LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1  10-26-2004, 12:45 PM
mousie (LQ Newbie, registered Oct 2004; Distribution: Fedora Core 4, Slackware 10.0)
Cups and Firewall


Hi, I'm using Slackware 10.0 and cups 1.1.20

I've recently set up cups to work for a printer connected to my linux box. I am not sharing the printer; I plan to only use it from my linux box. I am able to print fine using "lpr <filename>" on the command line with my firewall accepting all input packets. However, once I turn my firewall on, the system hangs and does not print anything. I opened port 631 for cups; however, that does not seem to help. Below are my firewall rules. Can someone please help me find what is missing? Thanks.

Code:
#(1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (3) INPUT chain rules

#Rules for incoming packets from the internet
#Packets for established connections
iptables -A INPUT -p ALL -d 192.168.0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -s 127.0.0.1 --destination-port 631 -j ACCEPT
#UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 127.0.0.1 --destination-port 631 -j ACCEPT

# (5) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.101 -j ACCEPT
 
#2  10-26-2004, 01:35 PM
TruckStuff (Member, registered Apr 2002)
You're not allowing packets out with a destination of localhost (127.0.0.1). Try the following:
Code:
# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Always allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# (3) INPUT chain rules

#Rules for incoming packets from the internet
#Packets for established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p ALL -d 192.168.0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT

#TCP rules
iptables -A INPUT -p TCP -i eth0 --destination-port 22 -j ACCEPT  # Allow SSH server connections
iptables -A INPUT -p TCP -i eth0 --destination-port 80 -j ACCEPT  # Allow HTTP server connections
#UDP rules
iptables -A INPUT -p UDP -i eth0 --destination-port 53 -j ACCEPT

# (5) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
#
# COMMENT: This is a silly rule.  You're allowing everything out of your computer, regardless of what it is.  
#  
iptables -A OUTPUT -p ALL -s 192.168.0.101 -j ACCEPT
# A Better idea is to allow specific services out:
iptables -A OUTPUT -p tcp --dport http -m state --state NEW -j ACCEPT  # Allow HTTP client connections.
iptables -A OUTPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT  # allow SSH client connections, etc.
 
#3  10-26-2004, 01:53 PM
mousie (Original Poster)
Ah, I didn't notice that. I tried the rules you posted and it works fine. However, my one concern is with the loopback rules: when I do "iptables -L" it shows for INPUT and OUTPUT "target ACCEPT prot all opt -- source anywhere destination anywhere". Doesn't that mean that I am now accepting all connections from anywhere to anywhere? Thanks.
 
#4  10-26-2004, 06:36 PM
TruckStuff (Member, registered Apr 2002)
Quote:
Originally posted by mousie
Doesn't that mean that I am now accepting all connections from anwhere to anywhere? Thanks.
No, that means that you are now accepting all connections on the loopback device, i.e. 127.0.0.1. No router in the world will route a packet with that destination address, and even if they did, the loopback device is protected by the kernel (I think it's the kernel anyway) and is only accessible to the localhost.

Last edited by TruckStuff; 10-26-2004 at 06:37 PM.
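To see concretely why the ruleset in post #1 hangs lpr and why the loopback rules in post #2 fix it, here is an added example that is not part of the thread and is not iptables itself: a small Python model of the iptables options the posted rules actually use (-p, -i/-o, -s, -d, --dport, -m state --state), with first-match-wins evaluation and a chain policy, used to trace the TCP SYN that lpr sends to cupsd. The example assumes the client talks to 127.0.0.1:631 (the CUPS default server address) and that conntrack sees that SYN as NEW. A connection to a local address never touches eth0; both directions are delivered over the lo interface, so the trace shows the OUTPUT chain of post #1 already accepting the SYN via -s 127.0.0.1 while its INPUT chain drops it: the port-631 rules are bound to -i eth0 and the ESTABLISHED rule to -d 192.168.0.101, and a loopback packet satisfies neither. The corrected set is the one from post #2 without the -s 192.168.0.101 catch-all (which its own comment calls silly), plus one anti-spoofing rule that is this example's addition: 127.0.0.0/8 sources are dropped unless they arrive on lo, which answers the concern in post #3 directly. The packets themselves are constructed for the example.

```python
"""Added example: a toy evaluator for the iptables subset used in this thread.
It is not netfilter; it only reproduces first-match-wins over the options the
posted rules use, so the loopback problem can be traced offline without root."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet is seen on: "lo" for local traffic, else "eth0"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    state: str   # conntrack's view of it: "NEW", "ESTABLISHED" or "RELATED"


def rule(target, proto=None, iface=None, not_iface=None, src=None, dst=None,
         dport=None, states=None):
    """One rule; None means the option was not given and so matches anything."""
    return {"target": target, "proto": proto, "iface": iface, "not_iface": not_iface,
            "src": src, "dst": dst, "dport": dport, "states": states}


def matches(r, p):
    if r["proto"] and r["proto"] != p.proto:
        return False
    if r["iface"] and r["iface"] != p.iface:            # -i eth0 / -o lo
        return False
    if r["not_iface"] and r["not_iface"] == p.iface:    # ! -i lo
        return False
    if r["src"] and ipaddress.ip_address(p.src) not in ipaddress.ip_network(r["src"], strict=False):
        return False
    if r["dst"] and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(r["dst"], strict=False):
        return False
    if r["dport"] is not None and r["dport"] != p.dport:
        return False
    if r["states"] and p.state not in r["states"]:
        return False
    return True


def verdict(chain, policy, p):
    """First matching rule decides, as in netfilter: (target, rule index) or (policy, None)."""
    for i, r in enumerate(chain):
        if matches(r, p):
            return r["target"], i
    return policy, None


def trace(p, output_chain, input_chain):
    """A locally generated packet to a local address traverses OUTPUT, is looped
    back on lo, then traverses INPUT. Return both chains' verdicts."""
    return {"OUTPUT": verdict(output_chain, "DROP", p),
            "INPUT": verdict(input_chain, "DROP", p)}


# Post #1's rules (-s 0/0 left out: it matches everything anyway).
OP_INPUT = [
    rule("ACCEPT", dst="192.168.0.101", states={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", proto="tcp", iface="eth0", dport=22),
    rule("ACCEPT", proto="tcp", iface="eth0", dport=80),
    rule("ACCEPT", proto="tcp", iface="eth0", src="127.0.0.1", dport=631),
    rule("ACCEPT", proto="udp", iface="eth0", dport=53),
    rule("ACCEPT", proto="udp", iface="eth0", src="127.0.0.1", dport=631),
]
OP_OUTPUT = [rule("ACCEPT", src="127.0.0.1"), rule("ACCEPT", src="192.168.0.101")]

# Post #2's rules, plus an anti-spoofing rule added by this example (assumption:
# nothing legitimate with a 127/8 source ever arrives on a real interface).
FIXED_INPUT = [
    rule("DROP", not_iface="lo", src="127.0.0.0/8"),    # ! -i lo -s 127.0.0.0/8 -j DROP
    rule("ACCEPT", iface="lo"),                          # -i lo -j ACCEPT
    rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", proto="tcp", iface="eth0", dport=22),
    rule("ACCEPT", proto="tcp", iface="eth0", dport=80),
    rule("ACCEPT", proto="udp", iface="eth0", dport=53),
]
FIXED_OUTPUT = [
    rule("ACCEPT", iface="lo"),                          # -o lo -j ACCEPT
    rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    rule("ACCEPT", proto="tcp", dport=80, states={"NEW"}),
    rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),
]

# Constructed packets: lpr's SYN to cupsd on 127.0.0.1:631, and a spoofed SYN
# that claims a loopback source but arrives from the wire on eth0.
LOOPBACK_SYN = Packet("lo", "tcp", "127.0.0.1", "127.0.0.1", 631, "NEW")
SPOOFED_SYN = Packet("eth0", "tcp", "127.0.0.1", "192.168.0.101", 22, "NEW")

if __name__ == "__main__":
    print("post #1 rules :", trace(LOOPBACK_SYN, OP_OUTPUT, OP_INPUT))
    print("post #2 rules :", trace(LOOPBACK_SYN, FIXED_OUTPUT, FIXED_INPUT))
    print("spoofed, #1   :", verdict(OP_INPUT, "DROP", SPOOFED_SYN))
    print("spoofed, fixed:", verdict(FIXED_INPUT, "DROP", SPOOFED_SYN))
```

On a real box the same information is visible with "iptables -nvL": its "in" and "out" columns show the lo binding that plain "iptables -L" hides behind "anywhere". The anti-spoofing rule is belt and braces rather than a necessity: the Linux routing code already discards a 127.0.0.0/8 source seen on a non-loopback interface as a martian unless route_localnet is enabled for that interface, but an explicit rule keeps the intent visible in the ruleset.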
 
#5  10-26-2004, 09:42 PM
mousie (Original Poster)
Oh, perhaps they should clarify that in "iptables -L". Well, thanks a lot for your help. CUPS works perfectly now.
 
  


All times are GMT -5.