* RDP and iptables ruleset
From: James Bowling @ 2004-12-08 18:06 UTC (permalink / raw)
To: netfilter
I seem to be having some issues with iptables 1.2.11 and getting RDP to
be allowed through. My windows box is NAT'd behind my Gentoo 2004.3
box. Here are my NAT tables:
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp
dpt:3389 to:10.0.1.2:3389
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT tcp -- anywhere anywhere tcp
dpt:3389 to:10.0.1.2:3389
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Here are my iptables rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT udp -- anywhere anywhere udp
dpt:bootps reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp
dpt:domain reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp
dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp
dpt:8245
DROP tcp -- anywhere anywhere tcp
dpts:0:1023
DROP udp -- anywhere anywhere udp
dpts:0:1023
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere 10.0.1.0/24
ACCEPT all -- 10.0.1.0/24 anywhere
ACCEPT all -- anywhere 10.0.1.0/24
ACCEPT all -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This is just a very basic rule set as you can see. What happens is when
I connect with RDP it goes through to the login and then after
authentication it just sits there and eventually times out. Any ideas
on what is going on? Any help would be appreciated.
Regards,
James Bowling
* Re: RDP and iptables ruleset
From: Jason Opperisano @ 2004-12-08 23:05 UTC (permalink / raw)
To: netfilter
On Wed, 2004-12-08 at 13:06, James Bowling wrote:
> I seem to be having some issues with iptables 1.2.11 and getting RDP to
> be allowed through. My windows box is NAT'd behind my Gentoo 2004.3
> box. Here are my NAT tables:
>
> # iptables -t nat -L
ugh--post your rules with "-v" as well so we can see interfaces and
other options (iptables -t nat -vnxL)...
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DNAT tcp -- anywhere anywhere tcp
> dpt:3389 to:10.0.1.2:3389
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> SNAT tcp -- anywhere anywhere tcp
> dpt:3389 to:10.0.1.2:3389
get rid of that rule.
> MASQUERADE all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
>
> Here are my iptables rules:
>
> # iptables -L
ditto: iptables -vnxL
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
all rules after that do nothing, and no other rules will be matched
(unless there's some magic interface specified there; but we don't know,
now do we?)
> REJECT udp -- anywhere anywhere udp
> dpt:bootps reject-with icmp-port-unreachable
> REJECT udp -- anywhere anywhere udp
> dpt:domain reject-with icmp-port-unreachable
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
>
> ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
>
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:ftp-data
> ACCEPT tcp -- anywhere anywhere tcp
> dpt:8245
> DROP tcp -- anywhere anywhere tcp
> dpts:0:1023
> DROP udp -- anywhere anywhere udp
> dpts:0:1023
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> DROP all -- anywhere 10.0.1.0/24
something tells me that could be the problem...unless there's an
interface specified there that we can't see...
> ACCEPT all -- 10.0.1.0/24 anywhere
> ACCEPT all -- anywhere 10.0.1.0/24
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> This is just a very basic rule set as you can see.
it appears to be a completely useless ruleset, actually. flush all that
stuff [*] out and start fresh with:
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 3389 -j DNAT \
--to-destination 10.0.1.2
iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE
and see what happens.
-j
[*] for t in mangle nat filter; do
iptables -t $t -F
iptables -t $t -X
iptables -t $t -Z
done
for c in INPUT FORWARD OUTPUT; do
iptables -P $c ACCEPT
done
--
"It takes two to lie. One to lie and one to listen."
--The Simpsons
* Re: RDP and iptables ruleset
From: Rudi Starcevic @ 2004-12-09 22:27 UTC (permalink / raw)
To: netfilter
Hi James,
I set up RDP port-forwarding for the first time myself earlier this week.
I'm using Debian 3 and Win 2003.
These rules work well for me with a default policy of Accept ( which
I'll update shortly ):
##### start NAT routing #####
$IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# forward remote desktop media_server_1
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -s xxx.xxx.xxx.xxx -j DNAT --to 192.168.0.10:3389
# ENABLE FORWARDING / NAT / MASQUERADING
echo "1" > /proc/sys/net/ipv4/ip_forward
Hope this helps.
Kind regards,
Rudi.
James Bowling wrote:
>I seem to be having some issues with iptables 1.2.11 and getting RDP to
>be allowed through. My windows box is NAT'd behind my Gentoo 2004.3
>box. Here are my NAT tables:
>
># iptables -t nat -L
>Chain PREROUTING (policy ACCEPT)
>target prot opt source destination
>DNAT tcp -- anywhere anywhere tcp
>dpt:3389 to:10.0.1.2:3389
>
>Chain POSTROUTING (policy ACCEPT)
>target prot opt source destination
>SNAT tcp -- anywhere anywhere tcp
>dpt:3389 to:10.0.1.2:3389
>MASQUERADE all -- anywhere anywhere
>
>Chain OUTPUT (policy ACCEPT)
>target prot opt source destination
>
>
>Here are my iptables rules:
>
># iptables -L
>Chain INPUT (policy ACCEPT)
>target prot opt source destination
>ACCEPT all -- anywhere anywhere
>REJECT udp -- anywhere anywhere udp
>dpt:bootps reject-with icmp-port-unreachable
>REJECT udp -- anywhere anywhere udp
>dpt:domain reject-with icmp-port-unreachable
>ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
>
>ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
>
>ACCEPT tcp -- anywhere anywhere tcp
>dpt:ftp-data
>ACCEPT tcp -- anywhere anywhere tcp
>dpt:8245
>DROP tcp -- anywhere anywhere tcp
>dpts:0:1023
>DROP udp -- anywhere anywhere udp
>dpts:0:1023
>
>Chain FORWARD (policy ACCEPT)
>target prot opt source destination
>DROP all -- anywhere 10.0.1.0/24
>ACCEPT all -- 10.0.1.0/24 anywhere
>ACCEPT all -- anywhere 10.0.1.0/24
>ACCEPT all -- anywhere anywhere state
>RELATED,ESTABLISHED
>ACCEPT all -- anywhere anywhere
>
>Chain OUTPUT (policy ACCEPT)
>target prot opt source destination
>
>This is just a very basic rule set as you can see. What happens is when
>I connect with RDP it goes through to the login and then after
>authentication it just sits there and eventually times out. Any ideas
>on what is going on? Any help would be appreciated.
>
>
>Regards,
>James Bowling
>
>
>
>
>
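The following script is an added example, not code from either reply: it combines Jason's flush-and-restart recipe (DNAT on the external interface plus MASQUERADE) with Rudi's source-restricted DNAT and ip_forward, and adds FORWARD rules so that, unlike the original ruleset, only the forwarded RDP flow, LAN-originated traffic and their replies are routed. EXT_IF, RDP_HOST, LAN_NET and ADMIN_NET are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not code from either reply. Builds the ruleset the replies
# describe (flush, default policies, DNAT on the external interface, MASQUERADE,
# ip_forward) and adds FORWARD rules so only the forwarded RDP flow, LAN-originated
# traffic and their replies cross the box. All values below are assumed.
EXT_IF="${EXT_IF:-eth0}"                  # interface facing the Internet
RDP_HOST="${RDP_HOST:-10.0.1.2}"          # Windows box receiving RDP
LAN_NET="${LAN_NET:-10.0.1.0/24}"         # internal network behind the NAT
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"  # constructed: only source allowed to reach RDP
IPT="${IPT:-iptables}"

# Print the commands one per line, in the order they must be applied.
rdp_rules() {
    # Start clean (the [*] flush from the first reply).
    for t in mangle nat filter; do
        printf '%s -t %s -F\n%s -t %s -X\n%s -t %s -Z\n' "$IPT" "$t" "$IPT" "$t" "$IPT" "$t"
    done
    # Nothing is forwarded unless a rule below allows it.
    printf '%s -P INPUT ACCEPT\n%s -P OUTPUT ACCEPT\n%s -P FORWARD DROP\n' "$IPT" "$IPT" "$IPT"
    # Rewrite inbound RDP from the admin network to the Windows box.
    printf '%s -t nat -A PREROUTING -i %s -s %s -p tcp --dport 3389 -j DNAT --to-destination %s:3389\n' \
        "$IPT" "$EXT_IF" "$ADMIN_NET" "$RDP_HOST"
    # Replies first, then the single new inbound flow, then LAN-originated traffic.
    printf '%s -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$IPT"
    printf '%s -A FORWARD -i %s -d %s -p tcp --dport 3389 -m state --state NEW -j ACCEPT\n' \
        "$IPT" "$EXT_IF" "$RDP_HOST"
    printf '%s -A FORWARD -s %s -o %s -j ACCEPT\n' "$IPT" "$LAN_NET" "$EXT_IF"
    # Hide the LAN behind the external address and turn on routing.
    printf '%s -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$IPT" "$EXT_IF"
    printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n'
}

# apply_rules dry   -> print the commands (no root needed)
# apply_rules apply -> execute them (needs root and iptables)
apply_rules() {
    mode="${1:-dry}"
    rdp_rules | while IFS= read -r cmd; do
        if [ "$mode" = dry ]; then printf '%s\n' "$cmd"; else eval "$cmd" || return 1; fi
    done
}

# Dry run unless explicitly asked to apply, so the rules can be reviewed first.
apply_rules "${1:-dry}"
```

Run `sh rdp-forward.sh` to review the generated commands and `sh rdp-forward.sh apply` as root to install them.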