PDA

View Full Version : IPtables rule for RDP connection



ecanmaster
08-Jun-2015, 16:37
I have create these 2 rules to allow remote desktop connection to one of the windows 2008 server.
I checked on the local network if RDP is working and I also checked if on my laptop the firewall is turned off.
On the server 2008 I verified if port 3389 is used (just in case),
I can connect with RDP to this server when I am on the same subnet, but when using a vpn connection, I am not able to connect with rdp,
I can ping the server, but RDP is not working

here are the rules I used:

iptables -A FORWARD -j ACCEPT -p tcp --dport 3389
iptables -t nat -D PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.201.15

jmozdzen
09-Jun-2015, 13:59
Hi ecanmaster,

> I have create these 2 rules to allow remote desktop connection to one of the windows 2008 server.

where (what server) were these rules added? On a Linux box that acts as a router?

> I can connect with RDP to this server when I am on the same subnet, but when using a vpn connection, I am not able to connect with rdp,
> I can ping the server, but RDP is not working

The above server with the iptables rules - is that a VPN terminator? In other words, is your setup as follows?

A: laptop (local subnet) RDP server
B: laptop (some VPN) VPN terminator (local subnet) RDP server

A works, B doesn't, correct?

> I can ping the server, but RDP is not working

If pinging the server from the VPN client works (I assume no other NAT rules apply) and you hence can reach the RDP server, why have you added the DNAT?

> iptables -A FORWARD -j ACCEPT -p tcp --dport 3389

that rule will allow traffic *to* the RDP server cross the VPN terminator - what about the traffic *from* the RDP server?



# iptables -A FORWARD -p tcp --dport 3389 -d 192.168.201.15 -j ACCEPT
# iptables -A FORWARD -p tcp --sport 3389 -s 192.168.201.15 -j ACCEPT


(I left out conntrack for simplicity' sake)

Regards,
Jens

ecanmaster
10-Jun-2015, 09:00
The server is an SLES 11, which also acts as openvpn server
we use this server to create the vpn connection
I connect to this server with openvpn and use putty to login to the servers


> I can connect with RDP to this server when I am on the same subnet, but when using a vpn connection, I am not able to connect with rdp,
> I can ping the server, but RDP is not working

The above server with the iptables rules - is that a VPN terminator? In other words, is your setup as follows?

A: laptop (local subnet) RDP server
B: laptop (some VPN) VPN terminator (local subnet) RDP server

A works, B doesn't, correct?

Correct A works, but B doesnt ( I tried the A solution so I would be sure the RDP is working)

> I can ping the server, but RDP is not working

If pinging the server from the VPN client works (I assume no other NAT rules apply) and you hence can reach the RDP server, why have you added the DNAT?

I am not sure if I understand your question, but let me explain:
When connecting to this server, I use a VPN connection.
Once I have the vpn connection, I can ping the server, create a putty session without any issue's.
The RDP connection to this server is just not working.
I am not sure about the DNAT, I have seen similiar rules with DNAT and thought it should be used, but I am not sure if this is correct.

I have also a backdoor where I can directly connect to a different server which is on the same subnet.
On this server I can check to see if RDP is working anyway, but please forget this part (otherwise it will be a bit confusing)
This was just for testing purposes and I needed to know if RDP was setup correctly in the first place, before troubleshooting the whole issue.


> iptables -A FORWARD -j ACCEPT -p tcp --dport 3389

that rule will allow traffic *to* the RDP server cross the VPN terminator - what about the traffic *from* the RDP server?



# iptables -A FORWARD -p tcp --dport 3389 -d 192.168.201.15 -j ACCEPT
# iptables -A FORWARD -p tcp --sport 3389 -s 192.168.201.15 -j ACCEPT


(I left out conntrack for simplicity' sake)

What you are saying sounds logical and I just tried this rule set, but it's not working.
Do I need to remove the other rule first in order for this to work?
Should I give you more information regarding the current iptable setup?

Anyway, I do realize that I need learn to learn how to setup the iptables, but that is on the long term.
Thx Jens

Regards,
Jens[/QUOTE]

jmozdzen
12-Jun-2015, 15:21
Hi ecanmaster,


The server is an SLES 11, which also acts as openvpn server
we use this server to create the vpn connection
I connect to this server with openvpn and use putty to login to the servers


> I can connect with RDP to this server when I am on the same subnet, but when using a vpn connection, I am not able to connect with rdp,
> I can ping the server, but RDP is not working

The above server with the iptables rules - is that a VPN terminator? In other words, is your setup as follows?

A: laptop (local subnet) RDP server
B: laptop (some VPN) VPN terminator (local subnet) RDP server

A works, B doesn't, correct?

Correct A works, but B doesnt ( I tried the A solution so I would be sure the RDP is working)

> I can ping the server, but RDP is not working

If pinging the server from the VPN client works (I assume no other NAT rules apply) and you hence can reach the RDP server, why have you added the DNAT?

I am not sure if I understand your question, but let me explain:
When connecting to this server, I use a VPN connection.
Once I have the vpn connection, I can ping the server, create a putty session without any issue's.
The RDP connection to this server is just not working.
I am not sure about the DNAT, I have seen similiar rules with DNAT and thought it should be used, but I am not sure if this is correct.you ought to get familiar with the basics of what you're doing here, quickly. Setting wrong / bad rules can severely wreck your server connectivity :D

NAT is "network address translation" and the statement you entered means "re-write the destination address of any packet, crossing this server and heading for port 3389, to 192.168.201.15". You would do this if the sender of the packet cannot originally use the proper destination address... bu since you can ping the server etc, you *can* use the address already when sending out the packets from your client, so no need to re-write the target address.



> iptables -A FORWARD -j ACCEPT -p tcp --dport 3389

that rule will allow traffic *to* the RDP server cross the VPN terminator - what about the traffic *from* the RDP server?



# iptables -A FORWARD -p tcp --dport 3389 -d 192.168.201.15 -j ACCEPT
# iptables -A FORWARD -p tcp --sport 3389 -s 192.168.201.15 -j ACCEPT


(I left out conntrack for simplicity' sake)

What you are saying sounds logical and I just tried this rule set, but it's not working.
Do I need to remove the other rule first in order for this to work?
Should I give you more information regarding the current iptable setup?
No, you need to figure out where the packets are flowing and why they're not reaching their target.

As you can ping the server from your client via the VPN tunnel, the RDP server seems to know how to send back the return packets to your VPN terminator. I suggest to run "tcpdump" on the LAN interface of the VPN terminator box to determine if the client's packets properly leave your VPN terminator (in direction to the RDP server) and if return packets are received (coming from the RDP server, targeted at the client). Follow the white rabbit... which masks as "TCP packets" in this movie ;)


Anyway, I do realize that I need learn to learn how to setup the iptables, but that is on the long term.
Well, getting the iptables basics straight is something you should learn truly short-term, to be able to set up and diagnose your installation...

BTW: How's your TCP/IP background, you'll need some fundamentals to hunt this problem down.

Regards,
Jens