LinuxQuestions.org
Old 09-13-2015, 06:37 AM   #1
Märk Owen
Iptables on a diskless client


Hello,

After setting up a TFTP/PXE system in my network, I got a working diskless client and I'm trying to set up some iptables rules on it for basic security when it runs.

The problem is, iptables seems to cut all communication with the server and thus the diskless client freezes. Is it necessary to set up iptables in this situation? If so, can you help me find out which rules to add/remove?

Here are my current rules:

Code:
#!/bin/sh

# Flush all rules and delete user-defined chains in the IPv4 filter table
iptables -F
iptables -X

# Drop all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# IPv4: default-deny inbound and forwarded traffic, allow all outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Accept everything coming from the TFTP/NFS server
iptables -A INPUT -s 192.168.1.2 -j ACCEPT
# Accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Accept replies to connections the client initiated itself
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

exit 0
192.168.1.2 is my server's IP, for reference. Thank you in advance.

Last edited by Märk Owen; 09-13-2015 at 06:39 AM.
 
Old 09-14-2015, 04:32 AM   #2
wildwizard
You must put in an allow rule set for the NFS file server before you add any other rules or, in your case, apply a policy of DROP.
 
Old 09-14-2015, 09:28 AM   #3
Märk Owen
I changed my rules to this:

Code:
#!/bin/sh

# Flush all rules and delete user-defined chains in the IPv4 filter table
iptables -F
iptables -X

# Drop all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# Allow the TFTP/NFS server in both directions before switching to default-deny
iptables -A INPUT -s 192.168.1.2 -j ACCEPT
iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
# IPv4: default-deny inbound and forwarded traffic, allow all outbound
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Accept loopback traffic and replies to connections the client initiated
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

exit 0
It works in itself, BUT since my diskless client needs to load Xorg, it seems to hang there (the GUI; I still have access to the rest of the system). No idea why.
 
Old 09-14-2015, 04:06 PM   #4
wildwizard
Haven't looked at what Xorg does on the network side for a while, but you could turn the firewall off and, while X is running, use lsof to find out what it's doing. Then you could tweak your rules to match.
 
Old 09-15-2015, 02:46 PM   #5
jefro
Exactly where is the disk image running from by the way? Is it totally in ram on the client?
 
Old 09-16-2015, 01:01 PM   #6
Märk Owen
The system is on the TFTP/NFS server. This is my first installation of this type; I don't know if it's fully loaded into the client's RAM (there is no other drive on the client).
 
Old 09-16-2015, 07:36 PM   #7
jefro
Oops, that didn't matter. It is the iptables for either or both IPv4/6 to LAN issue.
 
Old 10-11-2015, 05:15 AM   #8
Märk Owen
Solved

I found the issue: I put the loopback interface rule BEFORE the DROP policies and it allowed X to work, so problem solved. I'm posting the final iptables script for anyone who may need it in the future:

Code:
#!/bin/sh

# Flush all rules and delete user-defined chains in the IPv4 filter table
iptables -F
iptables -X

# Drop all IPv6 traffic
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

# Allow the TFTP/NFS server in both directions
iptables -A INPUT -s 192.168.1.2 -j ACCEPT
iptables -A FORWARD -s 192.168.1.2 -j ACCEPT
iptables -A FORWARD -d 192.168.1.2 -j ACCEPT
# Accept loopback traffic and replies to connections the client initiated
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only now switch to default-deny for inbound and forwarded traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

exit 0

Last edited by Märk Owen; 10-11-2015 at 05:19 AM.
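A small model of how the INPUT chain in these scripts is evaluated, added here as an illustration and not code from the thread: rules are tried in append order, the first match decides, and the chain policy is consulted only when no rule matched. Loading the INPUT lines of posts #3 and #8 yields the same final chain, because -P sets the policy whenever it runs; the sample packets, including the interface name eth0, are constructed.

```python
# Minimal model of an iptables INPUT chain: -A appends a rule, -P sets the chain
# policy, and a packet gets the first matching rule's target, else the policy.
import shlex

def load_script(text):
    """Return (rules, policy) for the INPUT chain from iptables command lines."""
    rules, policy = [], "ACCEPT"           # a fresh chain's policy is ACCEPT
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 4 or argv[0] != "iptables" or argv[2] != "INPUT":
            continue                       # skip ip6tables, FORWARD, -F/-X lines
        if argv[1] == "-P":
            policy = argv[3]
        elif argv[1] == "-A":
            opts = dict(zip(argv[3::2], argv[4::2]))
            rules.append({"src": opts.get("-s"), "iface": opts.get("-i"),
                          "states": set(opts.get("--state", "").split(",")) - {""},
                          "target": opts["-j"]})
    return rules, policy

def verdict(chain, pkt):
    """First matching rule decides; the policy is used only if none matched."""
    rules, policy = chain
    for r in rules:
        if ((r["src"] is None or pkt["src"] == r["src"])
                and (r["iface"] is None or pkt["iface"] == r["iface"])
                and (not r["states"] or pkt["state"] in r["states"])):
            return r["target"]
    return policy

# INPUT lines from posts #3 and #8, in the order each script issues them.
POST3 = """iptables -A INPUT -s 192.168.1.2 -j ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"""
POST8 = """iptables -A INPUT -s 192.168.1.2 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP"""

# Constructed sample packets (the interface name eth0 is assumed, not from the thread).
SAMPLES = {
    "nfs_reply_from_server":   {"src": "192.168.1.2",  "iface": "eth0", "state": "ESTABLISHED"},
    "local_x_over_loopback":   {"src": "127.0.0.1",    "iface": "lo",   "state": "NEW"},
    "new_from_other_lan_host": {"src": "192.168.1.50", "iface": "eth0", "state": "NEW"},
}

def evaluate(script):
    chain = load_script(script)
    return {name: verdict(chain, pkt) for name, pkt in SAMPLES.items()}
```

Comparing evaluate(POST3) with evaluate(POST8) shows identical verdicts for every sample packet; where the two scripts differ is only the brief window during execution in which the DROP policy is already in force but the loopback rule has not yet been appended.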
 
Old 10-11-2015, 05:23 AM   #9
unSpawn
Quote (originally posted by Märk Owen):
I found the issue: I put the loopback interface rule BEFORE the DROP policies and it allowed X to work, so problem solved. I'm posting the final iptables script for anyone who may need it in the future.
Thanks for posting. Please mark thread "solved" as well.
 
Old 10-11-2015, 11:27 AM   #10
Märk Owen
Yes, I tried to but it seems I'm not allowed to edit my original post because the EDIT button's missing.
 
Old 10-11-2015, 03:00 PM   #11
unSpawn
No, it doesn't require editing your OP: there should be a link "mark thread solved" below this thread's top header, to the right.
 