Very Computer

Hi
        I just upgraded my desktop machine at home (DHCP server + BIND server +
CUPS server+ IP Masquerade) to RH 9 from RH 7.3.

        I am trying to open the port 631/udp for IPP access from my laptop so that
I can share my printer. Obviously, I have a firewall running (High on RH
default installation) + some rules to enable ssh, etc forwarding.

        Attempts like :

        /sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.0.2 --destination-port
631 -j ACCEPT, etc.
        have failed as nmap does not reveal 631/udp as being open (can't browse to
myserver:631 either).

        Suggestions anyone ?

Thanks,

MS

Hi
        I just upgraded my desktop machine at home (DHCP server + BIND
server + CUPS server+ IP Masquerade) to RH 9 from RH 7.3.

        I am trying to open the port 631/udp for IPP access from my laptop
so that I can share my printer. Obviously, I have a firewall running (High
on RH default installation) + some rules to enable ssh, etc forwarding.

        Attempts like :

        /sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.0.2
--destination-port 631 -j ACCEPT, etc.
        have failed as nmap does not reveal 631/udp as being open (can't
browse to myserver:631 either).

        I am also trying to open port 3306 for Mysql access via apache webserver on
the server machine. Should be the same solution for this problem as well.

        Suggestions anyone ?

Thanks,

MS

Quote:>        I just upgraded my desktop machine at home (DHCP server + BIND
>server + CUPS server+ IP Masquerade) to RH 9 from RH 7.3.

>        I am trying to open the port 631/udp for IPP access from my laptop
>so that I can share my printer. Obviously, I have a firewall running (High
>on RH default installation) + some rules to enable ssh, etc forwarding.

>        Attempts like :

>        /sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.0.2
>--destination-port 631 -j ACCEPT, etc.
>        have failed as nmap does not reveal 631/udp as being open (can't
>browse to myserver:631 either).

>        I am also trying to open port 3306 for Mysql access via apache webserver on
>the server machine. Should be the same solution for this problem as well.

I am not an expert on this but... In my system, ipp is set to run on the
port(default i guess) 631 with proto ucp not udp(prob a typo i guess)
Maybe you have to have to '-p all' there?

And you have to ensure that ur cups-lpd listening on these ports. Which
can be started as service via /sbin/chkconfig.

-V (-:^:-)
--
Remove NOSPAM in the email to reply

forth in comp.os.linux.misc

Quote:

> I am not an expert on this but... In my system, ipp is set to run on the
> port(default i guess) 631 with proto ucp not udp(prob a typo i guess)
> Maybe you have to have to '-p all' there?

Tried -p all. Does not work. Btw, man iptables does not reveal any protocol
named ucp. Just udp and tcp.

Quote:> And you have to ensure that ur cups-lpd listening on these ports. Which
> can be started as service via /sbin/chkconfig.

Running cups-lpd is not necessary if your client supports ipp. At least that
is what the documentation says.

Yes. Thats rite, maybe -p all is the rite one for you.

Quote:>> And you have to ensure that ur cups-lpd listening on these ports. Which
>> can be started as service via /sbin/chkconfig.

>Running cups-lpd is not necessary if your client supports ipp. At least that
>is what the documentation says.

But there should be some daemon listening in port 631 rite? Which daemon
do you run?

forth in comp.os.linux.misc

Quote:

> But there should be some daemon listening in port 631 rite? Which daemon
> do you run?

cups. Running a daemon is not much use if the port is closed by a firewall.

Yah thats rite. Do you have Lokkit automatically create firewall for
you, if that is the case find out the input chain it uses and add the
following.

iptables -L should list all the rules.

iptables -A RH-Lokkit-0-50-INPUT -i eth0 -p udp -s 192.168.0.2
--destination-port 631 -j ACCEPT

The input rule you have given seems to be rite, but my guess is that it
gets overwritten by the other rules.

You may also want to try the insert option,

iptables -I RH-Lokkit-0-50-INPUT 1 -i eth0 -p udp -s 192.168.0.2
--destination-port 631 -j ACCEPT

This one inserts the rule at position 1.

FYI, when I ran started the daemon cups, it opened(not to internet) a
port with tcp proto. Anyway, not sure this is of any help.

-V (-:^:-)
--
Remove NOSPAM in the email to reply

[If anyone has any 'issues' with me, they can email me, instead of
resorting to allusions. Thanks]

http://www.icon.co.za/~psheer/book/index.html.gz

Sorry, I didnt mean to add the following in the script. Thats just to
list the rules.

forth in comp.os.linux.misc

Quote:> Yah thats rite. Do you have Lokkit automatically create firewall for
> you, if that is the case find out the input chain it uses and add the
> following.

> iptables -L should list all the rules.

I have my rules written in a separate script :

IPTABLES=/sbin/iptables
INSMOD=/sbin/insmod

EXTIF="ppp0"
INTIF="eth0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

LANRANGE="192.168.0.1/24"
TARGETIP="192.168.0.2"
TARGETHTTPPORT="80"
TARGETSSHPORT="22"
TARGETSFTPPORT="115"
TARGETNNTPPORT="119"
TARGETIMAPPORT="143"
TARGETSMTPPORT="25"
TARGETFTPPORT="21"
TARGETTELNETPORT="23"

REJECTPORTS="113"

/sbin/depmod -a

$INSMOD ip_tables

$INSMOD ip_conntrack

$INSMOD ip_conntrack_ftp

$INSMOD ip_conntrack_irc

$INSMOD iptable_nat

$INSMOD ip_nat_ftp

$INSMOD ipt_MASQUERADE

$IPTABLES -F
$IPTABLES -t nat -F

$IPTABLES -t nat -A POSTROUTING -d ! $LANRANGE -j MASQUERADE

$IPTABLES -A FORWARD -s $LANRANGE -j ACCEPT
$IPTABLES -A FORWARD -d $LANRANGE -j ACCEPT

$IPTABLES -A FORWARD -s ! $LANRANGE -j DROP

$IPTABLES -A INPUT --protocol udp --source-port $REJECTPORTS -j DROP
$IPTABLES -A INPUT --protocol udp --destination $REJECTPORTS -j DROP
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETHTTPPORT -j
DNAT --to $TARGETIP:$TARGETHTTPPORT

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETSSHPORT -j
DNAT --to $TARGETIP:$TARGETSSHPORT

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETSFTPPORT -j
DNAT --to $TARGETIP:$TARGETSFTPPORT

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETNNTPPORT -j
DNAT --to $TARGETIP:$TARGETNNTPPORT

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETIMAPPORT -j
DNAT --to $TARGETIP:$TARGETIMAPPORT

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETSMTPPORT -j
DNAT --to $TARGETIP:$TARGETSMTPPORT

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETFTPPORT -j
DNAT --to $TARGETIP:$TARGETFTPPORT

$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETTELNETPORT -j
DNAT --to $TARGETIP:$TARGETTELNETPORT

The above script is executed in rc.local, once my server boots.

Why should subsequent attempts to permit ports be rejected ?

lokkit does not provide the level of control I need for IP Masquerade etc.
Yes, it is also apparently used by my RH installation, but I have no idea
when.

Quote:> The input rule you have given seems to be rite, but my guess is that it
> gets overwritten by the other rules.

How so ?

Quote:> [Snipped all nice stuff]

>$IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport $TARGETTELNETPORT -j
>DNAT --to $TARGETIP:$TARGETTELNETPORT

>The above script is executed in rc.local, once my server boots.

>Why should subsequent attempts to permit ports be rejected ?

Well, I had problems opening a port adding my rules to the INPUT chain.
Apparrently my rules got overwritten by lokkits rules.

Quote:>lokkit does not provide the level of control I need for IP Masquerade
>etc. Yes, it is also apparently used by my RH installation, but I have
>no idea when.

Cant agree with you more on that lokkit thing. IF you look at the

/etc/sysconfig/iptables. I guess thats where all the rules to lokkit
come from.

Quote:>> The input rule you have given seems to be rite, but my guess is that it
>> gets overwritten by the other rules.

>How so ?

Coz of Lokkit. The following is snip from my /etc/init.d/iptables.

IPTABLES_CONFIG=/etc/sysconfig/iptables

So this points to the iptable rules created by Lokkit. You have to
change it to point to urs. Are you sure ur rules in rc.local get
executed after this one? Maybe yes coz rc.local is the last script that
executed. Maybe you want to verify this.

-V (-:^:-)
--
Remove NOSPAM in the email to reply

[If anyone has any 'issues' with me, they can email me, instead of
resorting to allusions. Thanks]

http://www.icon.co.za/~psheer/book/index.html.gz

forth in comp.os.linux.misc

That is wierd. One would imagine that lokkit's rules would be established
once iptables brings up. Later changes would probably not trigger an
automatic suppression.

Quote:

>>lokkit does not provide the level of control I need for IP Masquerade
>>etc. Yes, it is also apparently used by my RH installation, but I have
>>no idea when.

> Cant agree with you more on that lokkit thing. IF you look at the

> /etc/sysconfig/iptables. I guess thats where all the rules to lokkit
> come from.

Thanks !

I tried adding the rules to that file :

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -i eth0 -s 192.168.0.2 --dport 631
--syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -i eth0 -s 192.168.0.2 --dport 631 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -o eth0 -d 192.168.0.2 --dport 631 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport
67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport
67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 141.213.4.4 --sport 53 -d 0/0 -j
ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 141.212.2.75 --sport 53 -d 0/0 -j
ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 141.211.1.32 --sport 53 -d 0/0 -j
ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 141.213.4.4 --sport 53 -d 0/0 -j
ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

Restarted iptables. No go.

What could be possibly wrong ? Tried commenting out the last two lines, no
help there either.

Quote:>-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -i eth0 -s 192.168.0.2 --dport 631
>--syn -j ACCEPT
>-A RH-Lokkit-0-50-INPUT -p udp -i eth0 -s 192.168.0.2 --dport 631 -j ACCEPT
>-A RH-Lokkit-0-50-INPUT -p udp -o eth0 -d 192.168.0.2 --dport 631 -j ACCEPT

[...]

>Restarted iptables. No go.

>What could be possibly wrong ? Tried commenting out the last two lines,
>no help there either.

Beats me too! Maybe you want to telnet to the port from the comp you are
in first and then other comps in the lan or outside and see what
happens.

telnet 127.0.0.1 631
telnet <urhostname> 631 from other m/cs

If you get anything other than 'connection refused', it means that the
port is open and listening. Doesnt work on udp listening ports tho for
obvious reasons.

Also, you may want to provide the output of 'iptables -L' coz its easy
to read and you can see the rankings of all the rules.

How are you testing if a port is open or not? nmap?

-V (-:^:-)
--
Remove NOSPAM in the email to reply

[If anyone has any 'issues' with me, they can email me, instead of
resorting to allusions. Thanks]

http://www.icon.co.za/~psheer/book/index.html.gz