-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

peter.burkard@de.abb.com wrote:
| Hi there.
|
| My environment:
|
| * SLES 10.1 with patches
| * VMWare Server 1.05
| * some virtual XP's
| * SuseFirewall2 with iptables/nat for rdp session
|
| My config:
|
| # ifconfig
|
| eth0      Link encap:Ethernet  HWaddr 00:E0:81:44:89:82
|           inet addr:10.193.28.1  Bcast:10.193.28.127  Mask:255.255.255.128
|           UP BROADCAST MULTICAST  MTU:1500  Metric:1
|           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:0 txqueuelen:1000
|           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
|           Interrupt:169
|
| eth1      Link encap:Ethernet  HWaddr 00:E0:81:44:89:83
|           inet addr:192.168.73.1  Bcast:192.168.73.255  Mask:255.255.255.0
|           UP BROADCAST MULTICAST  MTU:1500  Metric:1
|           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:0 txqueuelen:1000
|           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
|           Interrupt:169
|
| eth2      Link encap:Ethernet  HWaddr 00:0E:0C:AA:AC:32
|           inet addr:10.49.26.82  Bcast:10.49.27.255  Mask:255.255.252.0
|           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
|           RX packets:82197 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:8840 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:0 txqueuelen:1000
|           RX bytes:6646116 (6.3 Mb)  TX bytes:10600143 (10.1 Mb)
|
| lo        Link encap:Local Loopback
|           inet addr:127.0.0.1  Mask:255.0.0.0
|           UP LOOPBACK RUNNING  MTU:16436  Metric:1
|           RX packets:15972 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:15972 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:0 txqueuelen:0
|           RX bytes:8837810 (8.4 Mb)  TX bytes:8837810 (8.4 Mb)
|
| vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
|           inet addr:192.168.74.1  Bcast:192.168.74.255  Mask:255.255.255.0
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:0 txqueuelen:1000
|           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
|
| # iptables -L -t nat
|
| Chain PREROUTING (policy ACCEPT)
| target     prot opt source               destination
| DNAT       tcp  --  anywhere             baust-vmsrv01.uta.de.abb.com  tcp dpt:mrt to:192.168.74.100:3389
| DNAT       tcp  --  anywhere             baust-vmsrv01.uta.de.abb.com  tcp dpt:50001 to:192.168.74.101:3389
| DNAT       tcp  --  anywhere             baust-vmsrv01.uta.de.abb.com  tcp dpt:50002 to:192.168.74.102:3389
| DNAT       tcp  --  anywhere             baust-vmsrv01.uta.de.abb.com  tcp dpt:50003 to:192.168.74.103:3389
| DNAT       tcp  --  anywhere             baust-vmsrv01.uta.de.abb.com  tcp dpt:50004 to:192.168.74.104:3389
|
| Chain POSTROUTING (policy ACCEPT)
| target     prot opt source               destination
| MASQUERADE  all  --  anywhere             anywhere
|
| Chain OUTPUT (policy ACCEPT)
| target     prot opt source               destination
|
| Some settings of my firewall:
|
| * FW_DEV_EXT="eth2"
| * FW_DEV_INT="vmnet1"
| * FW_ROUTE="yes"
| * FW_MASQUERADE="yes"
| * FW_MASQ_DEV="$FW_DEV_EXT"
| * FW_MASQ_NETS="0/0"
| * FW_PROTECT_FROM_INT="no"
| * FW_SERVICES_REJECT_EXT="0/0,tcp,113"
| * FW_SERVICES_EXT_TCP="8080 8222 8333 904 5801 5901 http https ssh"
| * FW_FORWARD_MASQ="0/0,192.168.74.100,tcp,50000,3389,10.49.26.181
|                    0/0,192.168.74.101,tcp,50001,3389,10.49.26.181
|                    0/0,192.168.74.102,tcp,50002,3389,10.49.26.181
|                    0/0,192.168.74.103,tcp,50003,3389,10.49.26.181
|                    0/0,192.168.74.104,tcp,50004,3389,10.49.26.181"
|
| My problem:
|
| Can't connect to the vXP's via RDP over NAT because of this error message
| from SuseFirewall:
|
| Jul  2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT=
| MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100
| DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP
| SPT=138 DPT=138 LEN=209

BTW: The "SFW2-IN-ILL-TARGET" is a broadcast to the network (.255) from
your server on DEV_INT.

| Any ideas out there to fix this?!

Don't underestimate the power of google! The search words "remote desktop
iptables" give me as the 3rd result:

http://www.linuxforums.org/forum/linux-networking/51774-remote-desktop-ip-ta...

This will hopefully be a solution for you.

The following command, with maybe additional greps, will help in finding
the other problems:

less /var/log/SuSEfirewall2.log | grep DROP

If you want to have a log or something else, use COMMAND > outputfile to
write it to a file.

Best regards
Philippe

- --
This message is digitally signed and contains neither seal nor signature!
The unsolicited sending of advertising e-mail to private individuals
violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2 Aug 1998,
Az: 16 O 201/98). Any commercial use of the transmitted personal data, as
well as passing it on to third parties, is expressly prohibited!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: GnuPT 2.7.2
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBSGutskNg1DRVIGjBAQLfqQb/cRCeDX3bXUDmhC4+H93VyLS9eFScevhA
4sZUxWJAGRp6UDfhgOTdLb7otJy4QJZOfbvTeYow8iIbAquFHL+dIIo+dJ7e1pqk
5viPQHMl3R3/fDzAvbZidn3U/umS3u5e7yo2GWkPVObEVXV2nj2/eGdi+jEwbyhn
7vuI7R+Bsl/N09nWUcSXKb7a4OJbdR6F+BXd7UILbEjzdNs3BnqOd+u1rE3HI2Gl
6WsTAAJw/QMO80D1vqOEBJCqglagQBXw2wyz3xNMo+yVtr9YarjfCNpvRw0GgXPe
1FR14CnFtWU=
=umVN
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
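Grepping /var/log/SuSEfirewall2.log for DROP, as suggested above, is a good start, but the SFW2 kernel lines carry enough structure (IN=, OUT=, SRC=, DST=, PROTO=, DPT=) to sort them automatically. The script below is an added example and is not code from the thread: it parses that key=value format, separates broadcasts to the internal network's .255 address (the quoted UDP/138 line) from input and forward drops, and flags TCP drops that touch the RDP forwards. It assumes the vmnet1 network 192.168.74.0/24 and the public ports 50000-50004 taken from the posted config; the sample log is constructed, and the SFW2-FWDext-DROP-DEFLT and SFW2-INext-DROP-DEFLT prefixes used in the made-up lines are assumed SuSEfirewall2 names.

```python
"""Triage SuSEfirewall2 (SFW2-*) kernel log lines.

Added example for the thread above; not code from the original post.
"""
import ipaddress
import re
from collections import Counter

# Assumptions taken from the posted configuration: the network behind
# FW_DEV_INT (vmnet1) and the public ports listed in FW_FORWARD_MASQ.
INTERNAL_NETS = [ipaddress.ip_network("192.168.74.0/24")]
RDP_PUBLIC_PORTS = {"50000", "50001", "50002", "50003", "50004"}

# Constructed sample log.  The first line is the one quoted in the thread;
# the others are made up to exercise the parser (their prefixes are assumed
# names for a forward drop and an input drop on the external device).
SAMPLE_LOG = "\n".join([
    "Jul  2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100 "
    "DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP "
    "SPT=138 DPT=138 LEN=209",
    "Jul  2 11:09:01 baust-vmsrv01 kernel: SFW2-FWDext-DROP-DEFLT IN=eth2 "
    "OUT=vmnet1 SRC=10.49.26.181 DST=192.168.74.100 LEN=48 TOS=0x00 PREC=0x00 "
    "TTL=127 ID=4711 DF PROTO=TCP SPT=1234 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul  2 11:09:03 baust-vmsrv01 kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT= "
    "SRC=10.49.26.181 DST=10.49.26.82 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4712 "
    "DF PROTO=TCP SPT=1235 DPT=50001 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul  2 11:10:00 baust-vmsrv01 sshd[1234]: Accepted publickey for root "
    "from 10.49.26.181",
])

LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # bare flags like DF or SYN are skipped


def parse_sfw2_line(line):
    """Return {'prefix': ..., 'IN': ..., 'OUT': ..., ...} or None for non-SFW2 lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        # LEN= appears twice (IP header, then UDP header); keep the first one.
        rec.setdefault(key, val)
    return rec


def classify(rec, internal_nets=INTERNAL_NETS):
    """Broadcast noise on the internal net, a forwarded packet, or local input."""
    if "DST" not in rec:
        return "unknown"
    dst = ipaddress.ip_address(rec["DST"])
    if any(dst == net.broadcast_address for net in internal_nets):
        return "internal-broadcast"      # e.g. NetBIOS UDP/138 to .255
    return "forward-drop" if rec.get("OUT") else "input-drop"


def summarize(log_text, internal_nets=INTERNAL_NETS):
    """Count logged packets per (class, log prefix, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if rec is not None:
            key = (classify(rec, internal_nets), rec["prefix"],
                   rec.get("PROTO"), rec.get("DPT"))
            counts[key] += 1
    return counts


def rdp_drop_hints(log_text, public_ports=RDP_PUBLIC_PORTS):
    """Pair each dropped TCP packet that touches the RDP forwards with a hint.

    OUT=<internal dev> and DPT=3389 means PREROUTING DNAT already rewrote the
    packet and the FORWARD chain dropped it; OUT= empty with DPT still on a
    public port means the packet was delivered to the firewall itself, i.e.
    no DNAT rule matched it.
    """
    hints = []
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if rec.get("OUT") and rec.get("DPT") == "3389":
            hints.append(("dnat-ok-forward-dropped", rec))
        elif not rec.get("OUT") and rec.get("DPT") in public_ports:
            hints.append(("no-dnat-match", rec))
    return hints


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    for hint, rec in rdp_drop_hints(SAMPLE_LOG):
        print(hint, rec["SRC"], "->", rec["DST"], "dpt", rec["DPT"])
```

To use it on a real box, replace SAMPLE_LOG with the contents of /var/log/SuSEfirewall2.log; the summary tells you at a glance whether the bulk of the log is harmless internal broadcasts or actual drops on the path from FW_DEV_EXT to the VMs.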