Mailinglist Archive: opensuse-security (50 mails)

Re: [opensuse-security] SFW2-IN-ILL-TARGET IN=vmnet1 prevents my RDP Nat from working
  • From: Philippe Vogel <filiaap@xxxxxxxxxx>
  • Date: Wed, 02 Jul 2008 18:32:50 +0200
  • Message-id: <486BADB2.1090209@xxxxxxxxxx>

Hi!

peter.burkard@xxxxxxxxxx wrote:
| Hi there.
|
| My environment:
|
| * SLES 10.1 with patches
|
| * VMWare Server 1.05
|
| * some virtual XP's
|
| * SuseFirewall2 with iptables/nat for rdp session
|
|
| My config:
|
| # ifconfig
|
| eth0 Link encap:Ethernet HWaddr 00:E0:81:44:89:82
| inet addr:10.193.28.1 Bcast:10.193.28.127 Mask:255.255.255.128
| UP BROADCAST MULTICAST MTU:1500 Metric:1
| RX packets:0 errors:0 dropped:0 overruns:0 frame:0
| TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
| Interrupt:169
|
| eth1 Link encap:Ethernet HWaddr 00:E0:81:44:89:83
| inet addr:192.168.73.1 Bcast:192.168.73.255 Mask:255.255.255.0
| UP BROADCAST MULTICAST MTU:1500 Metric:1
| RX packets:0 errors:0 dropped:0 overruns:0 frame:0
| TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
| Interrupt:169
|
| eth2 Link encap:Ethernet HWaddr 00:0E:0C:AA:AC:32
| inet addr:10.49.26.82 Bcast:10.49.27.255 Mask:255.255.252.0
| UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
| RX packets:82197 errors:0 dropped:0 overruns:0 frame:0
| TX packets:8840 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:6646116 (6.3 Mb) TX bytes:10600143 (10.1 Mb)
|
| lo Link encap:Local Loopback
| inet addr:127.0.0.1 Mask:255.0.0.0
| UP LOOPBACK RUNNING MTU:16436 Metric:1
| RX packets:15972 errors:0 dropped:0 overruns:0 frame:0
| TX packets:15972 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:0
| RX bytes:8837810 (8.4 Mb) TX bytes:8837810 (8.4 Mb)
|
| vmnet1 Link encap:Ethernet HWaddr 00:50:56:C0:00:01
| inet addr:192.168.74.1 Bcast:192.168.74.255 Mask:255.255.255.0
| UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
| RX packets:0 errors:0 dropped:0 overruns:0 frame:0
| TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
| collisions:0 txqueuelen:1000
| RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
|
| # iptables -L -t nat
|
| Chain PREROUTING (policy ACCEPT)
| target prot opt source destination
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:mrt
| to:192.168.74.100:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50001
| to:192.168.74.101:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50002
| to:192.168.74.102:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50003
| to:192.168.74.103:3389
| DNAT tcp -- anywhere baust-vmsrv01.uta.de.abb.com tcp dpt:50004
| to:192.168.74.104:3389
|
| Chain POSTROUTING (policy ACCEPT)
| target prot opt source destination
| MASQUERADE all -- anywhere anywhere
|
| Chain OUTPUT (policy ACCEPT)
| target prot opt source destination
|
| Some settings of my firewall:
|
| * FW_DEV_EXT="eth2"
| * FW_DEV_INT="vmnet1"
| * FW_ROUTE="yes"
| * FW_MASQUERADE="yes"
| * FW_MASQ_DEV="$FW_DEV_EXT"
| * FW_MASQ_NETS="0/0"
| * FW_PROTECT_FROM_INT="no"
| * FW_SERVICES_REJECT_EXT="0/0,tcp,113"
| * FW_SERVICES_EXT_TCP="8080 8222 8333 904 5801 5901 http https ssh"
| * FW_FORWARD_MASQ="0/0,192.168.74.100,tcp,50000,3389,10.49.26.181
| 0/0,192.168.74.101,tcp,50001,3389,10.49.26.181
| 0/0,192.168.74.102,tcp,50002,3389,10.49.26.181
| 0/0,192.168.74.103,tcp,50003,3389,10.49.26.181
| 0/0,192.168.74.104,tcp,50004,3389,10.49.26.181"
|
| My problem:
|
| Can't connect to the vXP's via RDP over NAT because of this error message
| from SuseFirewall:
|
| Jul 2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT=
| MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100
| DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP
| SPT=138 DPT=138 LEN=209
BTW: The "SFW2-IN-ILL-TARGET" is a broadcast to the network (.255) from your server on DEV_INT.
|
| Any ideas out there to fix this?!
Don't underestimate the power of Google! The search words "remote desktop iptables" give me as the 3rd result:

http://www.linuxforums.org/forum/linux-networking/51774-remote-desktop-ip-tables-problem.html

This will hopefully be a solution for you.

The following command, maybe with additional greps, will help find the other problems:

less /var/log/SuSEfirewall2.log | grep DROP

If you want to have a log or something else, use COMMAND > outputfile to write it to a file.

Best regards

Philippe

--
This message is digitally signed and contains neither seal nor
signature!

The unsolicited sending of advertising e-mail to private individuals
violates §1 UWG and §823 I BGB (decision of the LG Berlin of 2.8.1998,
Az: 16 O 201/98). Any commercial use of the transmitted personal data,
as well as passing it on to third parties, is expressly prohibited!
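To make the point of the reply above concrete (the logged SFW2-IN-ILL-TARGET packet is a NetBIOS broadcast to 192.168.74.255 on the internal VMware interface, not the RDP traffic the DNAT rules forward), here is an added triage helper, not code from either poster. It parses the SuSEfirewall2 kernel log format shown in the thread and classifies each line against the interface addresses from the posted ifconfig; the second sample log line and its prefix are constructed for contrast and do not come from the page.

```python
import ipaddress
import re

# Constructed sample: line 1 is the SFW2-IN-ILL-TARGET entry from the post;
# line 2 is a hypothetical forwarded-RDP drop (prefix and values made up here).
SAMPLE_LOG = """\
Jul 2 11:08:24 baust-vmsrv01 kernel: SFW2-IN-ILL-TARGET IN=vmnet1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:1f:32:b3:08:00 SRC=192.168.74.100 DST=192.168.74.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=130 PROTO=UDP SPT=138 DPT=138 LEN=209
Jul 2 11:09:01 baust-vmsrv01 kernel: SFW2-FWDext-DROP-DEFLT IN=eth2 OUT=vmnet1 SRC=10.49.26.181 DST=192.168.74.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40000 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Interface addresses taken from the ifconfig output in the original post.
IFACES = {
    "eth2": ipaddress.ip_interface("10.49.26.82/22"),
    "vmnet1": ipaddress.ip_interface("192.168.74.1/24"),
}

SFW2_RE = re.compile(r"kernel: (?P<prefix>SFW2-[A-Za-z0-9-]+) (?P<rest>.*)$")


def parse_sfw2(line):
    """Split one SuSEfirewall2 kernel log line into its KEY=VALUE fields."""
    m = SFW2_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields.setdefault(key, val)  # keep the IP-level LEN=, not the UDP LEN=
        else:
            fields["flags"].append(tok)  # bare tokens such as DF or SYN
    return fields


def classify(fields, ifaces=IFACES):
    """Label a parsed entry: local broadcast noise, RDP forward, or other."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    iface = ifaces.get(fields.get("IN", ""))
    if iface and dst == iface.network.broadcast_address and src in iface.network:
        # e.g. NetBIOS datagram 138/udp from a VM to the vmnet1 broadcast address
        return "local-broadcast"
    if fields.get("PROTO") == "TCP" and fields.get("DPT") == "3389":
        return "rdp-forward"
    return "other"


def triage(log_text):
    """Return (prefix, classification) for every SFW2 line in the text."""
    parsed = (parse_sfw2(l) for l in log_text.splitlines())
    return [(f["prefix"], classify(f)) for f in parsed if f]
```

Running `triage(SAMPLE_LOG)` shows the ILL-TARGET line as local broadcast noise and only the constructed second line as RDP related, which is why grepping the firewall log for DROP is the right next step.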

