netfilter.vger.kernel.org archive mirror
* help with --helper sane
@ 2012-12-09 20:14 Mike Wright
  2012-12-09 21:18 ` Andrew Beverley
  0 siblings, 1 reply; 2+ messages in thread
From: Mike Wright @ 2012-12-09 20:14 UTC
  To: netfilter list

Hi all,

I'm trying to make a usb scanner network available using "saned".  The 
machines involved are both running "saned -a".  It works well until I 
turn on iptables on the machine with the scanner.

If I enable firewalling with port 6566 open the scanner initializes but 
never proceeds beyond that point.

I tried these:

-A INPUT -p tcp -m tcp --dport 6566 -m conntrack --ctstate NEW -m helper --helper "sane" -j ACCEPT
-A INPUT -p udp -m udp --dport 6566 -m conntrack --ctstate NEW -m helper --helper "sane" -j ACCEPT

but that results in "no scanners found".

Using CUPS as an example I did this on both sides and didn't have any 
luck that way either.

Sorry if I can't better describe this.  I've never used a scanner over 
the net before and netfilter's helpers are new to me.  Google finds many 
references to iptables and sane, but only in the context of sanity, 
which I am quickly losing ;D

Any helpers?

TIA,
Mike Wright


* Re: help with --helper sane
  2012-12-09 20:14 help with --helper sane Mike Wright
@ 2012-12-09 21:18 ` Andrew Beverley
  0 siblings, 0 replies; 2+ messages in thread
From: Andrew Beverley @ 2012-12-09 21:18 UTC
  To: Mike Wright; +Cc: netfilter list

On Sun, 2012-12-09 at 12:14 -0800, Mike Wright wrote:
> Hi all,
> 
> I'm trying to make a usb scanner network available using "saned".  The 
> machines involved are both running "saned -a".  It works well until I 
> turn on iptables on the machine with the scanner.
> 
> If I enable firewalling with port 6566 open the scanner initializes but 
> never proceeds beyond that point.
> 
> I tried these:
> 
> -A INPUT -p tcp -m tcp --dport 6566 -m conntrack --ctstate NEW -m helper --helper "sane" -j ACCEPT
> -A INPUT -p udp -m udp --dport 6566 -m conntrack --ctstate NEW -m helper --helper "sane" -j ACCEPT

That's only accepting the packet that initiates the connection. You'll
need to allow subsequent related packets as well. Something like:

-A INPUT -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT

I don't know the "sane" protocol, so you might need to add RELATED as
well. You'll also need to make sure that you're allowing the packets to
return out as well (OUTPUT).

Also, I consider the dport *and* helper match a bit of an overkill. I
would just use the dport match, at least until it's working.
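
An added example, not part of the thread and not written by either poster: a small Python model of first-match rule evaluation that replays one scan against the posted rules and the suggested ones, and reports the first packet each ruleset drops. It assumes the nf_conntrack_sane helper is attached to the control connection (so the data connection on its dynamic port arrives as RELATED), models `-m helper` as matching only connections that a helper expected, and uses a constructed packet trace with 40123 as a stand-in data port.

```python
from collections import namedtuple

# One packet as the INPUT chain on the scanner host sees it. `helper` names the
# conntrack helper that expected this connection (None for the control channel).
Pkt = namedtuple("Pkt", "label proto dport ctstate helper")

# Constructed trace of one scan; 40123 is a stand-in for the dynamic data port.
SCAN = [
    Pkt("control SYN",  "tcp", 6566,  "NEW",         None),
    Pkt("control data", "tcp", 6566,  "ESTABLISHED", None),
    Pkt("data SYN",     "tcp", 40123, "RELATED",     "sane"),
    Pkt("data payload", "tcp", 40123, "ESTABLISHED", "sane"),
]

def matches(rule, pkt):
    """A rule is a dict of match criteria; an absent key matches anything."""
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    if "ctstate" in rule and pkt.ctstate not in rule["ctstate"]:
        return False
    if "helper" in rule and rule["helper"] != pkt.helper:
        return False
    return True

def first_drop(ruleset, trace=SCAN):
    """Label of the first packet no ACCEPT rule matches (policy DROP), or None."""
    for pkt in trace:
        if not any(matches(rule, pkt) for rule in ruleset):
            return pkt.label
    return None

# The two rules from the first message.
POSTED = [
    {"proto": "tcp", "dport": 6566, "ctstate": {"NEW"}, "helper": "sane"},
    {"proto": "udp", "dport": 6566, "ctstate": {"NEW"}, "helper": "sane"},
]
# Port 6566 accepted in every state and nothing else (assumed reading of "port 6566 open").
PORT_ONLY = [{"proto": "tcp", "dport": 6566}]
# The reply's suggestion: plain dport match for NEW, plus ESTABLISHED.
ESTABLISHED_ONLY = [{"proto": "tcp", "dport": 6566, "ctstate": {"NEW"}},
                    {"proto": "tcp", "ctstate": {"ESTABLISHED"}}]
# The same with RELATED added, as the reply says may be needed.
WITH_RELATED = [{"proto": "tcp", "dport": 6566, "ctstate": {"NEW"}},
                {"proto": "tcp", "ctstate": {"ESTABLISHED", "RELATED"}}]

if __name__ == "__main__":
    for name in ("POSTED", "PORT_ONLY", "ESTABLISHED_ONLY", "WITH_RELATED"):
        print(f"{name:17} first drop: {first_drop(globals()[name])}")
```

In this model the posted rules drop the very first control packet, while the port-only and ESTABLISHED-only rulesets let the control channel through and lose the data connection.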


