Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-15-2006, 08:33 AM | #1
Member | Registered: Feb 2005 | Location: Pennsylvania | Distribution: Debian (maybe) | Posts: 237
MS SBS 2003 VPN Access
I have an unusual network set-up. It is:
1. The Application and MS Exchange Email Server is a Dell PowerEdge with an MS SBS 2003 OS
2. The Web Server is a plain box system with a Debian OS loaded with Apache 2
3. Our Firewall is a plain box loaded with an outstanding application called g::Scarlet operating on the Snap Linux OS, Googgun Technologies.
I need to find out what I have set up wrong with the system for VPN access to the SBS 2003 Application Server.
I can access the Internal MS Remote Access Menu and accomplish the Outlook Web Access with no problem. But, I am being blocked from accessing the VPN Desktop functions, which I can access inside of the firewall. I have been reading about and adjusting the iptables to allow this access but apparently I am missing one important piece of information on, I believe, which IP Ports I have failed to open on the firewall to allow me access to the VPN Service.
So, I finally stopped destroying the iptable and am asking for some guidance. Is the problem with accessing the MS VPN caused by the iptable or something else I am not looking at?
Here is what my iptable currently looks like:
Code:
*filter
:INPUT ACCEPT [2040257:296525081]
:FORWARD ACCEPT [2882733:2945858560]
:OUTPUT ACCEPT [2374242:322517324]
:ACCEPT_LOG - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -i eth1 -d ***.***.***.26/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1784 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 47 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 115 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG --log-level 6
-A INPUT -p tcp -m tcp --dport 110 -j LOG --log-level 6
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/255.255.255.0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -d 192.168.2.***/32 -j ACCEPT_LOG
-A FORWARD -p tcp -m tcp --dport 110 -d 192.168.2.***/32 -j ACCEPT_LOG
-A FORWARD -p udp -m udp --dport 53 -d 192.168.2.***/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -d 192.168.2.***/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -d 192.168.2.***/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 88 -d 192.168.2.***/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -d 192.168.2.***/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 115 -d 192.168.2.***/32 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3306 -d 169.254.173.***/32 -j ACCEPT
-A ACCEPT_LOG -j LOG --log-level 6 --log-prefix "FWDAL "
-A ACCEPT_LOG -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [7470054:1600554108]
:POSTROUTING ACCEPT [322644:18528680]
:OUTPUT ACCEPT [212998:12777794]
-A PREROUTING -p tcp -m tcp --dport 25 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 110 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
# 25
-A PREROUTING -p tcp -m tcp --dport 80 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 443 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 88 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 47 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 1723 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 115 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 3306 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
# 80
-A PREROUTING -p tcp -m tcp --dport 53 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p udp -m udp --dport 53 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A PREROUTING -p tcp -m tcp --dport 135 -i eth1 -d ***.***.***.26/32 -j DNAT --to-destination 192.168.2.***
-A POSTROUTING -s 192.168.2.0/255.255.255.0 -o eth1 -j SNAT --to-source ***.***.***.26
COMMIT
*mangle
:PREROUTING ACCEPT [90720160:57271172026]
:INPUT ACCEPT [3531056:429541889]
:FORWARD ACCEPT [82762839:55462121549]
:OUTPUT ACCEPT [2382870:326087582]
:POSTROUTING ACCEPT [85145581:55788197821]
COMMIT
Any assistance will be greatly appreciated.
09-17-2006, 05:38 PM | #2
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by AndeAnderson
Is the problem with accessing the MS VPN caused by the iptable
this can be determined by looking at your log file while the problem occurs... see if you can spot any necessary packets getting filtered... you could also determine whether it's an iptables issue by replacing your rules with more liberal ones to see if the problem goes away like that... once you are sure it's an iptables issue, then proceed to adjust your rules as needed...
BTW, why are your policies set to ACCEPT??
BTW2: you don't need to censor IPs that start with 192...
BTW3: you've got a lot of PREROUTING rules that coincide with INPUT rules... not sure what your intentions with that are, but remember that once a packet gets sent to DNAT, it's not going to hit the INPUT chain...
Last edited by win32sux; 09-17-2006 at 05:47 PM.
09-19-2006, 01:30 PM | #3
Member | Registered: Feb 2005 | Location: Pennsylvania | Distribution: Debian (maybe) | Posts: 237 | Original Poster
Log Files
Thanks for the input.
The rules are messed up because of my attempts to allow VPN connectivity. I have tried many different variations and ports.
I am pretty sure there is a specific port I need to have open for the MS SBS 2003 VPN access, but have been unable to locate that information either through MS or third party documentation.
What do you mean by: "BTW2: you don't need to censor IPs that start with 192..." ?
How could I "this can be determined by looking at your log file while the problem occurs... see if you can spot any necessary packets getting filtered..." while off site? Would PuTTY allow me to do this? Inside the firewall I have no problem with doing a VPN connection to the Server.
09-19-2006, 07:07 PM | #4
LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by AndeAnderson
What do you mean by: "BTW2: you don't need to censor IPs that start with 192..." ?
it means that you don't need to do things like this: you can just put the complete IP... in fact it's better if you DO put the complete IP cuz it provides a lot more clarity... it's not a security concern since 192.* IPs don't get routed on the Internet...
Quote:
How could I "this can be determined by looking at your log file while the problem occurs... see if you can spot any necessary packets getting filtered..." while off site?
by tailing your logfile... for example:
Code:
tail -f /var/log/syslog
Quote:
Would puTTY allow me to do this? Inside the firewall I have no problem with doing a VPN connection to the Server.
yes, anything from which you can get a command-line will let you do this...
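As an added example (not something posted in the thread), here is a small POSIX shell script for the log-tailing step described in post #4. It assumes the line format netfilter's LOG target writes to syslog (the `IN=`/`OUT=`/`PROTO=`/`DPT=` fields, with the `--log-prefix` such as the original rule set's "FWDAL " sitting just before `IN=`) and groups the logged packets by prefix, IP protocol and destination port, so you can see whether the PPTP control session (TCP/1723) and the GRE tunnel (IP protocol 47, which has no port and so carries no `DPT=`) reach the firewall at all and which LOG rule saw them. The sample lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise netfilter LOG lines from
# syslog by log prefix, IP protocol and destination port.
#
# Live use over SSH/PuTTY while reproducing the VPN attempt, as post #4 suggests:
#   tail -f /var/log/syslog | summarize_fw_log
# After the fact:
#   summarize_fw_log < /var/log/syslog

summarize_fw_log() {
    # Only kernel lines carrying netfilter's IN=/OUT= fields are LOG output.
    grep 'kernel:.*IN=.*OUT=' | awk '
    {
        prefix = "(none)"; proto = "?"; dport = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/ && i > 1) {
                # The --log-prefix, if any, is the field just before IN=,
                # unless that field is "kernel:" or a "[timestamp]".
                last = substr($(i-1), length($(i-1)))
                if (last != ":" && last != "]") prefix = $(i-1)
            }
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dport = substr($i, 5)   # absent for GRE/ESP
        }
        key = prefix " " proto " " dport
        count[key]++
    }
    END { for (k in count) printf "%6d %s\n", count[k], k }' | sort
}

# Constructed sample lines with hypothetical addresses (the thread masks its own):
# two forwarded SMTP packets logged by the ACCEPT_LOG chain, one PPTP control
# packet and one GRE packet logged without a prefix, and one unrelated sshd line.
SAMPLE_LOG=$(cat <<'EOF'
Sep 19 13:30:01 fw kernel: FWDAL IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 19 13:30:02 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.26 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=1723 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 19 13:30:02 fw kernel: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.26 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=47
Sep 19 13:30:03 fw sshd[123]: Accepted publickey for admin from 198.51.100.7 port 40000 ssh2
Sep 19 13:30:04 fw kernel: FWDAL IN=eth1 OUT=eth0 SRC=198.51.100.9 DST=192.168.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
)

# "sh summarize.sh --demo" runs the summary over the constructed sample instead of stdin.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log ;;
esac
```

On the sample, the summary reports two `FWDAL TCP 25` packets, one `(none) TCP 1723` and one `(none) 47 -`; a VPN attempt that shows TCP/1723 but never a protocol-47 line is the pattern to look for when the GRE tunnel is what is being dropped. Note that with the original rule set's default policies all set to ACCEPT, only the rules that explicitly say `-j LOG` produce lines, so a packet that is silently accepted or silently mis-routed will not appear here at all.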
09-22-2006, 07:38 AM | #5
Member | Registered: Feb 2005 | Location: Pennsylvania | Distribution: Debian (maybe) | Posts: 237 | Original Poster
Thank you for your patience and instruction.
I am only here 2 days a week and so it is a little hard to keep things moving sometimes. Another reason for learning how to work from off-site.
09-22-2006, 09:52 AM | #6
LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
I see you are trying to permit PPTP traffic through, is that the method used for your VPN? MS has 2.. PPTP and L2TP/IPSec
PPTP traffic uses TCP port 1723 to create and maintain the connection and IP protocol 47 to send data.
L2TP/IPSec traffic uses UDP ports 500 and 4500 to create and maintain the connection and IP protocol 50 to send data.
Configure your firewall to allow these types of traffic for the VPN method you are using, to and from your VPN server.
Virtual Private Networking with Windows 2000: Deploying Remote Access VPNs
Appendix A: Configuring Firewalls with a Windows 2000 VPN Server
http://www.microsoft.com/technet/pro...ndeploy05.mspx
Hope that helps..
Last edited by farslayer; 09-22-2006 at 09:56 AM.
10-04-2006, 02:16 PM | #7
Member | Registered: Feb 2005 | Location: Pennsylvania | Distribution: Debian (maybe) | Posts: 237 | Original Poster
MS VPN IP Port Information
Thanks farslayer,
The linked information is Great! Plus, I liked seeing you actually post the IP Port numbers instead of just saying "use the VPN IPs" as I have seen in other replies.
I was trying to set up an L2TP/IPSec VPN and had given up, looking for any VPN connection. I had tried port 1723 with no success and an MS tech support person, in another forum, said that the IP Ports 4125 and 443 had to be open for the SBS 2003 to allow a VPN connection.
Also, I was hoping to find someone willing to help me to repair my iptables, since I messed them up trying to get the VPN working.
Anyway, again, thanks for the information.
BTW: This is my second attempt to post this reply. When I attempted to post the first reply I was redirected to URL: http://www.usenetmonster.com/index.asp
10-04-2006, 05:40 PM | #8
LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
So from your post I'm not sure if you got it working or not..
Glad you found the provided information helpful.
I'm no iptables guru so I'll leave that task to someone else
Yes that's an odd url to be directed to.. Weirdness
10-06-2006, 07:57 AM | #9
Member | Registered: Feb 2005 | Location: Pennsylvania | Distribution: Debian (maybe) | Posts: 237 | Original Poster
Iptables
No. I didn't get a chance to work on the iptables.
I spent the day getting a replacement Cingular Smart Phone set up to receive email. I have spent about 10 hours on the phone with their tech support in the last couple of weeks.
I should be able to try out the changes this weekend.
10-06-2006, 08:56 AM | #10
Member | Registered: Feb 2005 | Location: ~h3av3n~ | Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04 | Posts: 227
it is not port 47 but -p GRE in iptables..
# cat /etc/protocols |grep 47
btw ur rules are so haphazard.. u better do some reading on netfilter
http://netfilter.org/documentation/
and why don't u use OpenVPN with key authentication.
http://brneurosci.org/linuxsetup71.html
Last edited by ~=gr3p=~; 10-06-2006 at 09:02 AM.
10-06-2006, 09:12 AM | #11
Member | Registered: Feb 2005 | Location: Pennsylvania | Distribution: Debian (maybe) | Posts: 237 | Original Poster
Reading about rules
You are correct. My rules are now haphazard, but I lack the basic understanding and comprehension on how to set up and use the rules.
I have read and researched all I could find about iptables and rules. Unfortunately, some of the information which is clear to the people who wrote them is not clear to me. I have been trying to grasp the basics of rules and iptables for a long time now and it continues to elude me. That is why I posted in this forum asking for help with them.
I have been to the documentation you have listed and it failed to clear up my confusion about iptables and rules.
For example, I do not know what you are talking about when you said "it is not port 47 but -p GRE in iptables.."
If it is not port 47 then what is it? What is "-p GRE" in the iptables?
One basic question I have not found an answer for is:
Do I have to have a rule for the incoming port in both the filter and NAT rules? In some of the examples I find them duplicated and in other examples they are completely different.
Is that because the different flavors of Linux have different requirements for their iptables?
10-06-2006, 02:45 PM | #12
Member | Registered: Feb 2005 | Location: ~h3av3n~ | Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04 | Posts: 227
Quote:
Originally Posted by AndeAnderson
If it is not port 47 then what is it? What is "-p GRE" in the iptables?
iptables -A INPUT -p GRE -j ACCEPT
or if doing port forwarding:
-A PREROUTING -i eth1 -d ***.***.***.26 -p GRE -j DNAT --to-destination 192.168.2.***
iptables is very powerful and with patch-o-matic it rocks..it will be difficult to understand if ur basic networking concepts are not clear.
u shuld dedicate some time reading a tutorial like say this one..if u really want to get the best out of iptables
http://iptables-tutorial.frozentux.n...-tutorial.html
there are some really good scripts available which u can refer for learning purposes:
http://rocky.eld.leidenuniv.nl/
all the best with ur script
Last edited by ~=gr3p=~; 10-06-2006 at 02:50 PM.
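To tie together the port and protocol numbers in post #6, the question in post #11 about whether a port needs a rule in both the filter and the nat tables, and the `-p GRE` rules in post #12, here is an added example (not code from the thread, from the linked Microsoft appendix, or from any of the posters) that prints the iptables commands for passing one of the two Windows VPN methods through a Linux firewall to a VPN server on the LAN. The interface name and the addresses in the usage lines are hypothetical placeholders; the thread masks its own.

```shell
#!/bin/sh
# Added example: print the iptables commands that let one Windows VPN method
# through to an internal VPN server. Interface and addresses are placeholders.
#
#   vpn_rules pptp eth1 203.0.113.26 192.168.2.10
#   vpn_rules l2tp eth1 203.0.113.26 192.168.2.10
#
# Read the output first, then pipe it into sh to apply it.

# One protocol (plus an optional port match) towards the VPN server. The nat
# PREROUTING DNAT rewrites the destination, after which the packet is routed
# and checked in filter FORWARD, never in INPUT (post #2's third point), so
# both a nat rule and a FORWARD rule are needed, and an INPUT rule does nothing.
# Reply packets match the RELATED,ESTABLISHED FORWARD rule the original rule
# set already has.
allow_to_vpn_server() {
    proto=$1 match=$2
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s %s-j DNAT --to-destination %s\n' \
        "$wan_if" "$pub_ip" "$proto" "${match:+$match }" "$vpn_srv"
    printf 'iptables -A FORWARD -i %s -d %s -p %s %s-m state --state NEW -j ACCEPT\n' \
        "$wan_if" "$vpn_srv" "$proto" "${match:+$match }"
}

vpn_rules() {
    method=$1 wan_if=$2 pub_ip=$3 vpn_srv=$4
    case $method in
    pptp)
        # Control session on TCP/1723; tunnel data is IP protocol 47 (GRE).
        # GRE has no ports: it is matched with "-p gre" (or "-p 47"), so a
        # rule saying "-p tcp --dport 47" never sees it.
        allow_to_vpn_server tcp "--dport 1723"
        allow_to_vpn_server gre ""
        ;;
    l2tp)
        # IKE on UDP/500 and NAT-T on UDP/4500; tunnel data is IP protocol 50 (ESP).
        allow_to_vpn_server udp "--dport 500"
        allow_to_vpn_server udp "--dport 4500"
        allow_to_vpn_server esp ""
        ;;
    *)
        echo "usage: vpn_rules pptp|l2tp WAN_IF PUBLIC_IP VPN_SERVER" >&2
        return 1
        ;;
    esac
}

# "sh vpn_rules.sh pptp eth1 203.0.113.26 192.168.2.10" prints the rule set.
if [ $# -eq 4 ]; then
    vpn_rules "$@"
fi
```

Two practical notes. For PPTP, load the kernel's PPTP connection-tracking and NAT helper modules on the firewall so that each client's GRE stream is tracked alongside its TCP/1723 control session rather than as a bare protocol-47 flow. And the ports the Microsoft support person named in post #7, TCP 4125 and 443, belong to the SBS 2003 Remote Web Workplace and its "connect to desktop" proxy, not to either VPN method; if that is the feature that fails from off site, it needs its own DNAT and FORWARD pair just like the ones above, and opening 1723 or GRE will not help it.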
10-06-2006, 06:23 PM | #13
LQ Guru | Registered: Oct 2005 | Location: Northeast Ohio | Distribution: linuxdebian | Posts: 7,249
Look at it this way..
there is a wall with three restroom doors (ports).
a Men's, a Ladies', and a Handicapped.
each of these restroom doors represents a PORT
Each person is a different protocol: a guy, a lady, and a person in a wheelchair
Let's say protocol 47 (GRE) is a guy
according to the rules a Guy may use the mens room.
so the rule on the mens room states to allow the guy to pass through this port but not the lady or the person in the wheelchair..
basically GRE is a protocol used by a specific application. so the rule says Yes this door is open and unlocked but ONLY for this specific protocol and not any others..
ports are just connection points pretty much any protocol can be configured to use any port, so the ability to secure a port based on the protocol type increases the granularity of how tightly your firewall can be configured.
I sure hope that helped a little.. a crappy analogy but hey what can I say..
10-06-2006, 11:21 PM | #14
Member | Registered: Feb 2005 | Location: ~h3av3n~ | Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04 | Posts: 227
^^ hehe good explanation there
@ Anderson,
you may also play with:
http://www.fwbuilder.org/
10-10-2006, 08:35 AM | #15
Member | Registered: Feb 2005 | Location: Pennsylvania | Distribution: Debian (maybe) | Posts: 237 | Original Poster
Thanks for the input. The idea of "Protocols" just adds a new level to try to grasp. I find nothing in the rules / iptables which I listed in my first post that have anything to do with specific protocols, unless you are talking about the tcp and udp settings. The firewall GUI in my appliance doesn't provide for selecting protocols by number or acronym.
I will read the information at links provided and try to get a better understanding.