Hi again! Philippe Vogel <filiaap@freenet.de> wrote on 07/02/2008 06:32:50 PM:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi!
>
> peter.burkard@de.abb.com wrote:
> | Hi there.
> |
> | My environment:
> |
> | * SLES 10.1 with patches
> | * VMWare Server 1.05
> | * some virtual XP's
> | * SuseFirewall2 with iptables/nat for rdp session
> |
> | My config:
> |
> | # ifconfig
> |
> | eth0      Link encap:Ethernet  HWaddr 00:E0:81:44:89:82
> |           inet addr:10.193.28.1  Bcast:10.193.28.127  Mask:255.255.255.128
> |           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> |           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> |           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> |           collisions:0 txqueuelen:1000
> |           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> |           Interrupt:169
> |
> | eth1      Link encap:Ethernet  HWaddr 00:E0:81:44:89:83
> |           inet addr:192.168.73.1  Bcast:192.168.73.255  Mask:255.255.255.0
> |           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> |           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> |           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> |           collisions:0 txqueuelen:1000
> |           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> |           Interrupt:169
> |
> | eth2      Link encap:Ethernet  HWaddr 00:0E:0C:AA:AC:32
> |           inet addr:10.49.26.82  Bcast:10.49.27.255  Mask:255.255.252.0
> |           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
> |           RX packets:82197 errors:0 dropped:0 overruns:0 frame:0
> |           TX packets:8840 errors:0 dropped:0 overruns:0 carrier:0
> |           collisions:0 txqueuelen:1000
> |           RX bytes:6646116 (6.3 Mb)  TX bytes:10600143 (10.1 Mb)
> |
> | lo        Link encap:Local Loopback
> |           inet addr:127.0.0.1  Mask:255.0.0.0
> |           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> |           RX packets:15972 errors:0 dropped:0 overruns:0 frame:0
> |           TX packets:15972 errors:0 dropped:0 overruns:0 carrier:0
> |           collisions:0 txqueuelen:0
> |           RX bytes:8837810 (8.4 Mb)  TX bytes:8837810 (8.4 Mb)
> |
> | vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
> |           inet addr:192.168.74.1  Bcast:192.168.74.255  Mask:255.255.255.0
> |           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> |           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> |           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
> |           collisions:0 txqueuelen:1000
> |           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
> |
> | # iptables -L -t nat
> |
> | Chain PREROUTING (policy ACCEPT)
> | target     prot opt source     destination
> | DNAT       tcp  --  anywhere   baust-vmsrv01.uta.de.abb.com  tcp dpt:mrt   to:192.168.74.100:3389
> | DNAT       tcp  --  anywhere   baust-vmsrv01.uta.de.abb.com  tcp dpt:50001 to:192.168.74.101:3389
> | DNAT       tcp  --  anywhere   baust-vmsrv01.uta.de.abb.com  tcp dpt:50002 to:192.168.74.102:3389
> | DNAT       tcp  --  anywhere   baust-vmsrv01.uta.de.abb.com  tcp dpt:50003 to:192.168.74.103:3389
> | DNAT       tcp  --  anywhere   baust-vmsrv01.uta.de.abb.com  tcp dpt:50004 to:192.168.74.104:3389
> |
> | Chain POSTROUTING (policy ACCEPT)
> | target     prot opt source     destination
> | MASQUERADE all  --  anywhere   anywhere
> |
> | Chain OUTPUT (policy ACCEPT)
> | target     prot opt source     destination
> |
> | Some settings of my firewall:
> |
> | * FW_DEV_EXT="eth2"
> | * FW_DEV_INT="vmnet1"
> | * FW_ROUTE="yes"
> | * FW_MASQUERADE="yes"
> | * FW_MASQ_DEV="$FW_DEV_EXT"
> | * FW_MASQ_NETS="0/0"
> | * FW_PROTECT_FROM_INT="no"
> | * FW_SERVICES_REJECT_EXT="0/0,tcp,113"
> | * FW_SERVICES_EXT_TCP="8080 8222 8333 904 5801 5901 http https ssh"
> | * FW_FORWARD_MASQ="0/0,192.168.74.100,tcp,50000,3389,10.49.26.181
> |                    0/0,192.168.74.101,tcp,50001,3389,10.49.26.181
> |                    0/0,192.168.74.102,tcp,50002,3389,10.49.26.181
> |                    0/0,192.168.74.103,tcp,50003,3389,10.49.26.181
> |                    0/0,192.168.74.104,tcp,50004,3389,10.49.26.181"
> |
> | My problem:
> |
> | Can't connect to the vXP's via RDP over NAT because of this error message
> | from SuseFirewall:
> |
> | Jul 2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT=
> | MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100
> | DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP
> | SPT=138 DPT=138 LEN=209
>
> BTW: The "SFW2-IN-ILL-TARGET" is a broadcast to the network (.255) from
> your server on DEV_INT.
>
> | Any ideas out there to fix this?!
>
> Don't underestimate the power of google! search words "remote desktop
> iptables" gives me 3rd result:
>
> http://www.linuxforums.org/forum/linux-networking/51774-remote-desktop-ip-tables-problem.html
>
> This will hopefully be a solution for you.
>
> Following command with maybe additional grep's will help finding the
> other problems:
>
> less /var/log/SuSEfirewall2.log | grep DROP

Hi Philippe.

I'm just a little confused :-(

My NAT rules are as above and my FORWARD chain looks like:

LOG    tcp  --  anywhere        192.168.74.100  limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp  --  anywhere        192.168.74.100  tcp dpt:ms-wbt-server
ACCEPT tcp  --  192.168.74.100  anywhere        state RELATED,ESTABLISHED
LOG    tcp  --  anywhere        192.168.74.101  limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp  --  anywhere        192.168.74.101  tcp dpt:ms-wbt-server
ACCEPT tcp  --  192.168.74.101  anywhere        state RELATED,ESTABLISHED
LOG    tcp  --  anywhere        192.168.74.102  limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp  --  anywhere        192.168.74.102  tcp dpt:ms-wbt-server
ACCEPT tcp  --  192.168.74.102  anywhere        state RELATED,ESTABLISHED
LOG    tcp  --  anywhere        192.168.74.103  limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp  --  anywhere        192.168.74.103  tcp dpt:ms-wbt-server
ACCEPT tcp  --  192.168.74.103  anywhere        state RELATED,ESTABLISHED
LOG    tcp  --  anywhere        192.168.74.104  limit: avg 3/min burst 5 tcp dpt:ms-wbt-server state NEW LOG level warning tcp-options ip-options prefix `SFW2-FWDext-ACC-REVMASQ '
ACCEPT tcp  --  anywhere        192.168.74.104  tcp dpt:ms-wbt-server
ACCEPT tcp  --  192.168.74.104  anywhere        state RELATED,ESTABLISHED

But SFW2 told me the following:

Jul 3 09:29:31 baust-vmsrv01 kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT=
MAC=00:0e:0c:aa:ac:32:00:03:e3:8d:d1:20:08:00 SRC=10.49.82.141 DST=10.49.26.82
LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=27042 DF PROTO=TCP SPT=1284 DPT=50000
WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)

- IN and OUT are the same (huh..), the SRC is my desktop, DST the external IP
of my VMWare host.

I don't know why my rdp requests will be redirected from eth2 to eth2 and then
dropped?

HELP!

Thanks in advance
Peter
> If you wanna have a log or something else use COMMAND > outputfile to
> write it to a file.
>
> Best regards
>
> Philippe
> - --
> This message is digitally signed and carries neither seal nor handwritten signature!
>
> Sending unsolicited advertising e-mail to private individuals violates §1 UWG and
> 823 I BGB (ruling of the LG Berlin of 2.8.1998, ref. 16 O 201/98). Any commercial
> use of the transmitted personal data, as well as passing it on to third parties,
> is expressly prohibited!
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: GnuPT 2.7.2
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iQD1AwUBSGutskNg1DRVIGjBAQLfqQb/cRCeDX3bXUDmhC4+H93VyLS9eFScevhA
> 4sZUxWJAGRp6UDfhgOTdLb7otJy4QJZOfbvTeYow8iIbAquFHL+dIIo+dJ7e1pqk
> 5viPQHMl3R3/fDzAvbZidn3U/umS3u5e7yo2GWkPVObEVXV2nj2/eGdi+jEwbyhn
> 7vuI7R+Bsl/N09nWUcSXKb7a4OJbdR6F+BXd7UILbEjzdNs3BnqOd+u1rE3HI2Gl
> 6WsTAAJw/QMO80D1vqOEBJCqglagQBXw2wyz3xNMo+yVtr9YarjfCNpvRw0GgXPe
> 1FR14CnFtWU=
> =umVN
> -----END PGP SIGNATURE-----
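An added diagnostic script, not code from this thread or from SuSEfirewall2 itself: it parses the FW_FORWARD_MASQ entries and the two SFW2 kernel log lines quoted above and reports, for each logged packet, which entry would DNAT it or which field rules every candidate out. The field order (source net, forward-to address, protocol, port on the firewall, port on the internal host, original destination address) is the one documented in the SuSEfirewall2 configuration comments; the function names and the log-line regex are this example's own assumptions, and the sample values are copied from the thread. Run against those values it shows that the dropped SYN to 10.49.26.82 on port 50000 matches no entry, because every entry is restricted to the original destination 10.49.26.181, while the UDP 138 broadcast matches nothing at all, so neither line is a FORWARD problem.

```python
"""Reconcile SuSEfirewall2 FW_FORWARD_MASQ entries with netfilter LOG lines.

Added example (not from the mailing-list thread, not SuSEfirewall2 code).
Entry format assumed from the SuSEfirewall2 config comments:
  <source net>,<forward-to ip>,<proto>,<port>[,<redirect port>[,<dest ip>]]
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ForwardMasq:
    source_net: str          # who may connect, e.g. "0/0"
    forward_to: str          # internal host that receives the DNAT
    proto: str               # "tcp" or "udp"
    port: int                # port clients hit on the firewall
    redirect_port: int       # port on the internal host
    dest_ip: Optional[str]   # only packets sent to this firewall address match; None = any


@dataclass(frozen=True)
class Verdict:
    matched: Optional[ForwardMasq]   # entry that would DNAT the packet, if any
    reason: str                      # human-readable explanation


def parse_forward_masq(value: str) -> List[ForwardMasq]:
    """Split a FW_FORWARD_MASQ string (whitespace-separated entries) into records."""
    out = []
    for item in value.split():
        f = item.split(",")
        if not 4 <= len(f) <= 6:
            raise ValueError(f"malformed FW_FORWARD_MASQ entry: {item!r}")
        port = int(f[3])
        out.append(ForwardMasq(
            source_net=f[0], forward_to=f[1], proto=f[2].lower(), port=port,
            redirect_port=int(f[4]) if len(f) > 4 else port,
            dest_ip=f[5] if len(f) > 5 else None))
    return out


# "... kernel: PREFIX IN=... OUT=... SRC=... DST=... PROTO=... DPT=... SYN ..."
_LOG_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<prefix>\S+)\s+(?P<kv>IN=.*)$")


def parse_log_line(line: str) -> dict:
    """Turn a netfilter LOG line into {"PREFIX": ..., "IN": ..., "SRC": ..., ...}.
    Bare flags such as DF or SYN carry no '=' and are collected under "FLAGS"."""
    m = _LOG_RE.search(line)
    if not m:
        raise ValueError("not a netfilter LOG line")
    fields = {"PREFIX": m.group("prefix"), "FLAGS": []}
    for tok in m.group("kv").split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            fields["FLAGS"].append(key)
    return fields


def _in_net(ip: str, net: str) -> bool:
    """SuSEfirewall2 accepts shorthand like "0/0"; pad to four octets for ipaddress."""
    addr, _, plen = net.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)


def explain(entries: List[ForwardMasq], pkt: dict) -> Verdict:
    """Find the entry that would DNAT this packet, or say why none does."""
    proto, dport = pkt["PROTO"].lower(), int(pkt.get("DPT", 0))
    src, dst = pkt["SRC"], pkt["DST"]
    rejected = []
    for e in entries:
        if e.proto != proto or e.port != dport:
            continue                       # a different service; not a candidate
        if not _in_net(src, e.source_net):
            rejected.append(f"{src} is outside source net {e.source_net}")
        elif e.dest_ip is not None and e.dest_ip != dst:
            rejected.append(f"entry applies to dest {e.dest_ip}, packet went to {dst}")
        else:
            return Verdict(e, f"DNAT {proto}/{dport} -> {e.forward_to}:{e.redirect_port}")
    if not rejected:
        return Verdict(None, f"no FW_FORWARD_MASQ entry for {proto}/{dport}")
    return Verdict(None, "; ".join(rejected))


# Sample data quoted from the thread: Peter's setting and the two logged packets.
FW_FORWARD_MASQ = """0/0,192.168.74.100,tcp,50000,3389,10.49.26.181
0/0,192.168.74.101,tcp,50001,3389,10.49.26.181
0/0,192.168.74.102,tcp,50002,3389,10.49.26.181
0/0,192.168.74.103,tcp,50003,3389,10.49.26.181
0/0,192.168.74.104,tcp,50004,3389,10.49.26.181"""

LOG_LINES = [
    "Jul  2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100 "
    "DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP "
    "SPT=138 DPT=138 LEN=209",
    "Jul  3 09:29:31 baust-vmsrv01 kernel: SFW2-INext-DROP-DEFLT IN=eth2 OUT= "
    "MAC=00:0e:0c:aa:ac:32:00:03:e3:8d:d1:20:08:00 SRC=10.49.82.141 DST=10.49.26.82 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=27042 DF PROTO=TCP SPT=1284 DPT=50000 "
    "WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204056401010402)",
]


def audit(config: str = FW_FORWARD_MASQ, lines: List[str] = LOG_LINES) -> List[Verdict]:
    """One Verdict per log line, in order."""
    entries = parse_forward_masq(config)
    return [explain(entries, parse_log_line(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(LOG_LINES, audit()):
        pkt = parse_log_line(line)
        print(f"{pkt['PREFIX']:24} {pkt['IN']:7} {pkt['PROTO']}/{pkt.get('DPT', '-')} "
              f"{pkt['SRC']} -> {pkt['DST']}: {verdict.reason}")
```

The useful property for a firewall operator is that the check is keyed on the packet's own DST address: a DNAT entry with a sixth field only rewrites packets addressed to that exact address, and anything addressed to another local address skips the nat PREROUTING rewrite and lands in INPUT, where the external default policy logs and drops it. Feeding `grep DROP` output from /var/log/SuSEfirewall2.log through `audit()` makes that mismatch visible line by line instead of requiring the rules and the log to be compared by hand.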
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org