

Ashley M. Kirchner wrote:

>     Setup:
> 
>     I have one server (204.144.132.162) running an X backup application,
> which is displayed on a different machine (206.168.220.52).  This part
> works.
> 
>     The actual backup software accesses the drives on both the
> local machine, as well as the remote (display) one (through port 617);
> however, it can't get there.
> 
>     I have the following rules set up on the backup server:
> 
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $SECUREHOST5 -d
> $EXTIP 617
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p tcp -s $SECUREHOST5 -d
> $EXTIP 617
> 
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -d $SECUREHOST5 -s
> $EXTIP 617
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p tcp -d $SECUREHOST5 -s
> $EXTIP 617
> 
>    $EXTIF: eth0
>    $EXTIP: 204.144.132.162
>    $SECUREHOST5: 206.168.220.52
>
>     However, I get the following in my logs on the backup server:
> 
> Packet log: output REJECT eth0 PROTO=6 204.144.132.162:1015
> 206.168.220.52:617 L=60 S=0x00 I=40810 F=0x0000 T=64 SYN (#68)
> 
>     And it can't access the drives.
> 
>     What needs to be changed?  (NOTE: there are no rules running on the
> other machine...at all - I know, bad idea)
> 
>     AMK4

replace the numbers in the log with your symbolic names and
you get:

  output -p tcp -s $EXTIP 1024 -d $SECUREHOST5 617

but your output rules allow:

  output -p tcp -s $EXTIP 617  -d $SECUREHOST5

in other words, the source ports of the outgoing packets are
ephemeral ports, not 617 like you thought. tcpdump would
have told you this.

the last two rules should probably be:

  ipchains -A output -j ACCEPT -i $EXTIF -p udp -d $SECUREHOST5 617 -s $EXTIP
  ipchains -A output -j ACCEPT -i $EXTIF -p tcp -d $SECUREHOST5 617 -s $EXTIP

raf
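As an added illustration (not part of raf's reply or the original post): a small Python model of ipchains rule matching, run against the log line Ashley quoted, showing why the posted output rule misses the packet and the corrected one catches it. It goes one step past the reply by also checking a constructed SYN-ACK coming back from the display host, since the posted input rule pins the destination port to 617 in the same way.

```python
import re

EXTIF, EXTIP, SECUREHOST5 = "eth0", "204.144.132.162", "206.168.220.52"

# The rejected-packet log line quoted in the post, used here as sample input.
LOG_LINE = ("Packet log: output REJECT eth0 PROTO=6 204.144.132.162:1015 "
            "206.168.220.52:617 L=60 S=0x00 I=40810 F=0x0000 T=64 SYN (#68)")
# Constructed: the SYN-ACK reply, as it would be logged on the input chain.
REPLY_LINE = ("Packet log: input REJECT eth0 PROTO=6 206.168.220.52:617 "
              "204.144.132.162:1015 (#1)")

# Only the fields that the rules select on are extracted.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) \w+ (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")
PROTO_NAMES = {6: "tcp", 17: "udp"}

def parse_log(line):
    """Turn an ipchains 'Packet log:' line into a packet dict."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not an ipchains packet log line: %r" % line)
    return {"chain": m["chain"], "iface": m["iface"], "src": m["src"],
            "dst": m["dst"], "sport": int(m["sport"]), "dport": int(m["dport"]),
            "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"])}

def rule(chain, proto, src, dst, iface=EXTIF, sport=None, dport=None):
    """An ipchains rule; None means 'any port' (no port after -s/-d)."""
    return {"chain": chain, "proto": proto, "src": src, "dst": dst,
            "iface": iface, "sport": sport, "dport": dport}

def matches(r, pkt):
    """True if the packet satisfies every selector of the rule."""
    for key in ("chain", "iface", "proto", "src", "dst"):
        if r[key] != pkt[key]:
            return False
    for key in ("sport", "dport"):
        if r[key] is not None and r[key] != pkt[key]:
            return False
    return True

# Posted output rule: '-d $SECUREHOST5 -s $EXTIP 617' pins the SOURCE port.
POSTED_OUTPUT = rule("output", "tcp", src=EXTIP, sport=617, dst=SECUREHOST5)
# raf's fix: '-d $SECUREHOST5 617 -s $EXTIP' pins the DESTINATION port.
FIXED_OUTPUT = rule("output", "tcp", src=EXTIP, dst=SECUREHOST5, dport=617)
# Posted input rule: '-s $SECUREHOST5 -d $EXTIP 617' pins the DESTINATION port.
POSTED_INPUT = rule("input", "tcp", src=SECUREHOST5, dst=EXTIP, dport=617)

def accepted_by(r, line):
    """Would rule r have matched (and hence ACCEPTed) the logged packet?"""
    return matches(r, parse_log(line))
```

The reply SYN-ACK arrives with source port 617 and an ephemeral destination port, so the input rule needs the port on the -s side for the connection to complete in both directions.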

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]