Forward Service 3389/7000



fabianmk
07-Aug-2013, 20:56
Hello, my name is Fabian. I'm from Argentina.
I need help with service forwarding on Server Linux Enterprise SP3. My server (firewall) provides internet access to the internal network. I want to enable ports 3389 (ms-wbt-server) and 7000 (afs3-fileserver) so that my internal network can access external servers, but I could not get it to work. Enclosed are my SuSEfirewall2 settings.

Thank you.

Fabian

FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="usb0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="3050 3389 7000"
FW_SERVICES_EXT_UDP="3389 7000"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="samba-client samba-server vnc-server xorg-x11-server"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT="0/0,tcp,3389,3389
0/0,udp,3389,3389
0/0,tcp,7000,7000
0/0,udp,7000,7000"
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT="0/0, 0/0,udp"
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD="192.168.0.0/24,192.168.11.0/24"
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ="0/0,192.168.0.9,tcp,7000
0/0,192.168.0.9,udp,7000
0/0,192.168.0.25,tcp,3389
0/0,192.168.0.25,udp,3389"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="ext"
FW_ZONES=""
FW_USE_IPTABLES_BATCH="no"
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_BOOT_FULL_INIT=""

jmozdzen
07-Aug-2013, 22:05
Hi Fabian,

which are the resulting iptables rules for forwarding? ("iptables -L FORWARD -nv", and if subrules appear in "target" column, repeat for those)

I'm not comfortable with the SUSEfirewall scripts, but can help judge the resulting rule sets ;)

Regards,
Jens

fabianmk
07-Aug-2013, 22:35
Ok ;), thanks.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
6365 309K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec proto 50
301K 22M forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
387K 525M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 forward_dmz all -- usb0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

jmozdzen
07-Aug-2013, 22:53
Hi Fabian,


> Ok ;), thanks.
>
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
> 6365 309K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
> 0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
> 0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec proto 50
> 301K 22M forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
> 387K 525M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 forward_dmz all -- usb0 * 0.0.0.0/0 0.0.0.0/0
> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
> 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

there's nothing in the FORWARD chain WRT ports 3389 & 7000, but you might want to check the highlighted chains (especially forward_int), that's where I'd expect that SUSEfirewall put the rules resulting from your configuration.

I'm looking for entries similar to


10645 20M ACCEPT tcp -- eth1 eth0 192.168.0.0/24 0.0.0.0/0 tcp spts:1024:65535 dpt:3389
which would indicate that TCP traffic incoming on eth1 (your internal interface) port 1024...65535 and heading to any (Internet) host port 3389, leaving via eth0 (your Internet-connected interface) would be permitted.

BTW, I see that you have "usb0" configured as your DMZ device - is that as intended, I've never seen a network device called "usb0" ;)

Something else I noticed:

> FW_SERVICES_EXT_TCP="3050 3389 7000"
This, AFAICT, opens the firewall for *incoming* traffic from the Internet to your firewall system for these "services" - from your description I understood that you wanted to *forward* traffic for 3389/7000 from your internal network(s) to some Internet servers... did I understand that correctly?

Regards,
Jens

jmozdzen
07-Aug-2013, 23:02
Hi Fabian,

> Hello, my name is Fabian. I'm from Argentina.
> I need help with service forwarding on Server Linux Enterprise SP3. My server (firewall) provides internet access to the internal network. I want to enable ports 3389 (ms-wbt-server) and 7000 (afs3-fileserver) so that my internal network can access external servers, but I could not get it to work. Enclosed are my SuSEfirewall2 settings.
>
> Thank you.
>
> Fabian
>
> FW_DEV_EXT="any eth0"
> FW_DEV_INT="eth1"
> FW_DEV_DMZ="usb0"
> [...]
> FW_FORWARD_MASQ="0/0,192.168.0.9,tcp,7000
> 0/0,192.168.0.9,udp,7000
> 0/0,192.168.0.25,tcp,3389
> 0/0,192.168.0.25,udp,3389"
> [...]

looking at /usr/share/doc/packages/SuSEfirewall2/EXAMPLES and some online docs I noticed it said that multiple entries are to be space-delimited... you used new-lines, you might need to escape those by trailing "\".

Regards,
Jens

fabianmk
08-Aug-2013, 12:20
Hi Jens


> there's nothing in the FORWARD chain WRT ports 3389 & 7000, but you might want to check the highlighted chains (especially forward_int), that's where I'd expect that SUSEfirewall put the rules resulting from your configuration.

With this rule, "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.0.25:3389", it works correctly, but I can't implement this rule correctly in SuSEfirewall2.


> which would indicate that TCP traffic incoming on eth1 (your internal interface) port 1024...65535 and heading to any (Internet) host port 3389, leaving via eth0 (your Internet-connected interface) would be permitted.
>
> BTW, I see that you have "usb0" configured as your DMZ device - is that as intended, I've never seen a network device called "usb0"

Yes, this is correct. eth1 is the internal interface and eth0 is the internet interface. usb0 is configured as the DMZ, but it is switched off.



> This, AFAICT, opens the firewall for *incoming* traffic from the Internet to your firewall system for these "services" - from your description I understood that you wanted to *forward* traffic for 3389/7000 from your internal network(s) to some Internet servers... did I understand that correctly?

Yes, this is correct. My remote server runs on a dynamic IP using the DNS service www.no-ip.org. The connection to it uses port 3389 (ms-wbt-server), and port 7000 (afs3-fileserver) is used by the .NET applications of the telephony card service provider.

jmozdzen
08-Aug-2013, 12:36
Hi Fabian,


> Hi Jens
> [...]
> Yes, this is correct. My remote server runs on a dynamic IP using the DNS service www.no-ip.org (http://www.no-ip.org). The connection to it uses port 3389 (ms-wbt-server), and port 7000 (afs3-fileserver) is used by the .NET applications of the telephony card service provider.

so no need to open the incoming ports on the firewall then - the server process listening on 3389/7000 is on the remote server, you only have outgoing sessions?

> "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.0.25:3389"

this looks like "overkill" to me. Address translation already is activated by SuSEfirewall, else you couldn't reach any host at all. I believe that all you need is to permit forwarding of TCP traffic for your destination server through your firewall:

iptables -I FORWARD -i eth1 -o eth0 -p tcp --sport 1024: --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth0 -o eth1 -p tcp --sport 3389 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
Which might happen by adding these "services" in the FW_FORWARD_MASQ, where I believe you have a syntax error.

Regards,
Jens

fabianmk
08-Aug-2013, 12:48
Hi Jens

> it said that multiple entries are to be space-delimited... you used new-lines, you might need to escape those by trailing "\".

These multiple space-delimited entries were generated by the SuSEfirewall2 YaST module. I have replaced the space delimiters with "\", but that does not work.
regards,

Fabian

jmozdzen
08-Aug-2013, 13:08
Hi Fabian,

> Hi Jens
>
>
> These multiple space-delimited entries were generated by the SuSEfirewall2 YaST module. I have replaced the space delimiters with "\", but that does not work.
> regards,
>
> Fabian

if those entries were generated, they better work ;) Too bad, it would have been an easy solution.

Back to the main thread here :)

Regards,
Jens

jmozdzen
08-Aug-2013, 13:10
Hi Fabian,

as it appears to be no syntax problem - what is actually generated into the forward_int chain?

Regards,
Jens

fabianmk
08-Aug-2013, 13:17
Hi Jens

I used these iptables rules to test the connection and they worked correctly, but now I am using SuSEfirewall2 because it is better for security.
Regards.

Jens

fabianmk
08-Aug-2013, 13:22
I have also tried with "|" and it has not worked.

jmozdzen
08-Aug-2013, 13:52
Hi Fabian,

I believe you need to give an overview of your setup... because if the service is *on a remote server*, how can "-j DNAT --to 192.168.0.25:3389" help?

So please indicate
- where is your client running (the initiator of the TCP session)
- where is your server process running (the receiving end of the TCP session)
- your client's network setup (including IP network info)
- clients's connection to the firewall you're trying to configure
- firewall setup (interfaces + their IP addresses, eventually routing table)
- connection from firewall to server
- server network setup

As you can see, you've got me sufficiently confused :[

Regards,
Jens

fabianmk
08-Aug-2013, 15:58
Hi Jens:
I'm sorry for the confusion. My English is not very good.

My network configuration is:

External server: dynamic IP, using the DNS service www.no-ip.org (www.nameserver.no-ip.org)

Internet server / firewall: eth0 external / internet interface (static IP 192.168.11.121/255.255.255.0)
eth1 internal interface (static IP 192.168.0.1/255.255.255.0)

Workstation 192.168.0.9/255.255.255.0, gateway 192.168.0.1: needs port 7000 for the .NET application that connects to the telephony card provider's server
Workstation 192.168.0.25/255.255.255.0, gateway 192.168.0.1: needs port 3389 for remote control of the external server (www.nameserver.no-ip.org)

Thank you for your response.
Regards,
Fabian

KBOYLE
09-Aug-2013, 05:56
fabianmk wrote:

> I need help with Forward Service in Server Linux Enterprise SP3.

In your other post you say:
> Sever Internet / Firewall: eth0 external / internet interface (Static
> IP 192.168.11.121/255.255.255.0)

You say this is your Internet interface but you are using a private IP
address which not valid for the Internet. May I assume your gateway to
the Internet is through another router? If this is so, then that router
is likely providing a NAT function so you would not need to use
masquerading on this server. Besides, to me it doesn't make much sense
to use masquerading to substitute one private IP address for another.

> eth1 internal interface (Static IP
> 192.168.0.1/255.255.255.0)
>
> Workstation: 192.168.0.9/255.255.255.0 Gateway 192.168.0.1 need use
> port 7000 NET Application connection server of provider telephony card
> 192.168.0.25/255.255.255.0 Gateway 192.168.0.1 need
> use port 3389 for Remote Control Server External

Ok, to simplify,
Port 3389 traffic must be directed to 192.168.0.1
Port 7000 traffic must be directed to 192.168.0.25

These packets must be forwarded from the external interface to their
respective hosts on your LAN.

I will comment on your firewall settings...


As Jens already mentioned, this does not seem to be a valid interface:
> FW_DEV_DMZ="usb0"


# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded.
While this setting is correct, you need to make sure FW_FORWARD has the
correct settings.
> FW_ROUTE="yes"


This sets up masquerading but your Internet interface has a private IP
address. All outgoing packets will be assigned 192.168.11.121 instead
of 192.168.0.n. I suspect you don't need this. All these settings
should be set to "".
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="zone:ext"
> FW_MASQ_NETS="0/0"
> FW_NOMASQ_NETS=""


FW_SERVICES_xxx_xxx specified which services you want to allow access
to ON THE FIREWALL. From what you have told us, you don't want to do
that except for possibly 3050. You already said traffic on ports 3389
and 7000 is to be directed to specific hosts on the LAN.
> FW_SERVICES_EXT_TCP="3050 3389 7000"
FW_SERVICES_EXT_TCP=""
> FW_SERVICES_EXT_UDP="3389 7000"
FW_SERVICES_EXT_UDP=""


Do you really want to allow access to these services on your server
FROM THE INTERNET?
> FW_CONFIGURATIONS_EXT="samba-client samba-server vnc-server
> xorg-x11-server"


Here you are saying to allow this traffic to enter your server from the
Ext interface (Internet) but these services aren't running on your
server so this is incorrect.
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,3389,3389
> 0/0,udp,3389,3389
> 0/0,tcp,7000,7000
> 0/0,udp,7000,7000"
FW_SERVICES_ACCEPT_EXT=""


I'm not exactly sure what you are trying to do here. It looks as if you
are allowing EVERYTHING through the external interface to enter the
server. I suspect this should be changed.
> FW_SERVICES_ACCEPT_RELATED_EXT="0/0, 0/0,udp"
FW_SERVICES_ACCEPT_RELATED_EXT=""


FW_FORWARD determines WHAT gets forwarded. The syntax is the same as is
used for FW_FORWARD_MASQ. You are telling the firewall to forward
outgoing (only) traffic but only between two specific networks.
> FW_FORWARD="192.168.0.0/24,192.168.11.0/24"

At the very least, this syntax is incorrect. It must be on one line or
else you have to use a line continuation character: "\"
> FW_FORWARD_MASQ="0/0,192.168.0.9,tcp,7000
> 0/0,192.168.0.9,udp,7000
> 0/0,192.168.0.25,tcp,3389
> 0/0,192.168.0.25,udp,3389"
FW_FORWARD_MASQ=" \
0/0,192.168.0.9,tcp,7000 \
0/0,192.168.0.9,udp,7000 \
0/0,192.168.0.25,tcp,3389 \
0/0,192.168.0.25,udp,3389 \
"
Assuming you don't use masquerading and you want to allow ALL outgoing
traffic, FW_FORWARD should look something like this:
FW_FORWARD=" \
192.168.0.0/24,0/0 \
0/0,192.168.0.9,tcp,7000 \
0/0,192.168.0.9,udp,7000 \
0/0,192.168.0.25,tcp,3389 \
0/0,192.168.0.25,udp,3389 \
"
And FW_FORWARD_MASQ would be FW_FORWARD_MASQ=""

I have not verified your other firewall settings.

Please see /etc/sysconfig/SuSEfirewall2 for a description of what each
setting does.


--
Kevin Boyle - Knowledge Partner
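Added example, not from Kevin, Jens or Fabian and not SuSEfirewall2's own code: a POSIX shell script that takes a FW_FORWARD value in the src_net,dst_net[,protocol[,port]] form discussed above (the first four fields of the syntax described in /etc/sysconfig/SuSEfirewall2; the optional trailing flags field is not handled), rejects the problems raised in this thread (a raw newline inside the value instead of space-separated entries, a non-numeric or out-of-range port, a port given for a protocol that has none) and prints the equivalent plain iptables FORWARD rules as a dry run. The translation is my own reading of what each entry means (one NEW-state ACCEPT per entry plus a single ESTABLISHED,RELATED rule for the replies), not the rules SuSEfirewall2 itself generates, and "0/0" is expanded to "0.0.0.0/0" only so the output matches what iptables -L prints. Nothing here touches the live firewall; the demo value at the end is Kevin's suggested FW_FORWARD written on one line, which is what the backslash-continued form becomes once the sysconfig file is sourced.

```shell
#!/bin/sh
# Added example (not from the thread, not SuSEfirewall2 code): dry-run
# translation of SuSEfirewall2 FW_FORWARD entries into iptables rules.
# Entry syntax handled: src_net,dst_net[,proto[,port]]  (lowercase, no spaces)
# Nothing here calls iptables; the rules are only printed for review.

# Expand the "0/0" shorthand used in the thread to the form iptables -L shows.
sfw2_net() {
    if [ "$1" = "0/0" ]; then echo "0.0.0.0/0"; else echo "$1"; fi
}

# Validate one entry. Prints a reason to stderr and returns 1 if it is bad.
sfw2_check_entry() {
    entry=$1
    case $entry in
        ''|*[!0-9a-z./,:-]*)
            echo "FW_FORWARD: malformed entry '$entry'" >&2; return 1 ;;
    esac
    oldifs=$IFS; IFS=,; set -- $entry; IFS=$oldifs
    if [ $# -lt 2 ] || [ $# -gt 4 ]; then
        echo "FW_FORWARD: expected src,dst[,proto[,port]] in '$entry'" >&2; return 1
    fi
    if [ $# -ge 3 ]; then
        case $3 in
            tcp|udp) ;;
            icmp) if [ $# -eq 4 ]; then
                      echo "FW_FORWARD: icmp takes no port in '$entry'" >&2; return 1
                  fi ;;
            *) echo "FW_FORWARD: unsupported protocol '$3' in '$entry'" >&2; return 1 ;;
        esac
    fi
    if [ $# -eq 4 ]; then
        case $4 in
            ''|*[!0-9]*) echo "FW_FORWARD: bad port '$4' in '$entry'" >&2; return 1 ;;
        esac
        if [ "$4" -gt 65535 ]; then
            echo "FW_FORWARD: port out of range in '$entry'" >&2; return 1
        fi
    fi
    return 0
}

# Print the iptables rule that lets src open new sessions to dst.
# Replies are covered by the ESTABLISHED,RELATED rule that
# sfw2_forward_to_rules emits once, so no second return-traffic rule is needed.
sfw2_entry_to_rule() {
    sfw2_check_entry "$1" || return 1
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    rule="iptables -A FORWARD -s $(sfw2_net "$1") -d $(sfw2_net "$2")"
    if [ $# -ge 3 ]; then rule="$rule -p $3"; fi
    if [ $# -ge 4 ]; then rule="$rule --dport $4"; fi
    echo "$rule -m conntrack --ctstate NEW -j ACCEPT"
}

# Translate a whole FW_FORWARD value. Entries must be space-separated; a value
# containing a raw newline (the layout in the original config) is rejected,
# which is the thread's advice to end continued lines with a backslash.
sfw2_forward_to_rules() {
    nl='
'
    case $1 in
        *"$nl"*) echo "FW_FORWARD: raw newline in value; separate entries with spaces or end lines with \\" >&2; return 1 ;;
    esac
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for entry in $1; do
        sfw2_entry_to_rule "$entry" || return 1
    done
}

# Demo: the FW_FORWARD value suggested in the thread, written on one line.
FW_FORWARD="192.168.0.0/24,0/0 0/0,192.168.0.9,tcp,7000 0/0,192.168.0.9,udp,7000 0/0,192.168.0.25,tcp,3389 0/0,192.168.0.25,udp,3389"
sfw2_forward_to_rules "$FW_FORWARD"
```

Reading the output for the demo value makes the thread's point visible: the first entry (192.168.0.0/24 to anywhere) is the one that lets Fabian's workstations reach external 3389/7000 servers, while the "0/0,192.168.0.x,..." entries accept sessions *initiated from outside* towards those hosts, which is a different (and for this use case unnecessary) exposure.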