Newbie help!! NFS/CUPS/Iptables
Lady-M
2003-09-26, 10:11 AM CDT
I'm a Linux newbie (several weeks experience, just ditched Windows). Every
day is a new day, new challenges and puzzles to solve and so far it's going
good, I might say. But now I'm stuck and have no idea how to proceed. And I
hope someone of you can and will help me out.
This is the situation: I have installed one computer as server and two as
workstations (might become more in the future). On all computers Redhat 9 is
installed (of course two times workstation and one time server).
I even managed to get NFS working... but only when I de-activated Iptables.
But I would like to have a firewall up and running with full powers.
Apart from NFS, I discovered that I need to install my printer to the
server (CUPS protocol) and guess what, it's being blocked by... Iptables...
I have been searching for solutions with Google (what would I do without
it?) but can't seem to find something that's helpful to me. Perhaps because
(almost) everything is in English and I'm Dutch...
So, heeeeeeeeeeeeeeeeeeeeeelp.....
What I did find was how to block NFS and CUPS:
----------------------------------------------------
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
----------------------------------------------------
But I don't have any clues to
a) what it means (no help from any source) and
b) how to convert it to "accept"...
To be honest, it's driving me crazy.
Any help or advice would be very appreciated!!
Thanks for your help,
Lady-M
P.S. in order to get as much help as possible, this was posted in 3
newsgroups. If that's not allowed, I do apologise!
Tim
2003-09-26, 11:52 AM CDT
On Fri, 26 Sep 2003 18:11:37 +0200,
"Lady-M" <sorry-no-email@newsgroups.com> wrote:
> I even managed to get NFS working... but only when I de-activated Iptables.
> But I would like to have a firewall up and running with full powers.
>
> Apart from NFS, I discovered that I need to install my printer to the
> server (CUPS protocol) and guess what, it's being blocked by... Iptables...
>
> I have been searching for solutions with Google (what would I do without
> it?) but can't seem to find something that's helpful to me. Perhaps because
> (almost) everything is in English and I'm Dutch...
>
> So, heeeeeeeeeeeeeeeeeeeeeelp.....
>
> What I did find was how to block NFS and CUPS:
> ----------------------------------------------------
> iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
> iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP - Block NFS
> iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
> iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP - Block Sun rpc/NFS
> iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
> iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP - Block printer port
>
> ----------------------------------------------------
>
> But I don't have any clues to
> a) what it means (no help from any source)
Try searching through "The Linux Documentation Project."
> b) how to convert it to "accept"...
Change "DROP" to "ACCEPT." But you'll want to tailor your filters to
block internet access, while allowing LAN access. It's probably more
understandable with unabbreviated rules.
e.g. Assuming that eth0 was the internet and eth1 was the LAN
(substitute the correct interfaces, and create the other rules, to suit
your own system).
# iptables --append INPUT --protocol tcp --in-interface eth0 --destination-port 515 --jump DROP
# iptables --append INPUT --protocol tcp --in-interface eth1 --destination-port 515 --jump ACCEPT
(Those are two long command lines, written after a hash mark. Don't
type the hash, and make sure that what's one line here, is entered as
one line on your system - when you do the same sort of thing.)
Your original example has -s 0/0 and -d 0/0 meaning "any" source or
destination address. They're redundant. If you want to tighten those
rules, to prevent address spoofing (e.g. denying outside connection
attempts using internal addresses, and vice versa), you could do that
there, or have a more global rule for everything. It's kind of
redundant, if you're already disallowing *all* outside connection to
that service, but you may have more relaxed rules elsewhere.
e.g. If your internal network was 192.168.0.xxx then rules like the
following would guard against address spoofing:
# iptables --append INPUT --jump DROP --in-interface eth0 --source 192.168.0.0/16
# iptables --append INPUT --jump DROP --in-interface eth1 \! --source 192.168.0.0/16
(The first rule drops external connections with faked internal source
addresses, the second one drops internal connections that don't have
internal source addresses. Same as before, regarding two long command
lines, and the hash marks.)
> in order to get as much help as possible, this was posted in 3
> newsgroups. If that's not allowed, I do apologise!
Cross posting will get you ignored by the older and wiser users
(especially if you post to a lot of groups and don't set a followup-to
header to point all replies to the one group), who're more likely to
have the answers that you want, and annoy people who don't have access
to the other groups, who have to adjust their replies to remove the
other groups before they can post.
I've killed the cross posts (in my reply), because I can't post to
groups not available to me.
--
My "from" address is totally fake. (Hint: If I wanted e-mails from
complete strangers, I'd have put a real one, there.) Reply to usenet
postings in the same place as you read the message you're replying to.
Allen McIntosh
2003-09-26, 09:24 PM CDT
In article <bl1oce$cmd$1@reader1.tiscali.nl>,
Lady-M <sorry-no-email@newsgroups.com> wrote:
>This is the situation: I have installed one computer as server and two as
>workstations (might become more in the future). On all computers Redhat 9 is
>installed (of course two times workstation and one time server).
Are all three exposed to the outside world, or are they already behind
some sort of firewall? (Not that being behind a firewall at a university
is any guarantee of security...) It would help to know a little more
about your general setup - how things are connected to the outside
world, what sort of firewalling is turned on, etc.
>I even managed to get NFS working... but only when I de-activated Iptables.
>But I would like to have a firewall up and running with full powers.
If you need a firewall, you will have to poke a hole in it for NFS.
You can and should do this selectively of course.
>I have been searching for solutions with Google (what would I do without
>it?) but can't seem to find something that's helpful to me.
There have been discussions of similar problems in these newsgroups
recently, but it seems that Google doesn't archive them anymore.
>a) what it means (no help from any source)
It's actually all there in "man iptables", though it may seem like
trying to understand how a submarine works by reading the blueprints...
There is actually some Dutch documentation on www.netfilter.org.
Also assorted tutorials.
Lady-M
2003-09-27, 01:03 AM CDT
Thanks Allen for the info.
Here's more information about the system:
The LAN is made up of three computers: one server (10.0.0.202/255.255.255.0)
and two workstations (10.0.0.203/255.255.255.0 and
10.0.0.204/255.255.255.0). Internet is set up through the LAN: one ADSL modem
is connected to the hub (to which the rest is connected). The gateway ip is
10.0.0.138/255.255.255.0.
The only internal "traffic" would be NFS and CUPS. No internal email has
been setup.
Hope this helps!
Regards,
Lady-M
"Allen McIntosh" <mcintosh@nospam.com> wrote in message
news:bl2vt3$gfs$1@mc-pc.research.telcordia.com...
> In article <bl1oce$cmd$1@reader1.tiscali.nl>,
> Lady-M <sorry-no-email@newsgroups.com> wrote:
> >This is the situation: I have installed one computer as server and two as
> >workstations (might become more in the future). On all computers Redhat 9 is
> >installed (of course two times workstation and one time server).
>
> Are all three exposed to the outside world, or are they already behind
> some sort of firewall? (Not that being behind a firewall at a university
> is any guarantee of security...) It would help to know a little more
> about your general setup - how things are connected to the outside
> world, what sort of firewalling is turned on, etc.
>
> >I even managed to get NFS working... but only when I de-activated Iptables.
> >But I would like to have a firewall up and running with full powers.
>
> If you need a firewall, you will have to poke a hole in it for NFS.
> You can and should do this selectively of course.
>
> >I have been searching for solutions with Google (what would I do without
> >it?) but can't seem to find something that's helpful to me.
>
> There have been discussions of similar problems in these newsgroups
> recently, but it seems that Google doesn't archive them anymore.
>
> >a) what it means (no help from any source)
>
> It's actually all there in "man iptables", though it may seem like
> trying to understand how a submarine works by reading the blueprints...
>
> There is actually some Dutch documentation on www.netfilter.org.
> Also assorted tutorials.
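Putting Tim's advice (ACCEPT for the LAN, DROP for everything else, in that order) and Allen's "poke a hole selectively" together with the addresses Lady-M gave: the following is an added example written for this thread, not code posted by any of the participants. It assumes the server has a single interface (eth0) on the same hub as the ADSL modem, so there is no separate "internet" interface to match on and the rules filter on the source network 10.0.0.0/24 instead. Ports 111 (portmapper) and 2049 (nfsd) come from the original rules, as does 515 (LPD); 631/tcp is added because that is the port CUPS itself listens on (IPP). By default the script only prints the commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread. Generates (by default only prints) the
# iptables rules that let the LAN reach NFS and printing on the server while
# dropping the same ports from any other source address.
#
# From the thread: LAN 10.0.0.0/24. Assumptions: one interface (eth0) shared
# with the modem, so we match on source address rather than on interface;
# 631/tcp is CUPS's own IPP port, 515 is the older LPD port from the original rules.

LAN_NET="${LAN_NET:-10.0.0.0/24}"
IFACE="${IFACE:-eth0}"
# Dry run by default: prints each command. Run with IPT=iptables as root to apply.
# $IPT is deliberately left unquoted below so "echo iptables" splits into two words.
IPT="${IPT:-echo iptables}"

# lan_service_rules PROTO PORT
# Emits an ACCEPT for the LAN followed by a DROP for everyone else. Order
# matters: iptables stops at the first matching rule, so ACCEPT must come first.
lan_service_rules() {
    proto=$1
    port=$2
    $IPT -A INPUT -i "$IFACE" -p "$proto" -s "$LAN_NET" --dport "$port" -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p "$proto" --dport "$port" -j DROP
}

# build_rules: portmapper (111) and nfsd (2049) on both tcp and udp,
# LPD (515) and IPP/CUPS (631) on tcp.
build_rules() {
    for proto in tcp udp; do
        lan_service_rules "$proto" 111
        lan_service_rules "$proto" 2049
    done
    lan_service_rules tcp 515
    lan_service_rules tcp 631
}

# check_pairing: prints the number of DROP rules that are NOT immediately
# preceded by the matching LAN ACCEPT rule (0 means every blocked port has
# its LAN exception in front of it). A cheap guard against mis-ordered rules.
check_pairing() {
    build_rules | awk '
        /-j ACCEPT/ { want = $0; sub(/ -s [^ ]+/, "", want); sub(/ACCEPT/, "DROP", want); next }
        /-j DROP/   { if ($0 != want) bad++ }
        END { print bad + 0 }'
}

build_rules
```

One caveat a practitioner will hit straight away: with NFS v2/v3 the mountd, lockd and statd daemons register dynamically assigned ports with the portmapper, so opening 111 and 2049 alone is usually not enough for mounts and locking to work through the firewall. Pin those daemons to fixed ports (rpc.mountd, for example, accepts -p) and add those ports with the same ACCEPT-then-DROP pair. And as Allen points out, the server should not be reachable on these ports from outside at all; the DROP line is what enforces that for any source that is not on the LAN.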