
Thread: Forward Service 3389/7000


  1. #1

    Forward Service 3389/7000

    Hello, my name's Fabian. I'm from Argentina.
    I need help with forwarding services on Server Linux Enterprise SP3. My server (firewall) provides internet access to the internal network. I want to enable ports 3389 (ms-wbt-server) and 7000 (afs3-fileserver) so that my internal network can access external servers, but I could not get it working. Enclosed are my SuSEfirewall2 settings.

    Thank you.

    Fabian

    FW_DEV_EXT="any eth0"
    FW_DEV_INT="eth1"
    FW_DEV_DMZ="usb0"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="zone:ext"
    FW_MASQ_NETS="0/0"
    FW_NOMASQ_NETS=""
    FW_PROTECT_FROM_INT="no"
    FW_SERVICES_EXT_TCP="3050 3389 7000"
    FW_SERVICES_EXT_UDP="3389 7000"
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_EXT_RPC=""
    FW_CONFIGURATIONS_EXT="samba-client samba-server vnc-server xorg-x11-server"
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_DMZ_RPC=""
    FW_CONFIGURATIONS_DMZ=""
    FW_SERVICES_INT_TCP=""
    FW_SERVICES_INT_UDP=""
    FW_SERVICES_INT_IP=""
    FW_SERVICES_INT_RPC=""
    FW_CONFIGURATIONS_INT=""
    FW_SERVICES_DROP_EXT=""
    FW_SERVICES_DROP_DMZ=""
    FW_SERVICES_DROP_INT=""
    FW_SERVICES_REJECT_EXT=""
    FW_SERVICES_REJECT_DMZ=""
    FW_SERVICES_REJECT_INT=""
    FW_SERVICES_ACCEPT_EXT="0/0,tcp,3389,3389
    0/0,udp,3389,3389
    0/0,tcp,7000,7000
    0/0,udp,7000,7000"
    FW_SERVICES_ACCEPT_DMZ=""
    FW_SERVICES_ACCEPT_INT=""
    FW_SERVICES_ACCEPT_RELATED_EXT="0/0, 0/0,udp"
    FW_SERVICES_ACCEPT_RELATED_DMZ=""
    FW_SERVICES_ACCEPT_RELATED_INT=""
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
    FW_FORWARD="192.168.0.0/24,192.168.11.0/24"
    FW_FORWARD_REJECT=""
    FW_FORWARD_DROP=""
    FW_FORWARD_MASQ="0/0,192.168.0.9,tcp,7000
    0/0,192.168.0.9,udp,7000
    0/0,192.168.0.25,tcp,3389
    0/0,192.168.0.25,udp,3389"
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG_LIMIT=""
    FW_LOG=""
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="yes"
    FW_ALLOW_FW_SOURCEQUENCH=""
    FW_ALLOW_FW_BROADCAST_EXT="no"
    FW_ALLOW_FW_BROADCAST_INT="no"
    FW_ALLOW_FW_BROADCAST_DMZ="no"
    FW_IGNORE_FW_BROADCAST_EXT="yes"
    FW_IGNORE_FW_BROADCAST_INT="no"
    FW_IGNORE_FW_BROADCAST_DMZ="no"
    FW_ALLOW_CLASS_ROUTING=""
    FW_CUSTOMRULES=""
    FW_REJECT=""
    FW_REJECT_INT="no"
    FW_HTB_TUNE_DEV=""
    FW_IPv6=""
    FW_IPv6_REJECT_OUTGOING=""
    FW_IPSEC_TRUST="ext"
    FW_ZONES=""
    FW_USE_IPTABLES_BATCH="no"
    FW_LOAD_MODULES="nf_conntrack_netbios_ns"
    FW_FORWARD_ALWAYS_INOUT_DEV=""
    FW_FORWARD_ALLOW_BRIDGING=""
    FW_BOOT_FULL_INIT=""

  2. Re: Forward Service 3389/7000

    Hi Fabian,

    Which are the resulting iptables rules for forwarding? ("iptables -L FORWARD -nv", and if subrules appear in the "target" column, repeat for those)

    I'm not comfortable with the SUSEfirewall scripts, but I can help judge the resulting rule sets.

    Regards,
    Jens

  3. #3

    Re: Forward Service 3389/7000

    Ok , thank.

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    6365 309K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
    0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec proto 50
    301K 22M forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    387K 525M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
    0 0 forward_dmz all -- usb0 * 0.0.0.0/0 0.0.0.0/0
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

  4. Re: Forward Service 3389/7000

    Hi Fabian,

    Quote Originally Posted by fabianmk:
    Ok , thank.

    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    6365 309K TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir in pol ipsec proto 50
    0 0 forward_ext all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec proto 50
    301K 22M forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0
    387K 525M forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0
    0 0 forward_dmz all -- usb0 * 0.0.0.0/0 0.0.0.0/0
    0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
    there's nothing in the FORWARD chain WRT ports 3389 & 7000, but you might want to check the highlighted chains (especially forward_int), that's where I'd expect that SUSEfirewall put the rules resulting from your configuration.

    I'm looking for entries similar to

    Code:
    10645   20M ACCEPT     tcp  --  eth1 eth0  192.168.0.0/24       0.0.0.0/0        tcp spts:1024:65535 dpt:3389
    which would indicate that TCP traffic incoming on eth1 (your internal interface) port 1024...65535 and heading to any (Internet) host port 3389, leaving via eth0 (your Internet-connected interface) would be permitted.

    BTW, I see that you have "usb0" configured as your DMZ device - is that as intended? I've never seen a network device called "usb0".

    Something else I noticed:
    FW_SERVICES_EXT_TCP="3050 3389 7000"
    This, AFAICT, opens the firewall for *incoming* traffic from the Internet to your firewall system for these "services" - from your description I understood that you wanted to *forward* traffic for 3389/7000 from your internal network(s) to some Internet servers... did I understand that correctly?

    Regards,
    Jens

  5. #5

    Re: Forward Service 3389/7000

    Hi Jens

    Quote Originally Posted by jmozdzen:
    there's nothing in the FORWARD chain WRT ports 3389 & 7000, but you might want to check the highlighted chains (especially forward_int), that's where I'd expect that SUSEfirewall put the rules resulting from your configuration.
    With these rules ("iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.0.25:3389") it works correctly, but I could not implement these rules correctly in SuSEfirewall2.

    Quote Originally Posted by jmozdzen:
    which would indicate that TCP traffic incoming on eth1 (your internal interface) port 1024...65535 and heading to any (Internet) host port 3389, leaving via eth0 (your Internet-connected interface) would be permitted.

    Quote Originally Posted by jmozdzen:
    BTW, I see that you have "usb0" configured as your DMZ device - is that as intended, I've never seen a network device called "usb0"
    Yes, this is correct. eth1 is the internal interface and eth0 is the internet interface. usb0 is configured as DMZ, but it is off.

    Quote Originally Posted by jmozdzen:
    This, AFAICT, opens the firewall for *incoming* traffic from the Internet to your firewall system for these "services" - from your description I understood that you wanted to *forward* traffic for 3389/7000 from your internal network(s) to some Internet servers... did I understand that correctly?
    Yes, this is correct. My remote server runs on a dynamic IP using the DNS service www.no-ip.org, and the connection to it uses port 3389 (ms-wbt-server); port 7000 (afs3-fileserver) I use for the .NET applications of the telephony card service provider.

  6. Re: Forward Service 3389/7000

    Hi Fabian,

    Quote Originally Posted by fabianmk:
    Hi Jens
    [...]
    Yes, this is correct. My remote server runs on a dynamic IP using the DNS service www.no-ip.org, and the connection to it uses port 3389 (ms-wbt-server); port 7000 (afs3-fileserver) I use for the .NET applications of the telephony card service provider.
    so no need to open the incoming ports on the firewall then - the server process listening on 3389/7000 is on the remote server, you only have outgoing sessions?

    > "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.0.25:3389"

    this looks like "overkill" to me. Address translation is already activated by SuSEfirewall, else you couldn't reach any host at all. I believe that all you need is to permit forwarding of TCP traffic for your destination server through your firewall:
    Code:
    iptables -I FORWARD -i eth1 -o eth0 -p tcp --sport 1024: --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -I FORWARD -i eth0 -o eth1 -p tcp --sport 3389 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    Which might happen by adding these "services" in the FW_FORWARD_MASQ, where I believe you have a syntax error.

    Regards,
    Jens
    Last edited by jmozdzen; 08-Aug-2013 at 12:39. Reason: removed malicious colon in second iptables rule
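    The check Jens describes in posts #2 and #4 (walk FORWARD, descend into the sub-chains named in the "target" column, and look for an ACCEPT covering eth1 -> eth0 to port 3389) can be automated. This is an added example, not code from the thread or from SuSEfirewall2; the sample output is the thread's FORWARD chain plus a constructed, hypothetical forward_int chain holding the kind of rule Jens was looking for.

```python
import ipaddress
import re

# Constructed "iptables -L -nv" output: the thread's FORWARD chain plus a hypothetical forward_int.
SAMPLE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6365  309K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
 301K   22M forward_int  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain forward_int (1 references)
 pkts bytes target     prot opt in     out     source               destination
10645   20M ACCEPT     tcp  --  eth1   eth0    192.168.0.0/24       0.0.0.0/0            tcp spts:1024:65535 dpt:3389
"""

def parse_chains(text):
    """{chain: [rule]}; columns are pkts bytes target prot opt in out source dest [matches]."""
    chains, current = {}, None
    for f in (line.split() for line in text.splitlines()):
        if not f or f[0] == "pkts":
            continue
        if f[0] == "Chain":
            current = chains.setdefault(f[1], [])
        else:
            current.append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                            "src": f[7], "extra": " ".join(f[9:])})
    return chains

def dport_matches(extra, dport):
    m = re.search(r"dpts?:(\d+)(?::(\d+))?", extra)
    if not m:
        return True  # rule does not restrict the destination port
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return lo <= dport <= hi

def verdict(chains, chain, in_if, out_if, proto, src, dport):
    """First ACCEPT/DROP/REJECT the flow hits, descending into sub-chains; None = falls to policy."""
    for r in chains.get(chain, []):
        if (r["in"] not in ("*", in_if) or r["out"] not in ("*", out_if)
                or r["proto"] not in ("all", proto) or not dport_matches(r["extra"], dport)
                or ipaddress.ip_address(src) not in ipaddress.ip_network(r["src"])):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        if r["target"] in chains:  # user-defined chain such as forward_int: look inside it
            sub = verdict(chains, r["target"], in_if, out_if, proto, src, dport)
            if sub is not None:
                return sub
    return None  # non-terminal targets (LOG, TCPMSS) and sub-chain fall-through keep walking
```

    Source ports are ignored, which is sufficient for the rule shape Jens asked about; run it against real output by piping "iptables -L -nv" into parse_chains.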

  7. Re: Forward Service 3389/7000

    Hi Fabian,

    as there appears to be no syntax problem - what is actually generated into the forward_int chain?

    Regards,
    Jens

  8. #8

    Re: Forward Service 3389/7000

    Hi Jens

    I used these iptables rules to test the connection and it worked correctly, but now I am using SuSEfirewall because it is better for security.
    Regards.

    Jens

  9. Re: Forward Service 3389/7000

    Hi Fabian,

    I believe you need to give an overview of your setup... because if the service is *on a remote server*, how can "-j DNAT --to 192.168.0.25:3389" help?

    So please indicate
    - where is your client running (the initiator of the TCP session)
    - where is your server process running (the receiving end of the TCP session)
    - your client's network setup (including IP network info)
    - client's connection to the firewall you're trying to configure
    - firewall setup (interfaces + their IP addresses, eventually routing table)
    - connection from firewall to server
    - server network setup

    As you can see, you've got me sufficiently confused :[

    Regards,
    Jens

  10. #10

    Re: Forward Service 3389/7000

    Hi Jens:
    I'm sorry for the confusion. My English is not very good.

    My network configuration is:

    External Server: Dynamic IP use DNS www.no-ip.org (www.nameserver.no-ip.org)

    Internet Server / Firewall: eth0 external / internet interface (static IP 192.168.11.121/255.255.255.0)
    eth1 internal interface (static IP 192.168.0.1/255.255.255.0)

    Workstation 192.168.0.9/255.255.255.0, gateway 192.168.0.1: needs to use port 7000 for the .NET application that connects to the telephony card provider's server
    Workstation 192.168.0.25/255.255.255.0, gateway 192.168.0.1: needs to use port 3389 for remote control of the external server (www.nameserver.no-ip.org)

    Thank you for your response.
    Regards,
    Fabian
