Re: [leaf-user] portforward with ipchains
On Tue, 2002-06-04 at 06:37, Jaime Goncalves wrote:
> Hi I'm trying to rdp into my win2k server behind my lrp box this is the
> command to open the port on the lrp box from the command line "ipchains
> -A forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d xxx.xxx.xxx.xxx 3389 -j
> ACCEPT"
> can any one see a problem with the syntax

I'm not sure what rdp is, but I wouldn't limit my source port to 3389.
It seems unlikely that your source port will always be 3389.

-- Joe

___
Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] portforward with ipchains
RDP is remote desktop for windows and yes it always listens on port 3389

Jaime

[EMAIL PROTECTED] writes:
>On Tue, 2002-06-04 at 06:37, Jaime Goncalves wrote:
>> Hi I'm trying to rdp into my win2k server behind my lrp box this is the
>> command to open the port on the lrp box from the command line "ipchains
>> -A forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d xxx.xxx.xxx.xxx 3389 -j
>> ACCEPT"
>> can any one see a problem with the syntax
>
>I'm not sure what rdp is, but I wouldn't limit my source port to 3389.
>It seems unlikely that your source port will always be 3389.
>
>-- Joe
Re: [leaf-user] portforward with ipchains
On 4 Jun 2002 at 6:49, Joe Copeland wrote:

> On Tue, 2002-06-04 at 06:37, Jaime Goncalves wrote:
> > Hi I'm trying to rdp into my win2k server behind my lrp box this is
> > the command to open the port on the lrp box from the command line
> > "ipchains -A forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d
> > xxx.xxx.xxx.xxx 3389 -j ACCEPT" can any one see a problem with the
> > syntax
>
> I'm not sure what rdp is, but I wouldn't limit my source port to 3389.
> It seems unlikely that your source port will always be 3389.

RDP is Remote Desktop Protocol, what MS uses for their Terminal
Services. And indeed, opening only 3389 incoming will work; I just
set up my Pix at work yesterday to allow access to our TS server, and
I only needed to open TCP 3389. MS doesn't send via a random high
port, like some unix services do, so specifying 3389 as a source port
will probably be fine.

I'm told that there are also times when it will use TCP 1494, but I
don't know that for a fact. I do know we're doing production work
specifying 3389.
Re: [leaf-user] portforward with ipchains
I prefer to use VNC tunneled thru an SSH connection to manage my remote
windoze boxes.

something like

On my gateway box..

ssh -g -L 5905:192.168.1.1:5900 destination.router.com

Where 192.168.1.1 is the IP of the Win2000 box and destination.router is
the gateway on the other end.

Then VNC to my gateway box port 5905..

Bingo! Safe, secure, encrypted and no extra ports to have open!

On Tue, 4 Jun 2002, Michael Leone wrote:

> On 4 Jun 2002 at 6:49, Joe Copeland wrote:
>
> > On Tue, 2002-06-04 at 06:37, Jaime Goncalves wrote:
> > > Hi I'm trying to rdp into my win2k server behind my lrp box this is
> > > the command to open the port on the lrp box from the command line
> > > "ipchains -A forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d
> > > xxx.xxx.xxx.xxx 3389 -j ACCEPT" can any one see a problem with the
> > > syntax
> >
> > I'm not sure what rdp is, but I wouldn't limit my source port to 3389.
> > It seems unlikely that your source port will always be 3389.
>
> RDP is Remote Desktop Protocol, what MS uses for their Terminal
> Services. And indeed, opening only 3389 incoming will work; I just
> set up my Pix at work yesterday to allow access to our TS server, and
> I only needed to open TCP 3389. MS doesn't send via a random high
> port, like some unix services do, so specifying 3389 as a source port
> will probably be fine.
>
> I'm told that there are also times when it will use TCP 1494, but I
> don't know that for a fact. I do know we're doing production work
> specifying 3389.

--
Timothy Burt
Internet Specialist
Re: [leaf-user] portforward with ipchains
On 4 Jun 2002 at 7:36, T Burt wrote:

>
> I prefer to use VNC tunneled thru an SSH connection to manage my
> remote windoze boxes.

Actually, TS is on the order of about a THOUSAND times faster than
VNC, even without SSH. :-)

(a slight exaggeration; I do use VNC to control my Windows boxes, and
there is no sane comparison - for speed - between RDP and VNC. Also,
RDP is like getting a *separate* virtual console in Linux; it is not
remote control, like VNC is. It can be, if you install it that way,
but usually is meant as a whole VM session)

Security may be a different issue.
Re: [leaf-user] portforward with ipchains
At 09:37 AM 6/4/02 -0400, Jaime Goncalves wrote:
>Hi I'm trying to rdp into my win2k server behind my lrp box this is the
>command to open the port on the lrp box from the command line "ipchains
>-A forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d xxx.xxx.xxx.xxx 3389 -j
>ACCEPT"
>can any one see a problem with the syntax

The syntax looks fine.

But in choosing to conceal the IP addresses involved, you left open the
question of whether this setup is a simple router or a NAT'ing router. If
the LEAF router is NAT'ing, you'll need to add a port-forwarding entry (via
ipmasqadm) instead of this ipchains entry. And in any case, you may need to
modify the input chain to ACCEPT incoming traffic from or to (or both) port
3389. (And since I am unacquainted with the rdp service, I don't actually
know that it can be made to work through a NAT'd connection at all.)

Oh, one qualification on my syntax comment ... you are adding (-A) this
rule rather than inserting (-I ##) it. This means it gets put at the *end*
of the forward chain. Since packets pass through the rules of a chain in
order until they hit a matching one, it is possible that some rule prior to
the one you are creating will catch and act on the packets. This is why a
chain's rules have to be evaluated as a set, not singly, in isolation.

If this really was just a question about the syntax of ipchains commands,
then you are set. If you are experiencing trouble with the hookup, though
(as I suspect), you'll probably need to post a more complete trouble
description. See the "SR FAQ" link below for help if you need to do this.

--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, California, USA
[EMAIL PROTECTED]

SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
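The rule-ordering point in the message above, together with the earlier remark in this thread about pinning the source port, as an added example that is not part of the original thread. It is a toy first-match model in Python, not ipchains itself; the addresses, the pre-existing DENY rule and the ephemeral port 49152 are constructed assumptions.

```python
# Added example: toy model of first-match rule evaluation in one chain.
# Not ipchains code; all addresses and rules below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                    # "ACCEPT" or "DENY"
    dst: Optional[str] = None      # None matches any destination address
    sport: Optional[int] = None    # None matches any source port
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return ((self.dst is None or self.dst == pkt["dst"])
                and (self.sport is None or self.sport == pkt["sport"])
                and (self.dport is None or self.dport == pkt["dport"]))

def verdict(chain: list, pkt: dict, policy: str = "DENY") -> str:
    """Walk the chain in order; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy                  # nothing matched: chain policy applies

def append(chain: list, rule: Rule) -> list:
    return chain + [rule]          # like -A: rule lands at the end

def insert(chain: list, rule: Rule, pos: int = 1) -> list:
    return chain[:pos - 1] + [rule] + chain[pos - 1:]   # like -I <pos>

SERVER = "192.168.1.10"            # constructed internal server address
# Constructed packet: a client connecting from an ephemeral source port.
SYN = {"src": "203.0.113.5", "sport": 49152, "dst": SERVER, "dport": 3389}

DENY_INBOUND = Rule("DENY", dst=SERVER)              # assumed earlier rule
ALLOW_RDP = Rule("ACCEPT", dst=SERVER, dport=3389)   # new rule, any sport
ALLOW_PINNED = Rule("ACCEPT", dst=SERVER, sport=3389, dport=3389)

def demo() -> dict:
    base = [DENY_INBOUND]
    return {
        # Appended after the DENY: the DENY matches first and wins.
        "appended": verdict(append(base, ALLOW_RDP), SYN),
        # Inserted at position 1: the ACCEPT is reached first.
        "inserted": verdict(insert(base, ALLOW_RDP), SYN),
        # Source port pinned to 3389: the rule never matches this packet.
        "sport_pinned": verdict(insert(base, ALLOW_PINNED), SYN),
    }

if __name__ == "__main__":
    print(demo())
```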
RE: [leaf-user] portforward with ipchains
>
> On 4 Jun 2002 at 6:49, Joe Copeland wrote:
>
> > On Tue, 2002-06-04 at 06:37, Jaime Goncalves wrote:
>
> I'm told that there are also times when it will use TCP 1494, but I
> don't know that for a fact. I do know we're doing production work
> specifying 3389.
>

Port 1494 is for Citrix ICA

Stefaan
Re: [leaf-user] portforward with ipchains
There is a FAQ on this here:

http://sourceforge.net/docman/display_doc.php?docid=4427&group_id=13751

I use it to access my box currently. Let me know if it is just the one
port. I think Terminal Server uses 3389 and Citrix uses 1494. I probably
need to update the FAQ.

-sp

On Tue, 04 June 2002, Ray Olszewski wrote

>
> At 09:37 AM 6/4/02 -0400, Jaime Goncalves wrote:
> >Hi I'm trying to rdp into my win2k server behind my lrp box this is the
> >command to open the port on the lrp box from the command line "ipchains
> >-A forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d xxx.xxx.xxx.xxx 3389 -j
> >ACCEPT"
> >can any one see a problem with the syntax
>
> The syntax looks fine.
>
> But in choosing to conceal the IP addresses involved, you left open the
> question of whether this setup is a simple router or a NAT'ing router. If
> the LEAF router is NAT'ing, you'll need to add a port-forwarding entry (via
> ipmasqadm) instead of this ipchains entry. And in any case, you may need to
> modify the input chain to ACCEPT incoming traffic from or to (or both) port
> 3389. (And since I am unacquainted with the rdp service, I don't actually
> know that it can be made to work through a NAT'd connection at all.)
>
> Oh, one qualification on my syntax comment ... you are adding (-A) this
> rule rather than inserting (-I ##) it. This means it gets put at the *end*
> of the forward chain. Since packets pass through the rules of a chain in
> order until they hit a matching one, it is possible that some rule prior to
> the one you are creating will catch and act on the packets. This is why a
> chain's rules have to be evaluated as a set, not singly, in isolation.
>
> If this really was just a question about the syntax of ipchains commands,
> then you are set. If you are experiencing trouble with the hookup, though
> (as I suspect), you'll probably need to post a more complete trouble
> description. See the "SR FAQ" link below for help if you need to do this.
>
> --
> "Never tell me the odds!" -- Han Solo
> Ray Olszewski
> Palo Alto, California, USA
> [EMAIL PROTECTED]
Re: [leaf-user] portforward with ipchains
> At 09:37 AM 6/4/02 -0400, Jaime Goncalves wrote:
> >Hi I'm trying to rdp into my win2k server behind my lrp box this is
> > the command to open the port on the lrp box from the command line
> > "ipchains -A forward -p tcp -s xxx.xxx.xxx.xxx 3389 -d
> > xxx.xxx.xxx.xxx 3389 -j ACCEPT"
> >can any one see a problem with the syntax

Here's a FAQ for port-forwarding with Dachstein that doesn't appear
to be on the FAQ menu:

http://sourceforge.net/docman/display_doc.php?docid=10418&group_id=13751

--
~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] portforward with ipchains
Thanks everyone for the help. Got it working; the command is

"ipmasqadm portfw -a -P tcp -L xxx.xxx.xxx.xxx 3389 -R xxx.xxx.xxx.xxx 3389"

and port 3389 is the only port needed for RDP to work.

Regards
Jaime