction log.

Add an explicit rule, as nickswanjan suggested at the end of your iptables and see which port iptables blocks when you are using quickbooks.
0
 
LVL 3

Assisted Solution

by:oppofwar
oppofwar earned 166 total points
ID: 35055455
Are you sure quicbook runs on tcp port only and doesnt utilize UDP ports

try the below lines and use iptables-save to save the rules

#Quickbook Ports
iptables -I INPUT -p udp -s 0/0 --dport 55333:55347 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 56720 -j ACCEPT
iptables -I INPUT -p udp -s 0/0 --dport 8019:8021 -j ACCEPT
0
 

Author Closing Comment

by:uknet80
ID: 35120029
thanks to all
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now