LinuxMCE Forums
General => Users => Topic started by: stiev3 on January 21, 2008, 01:53:09 am
-
I'm on beta2 right now (going to 3 in short order). But I was curious as to what this option does. The wiki says: "You can limit rules to specific IP addresses."
My goal is to forward one port as securely as possible - I'd like to limit access to one specific IP address if possible. I figured that the "Limit to IP" was the way to do that, so I specified it as the target IP. With it set I was still able to see the port as open from IPs that weren't specified (www.grc.com).
Am I misunderstanding that option's purpose or do I have something misconfigured?
-
I have also been experiencing firewall issues. I asked the forum at this post: http://forum.linuxmce.org/index.php?topic=3890.0 but I have not gotten a response. I had not tried Beta2, so I do not know if my problem exists in Beta2, but I am not able to get any firewall changes loaded via Admin in Beta3.
Try iptables -L and see what rules are loaded.
Thanks,
Rob
-
So I'm on beta3 32bit now, and it still seems to not "limit to IP" on the IP I specify. I think I'm going to opt to stop forwarding ports for now. For the record, it should be possible to block all traffic on an open port except for an IP I specify, correct? I'd rather not leave threat filtering up to my novice ability at administering a private svn server with apache if I have a choice to do it through the firewall menu.
iptables -L output (with ports forwarded):
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT 0 -- 192.168.80.0/24 anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
-
That is exactly what my iptables -L looks like, and I have three additional rules. This worked in 704 but does not appear to be working in 710Beta3.
If someone else can confirm this I will file a Mantis report.
Thanks,
Rob
-
To clarify my few posts, just in case they needed it.
My problem:
Opening ports with an ip specified in Limit to IP failed on beta2 and beta3. The port would be opened, but it would not be limited to the ip.
My temporary solution:
Keep the port open through the web admin, and limit IP in the ip tables of the pc that receives the forwarding.
-
First of all, please use this:
iptables -xvnL
I find it to be easier to read and with more useful information.
Second, also check the "nat" table, by adding the "-t nat" parameter to the previous command, like this:
iptables -t nat -xvnL
Third, I've looked over the code and this couldn't have worked :) If I'm looking in the right place, this bug is _ancient_. The line I'm referring to is in /usr/pluto/bin/Network_Firewall.sh, the script responsible for applying the firewall rules, at line 136. Now, that line was last modified at revision 545. What I noticed there was this:
ForwardPort "$Protocol" "$ExtIP" "$SrcPort" "$DestIP" "$DestPort"
and I changed it to this:
ForwardPort "$Protocol" "$ExtIP" "$SrcPort" "$DestIP" "$DestPort" "$SrcIP"
Now, my iptables -t nat -xvnL shows that a filter for the source IP is applied, as it should. I also checked the other calls to ForwardPort and OpenPort to make sure this parameter is correct, and this is the only place without it.
Please try out my change and let me know if it fixes your issues. It has already been committed to SVN.
-
Changed the script as instructed; it seems to have solved my issue. Using "iptables -t nat -xvnL" without the change, I was reading the source as 0.0.0.0/0 when I applied the firewall rule in web admin. After the change, the source correctly shows the IP I specified under "Limit to IP" when I reapplied the rule.
Thanks for the help!
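An added example to go with the two posts above (it is not part of this thread and is not LinuxMCE's Network_Firewall.sh): a small POSIX shell script with two assumed helper names. gen_forward_rules builds the nat PREROUTING DNAT rule and the matching FORWARD rule for a port forward, adding a "-s <ip>" source match only when a "Limit to IP" value is passed, which is exactly the parameter the fixed ForwardPort call now receives; it prints the commands instead of running them, so it needs no root. audit_nat_output reads "iptables -t nat -xvnL" text on stdin and flags every DNAT rule whose source column is 0.0.0.0/0, i.e. a forward open to the whole Internet, which is the symptom the second poster saw before the fix. The sample output and all addresses are constructed for the example (198.51.100.10 as the external address, 203.0.113.5 as the allowed source, 192.168.80.50 inside the thread's LAN range).

```shell
#!/bin/sh
# Added example, not LinuxMCE code. Helper names gen_forward_rules and
# audit_nat_output are assumptions made for this illustration.

# Print (do not apply) the iptables commands for one port forward.
# Args: proto ext_ip src_port dest_ip dest_port [limit_to_ip]
# When the sixth argument is empty, no "-s" match is emitted and the
# forward accepts any source, which is the pre-fix behaviour.
gen_forward_rules() {
    proto=$1; ext_ip=$2; src_port=$3; dest_ip=$4; dest_port=$5; src_ip=$6
    src_match=""
    if [ -n "$src_ip" ]; then
        src_match="-s $src_ip "
    fi
    # nat table: rewrite the destination for matching packets only
    printf 'iptables -t nat -A PREROUTING -p %s %s-d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$proto" "$src_match" "$ext_ip" "$src_port" "$dest_ip" "$dest_port"
    # filter table: let the translated packets through FORWARD, same source limit
    printf 'iptables -A FORWARD -p %s %s-d %s --dport %s -j ACCEPT\n' \
        "$proto" "$src_match" "$dest_ip" "$dest_port"
}

# Read "iptables -t nat -xvnL" output on stdin and print one line per DNAT
# rule that matches any source (column 8 is "source" in -v output).
audit_nat_output() {
    awk '$3 == "DNAT" && $8 == "0.0.0.0/0" {
        printf "unrestricted forward: %s %s %s\n", $4, $11, $12
    }'
}

# Constructed sample in the -xvnL layout: one forward limited to a source
# IP, one left open to the world.
sample_nat_output() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  *      *       203.0.113.5          198.51.100.10        tcp dpt:22 to:192.168.80.50:22
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            198.51.100.10        tcp dpt:3690 to:192.168.80.50:3690

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 MASQUERADE  0    --  *      eth0    192.168.80.0/24      0.0.0.0/0
EOF
}

# Stand-alone run: show the generated rules, then audit the sample.
gen_forward_rules tcp 198.51.100.10 3690 192.168.80.50 3690 203.0.113.5
sample_nat_output | audit_nat_output
```

To check a live router, replace sample_nat_output with "iptables -t nat -xvnL" on the pipe; any line the audit prints is a forward that "Limit to IP" did not restrict.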
-
A couple of things...
1) Is this going to be/has it been fixed yet?
2) There is still no answer to what "Limit to IP" does - I want to know this too, as I will have to be opening ports for Xbox Live use.
So, what is the difference between the destination IP address, and the "Limit to:" IP address in the firewall settings?
Also, can you specify a range of IP addresses to forward ports on? (I.e. open UDP port 88 on all IP addresses, or from 192.168.80.140-192.168.80.145?)