Anyone - M$ Term Server behind iptables?

ERACC
11-04-2003, 05:11 PM
Greetings Gurus,

I am trying to help a friend of mine get his company's M$ Term Server
safely behind an iptables firewall. It needs to be able to be
accessed by the company Road Warriors but it was cracked recently and
now The Pointy Haired Bosses want it behind a firewall. He asked for
my help because he knows "you do Linux stuff". Which is true, but I
am an iptables novice. Especially when attempting to set up port
forwarding to a service behind the firewall. Why am I asking here
rather than he? Because his company Internet policy does not allow
posting to or reading USENET on the job. :-)

The NAT *is* working on the firewall because his LAN can get through
it to browse the WWW. Once we made sure NAT was working he also set
up Squid, with a little help from me, and that is working as well.

Now we are both trying to figure out how to get access to the M$ Term
Server set up and apparently can't figure it out. Here are the rules
in the firewall script as of now:

# Window$ Terminal $erver port forwarding
echo " - FWD: Forwarding Microsoft Term Server requests"
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to 192.168.0.10:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j ACCEPT

However, when his boss tried to access it from her home and her
remote office (at another of their locations) using the IP address of
the firewall it timed out. There are no messages in /var/log/messages
that have her home IP (a fixed IP address) or her remote office IP in
them which suggests to me that at least the packets are not being
DROPped and LOGged. So, we are missing something.

Is anyone in either of the groups to which this is posted
successfully accessing a M$ Term Server through an iptables firewall?
If so, PLEASE share the rules needed to do this.

TIA!
Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era4.eracc.UUCP 2.4.21-0.25mdk i686
11:46:43 up 3 days, 17 min, 8 users, load average: 0.00, 0.05, 0.02
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers

ERACC
11-04-2003, 05:31 PM
On Tue, 04 Nov 2003 12:11:19 -0600, ERACC wrote:

> Greetings Gurus,
>
> I am trying to help a friend of mine get his company's M$ Term Server
> safely behind an iptables firewall. [...]


> Now we are both trying to figure out how to get access to the M$ Term
> Server set up and apparently can't figure it out. Here are the rules in
> the firewall script as of now:
>
> # Window$ Terminal $erver port forwarding echo " - FWD: Forwarding
> Microsoft Term Server requests" $IPTABLES -t nat -A PREROUTING -i $EXTIF
> -p tcp --dport 3389 -j DNAT --to 192.168.0.10:3389 $IPTABLES -A FORWARD -p
> tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j ACCEPT


ICK! That looks terrible. Pan is apparently rewrapping my outgoing
text w/o my ok. :-(

This should look better:

# Window$ Terminal $erver port forwarding

echo " - FWD: Forwarding Microsoft Term Server requests"

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to 192.168.0.10:3389

$IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j ACCEPT

[...]

Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era4.eracc.UUCP 2.4.21-0.25mdk i686
12:28:18 up 3 days, 58 min, 8 users, load average: 0.04, 0.06, 0.04
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers

P.T. Breuer
11-04-2003, 06:03 PM
In comp.os.linux.networking ERACC wrote:
> am an iptables novice. Especially when attempting to set up port
> forwarding to a service behind the firewall. Why am I asking here

I find it easiest to do that with a specialist or generic proxy like
rinetd. Depends.

> rather than he? Because his company Internet policy does not allow
> posting to or reading USENET on the job. :-)

> Now we are both trying to figure out how to get access to the M$ Term
> Server set up and apparently can't figure it out. Here are the rules

yecch.

> in the firewall script as of now:
>
> # Window$ Terminal $erver port forwarding
> echo " - FWD: Forwarding Microsoft Term Server requests"
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to 192.168.0.10:3389
> $IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j ACCEPT
>
> However, when his boss tried to access it from her home and her
> remote office (at another of their locations) using the IP address of
> the firewall it timed out. There are no messages in /var/log/messages
> that have her home IP (a fixed IP address) or her remote office IP in
> them which suggests to me that at least the packets are not being
> DROPped and LOGged. So, we are missing something.

Probably the control connection is followed by a data connection and
ack on a port chosen in the initial handshake. Only looking will tell
you. Ask someone who knows. I don't even know what a windows Term
Server *is*!

Peter
tutaepaki
11-04-2003, 07:58 PM
ERACC wrote:

> On Tue, 04 Nov 2003 12:11:19 -0600, ERACC wrote:
>
>> Greetings Gurus,
>>
>> I am trying to help a friend of mine get his company's M$ Term Server
>> safely behind an iptables firewall. [...]

>
>> Now we are both trying to figure out how to get access to the M$ Term
>> Server set up and apparently can't figure it out. Here are the rules
>> in the firewall script as of now:
>>
>> # Window$ Terminal $erver port forwarding echo " - FWD:
>> Forwarding Microsoft Term Server requests" $IPTABLES -t nat -A
>> PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to
>> 192.168.0.10:3389 $IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 3389
>> -d 192.168.0.10 -j ACCEPT

>
> ICK! That looks terrible. Pan is apparently rewrapping my outgoing
> text w/o my ok. :-(
>
> This should look better:
>
> # Window$ Terminal $erver port forwarding
>
> echo " - FWD: Forwarding Microsoft Term Server requests"
>
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT
> --to 192.168.0.10:3389
>
> $IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j
> ACCEPT
>
> [...]
>
> Gene (e-mail: gene \a\t eracc \d\o\t com)


I don't see a rule which permits the responses from your TS in the
FORWARD chain. eg

$IPTABLES -A FORWARD -p tcp -i $INTIF --sport 3389 -s 192.168.0.10 -m state --state ESTABLISHED -j ACCEPT

ERACC
11-04-2003, 08:24 PM
On Tue, 04 Nov 2003 20:03:47 +0100, P.T. Breuer wrote:

> In comp.os.linux.networking ERACC wrote:
>
>> am an iptables novice. Especially when attempting to set up port
>> forwarding to a service behind the firewall. Why am I asking here
>
> I find it easiest to do that with a specialist or generic proxy like
> rinetd. Depends.

Hmmm, I'm lookin' at the rinetd home page right now. That may be
worth a shot. However, some dude posted in early 2001 that he was
using ipchains to access M$ Term Server behind his firewall. If it
can be done with ipchains I believe it could translate to iptables.
Unfortunately he posted no rules on how this was accomplished. :-/

Here's the relevant URL (points to Google):

http://makeashorterlink.com/?I51423076

>> Now we are both trying to figure out how to get access to the M$ Term
>> Server set up and apparently can't figure it out. Here are the rules
>
> yecch.

Yeah. :-)

>> However, when his boss tried to access it from her home and her remote
>> office (at another of their locations) using the IP address of the
>> firewall it timed out. There are no messages in /var/log/messages that
>> have her home IP (a fixed IP address) or her remote office IP in them
>> which suggests to me that at least the packets are not being DROPped and
>> LOGged. So, we are missing something.
>
> Probably the control connection is followed by a data connection and ack
> on a port chosen in the initial handshake. Only looking will tell you. Ask
> someone who knows. I don't even know what a windows Term Server *is*!

I reckon we'll have to run ethereal to see what is happening there. I
didn't think of that until just now. :-/

Thanks for the reply Peter.

Thanks for the reply Peter.

Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era4.eracc.UUCP 2.4.21-0.25mdk i686
13:46:12 up 3 days, 2:16, 8 users, load average: 0.03, 0.05, 0.00
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers

ERACC
11-04-2003, 09:23 PM
On Tue, 04 Nov 2003 20:58:30 +0000, tutaepaki wrote:

> ERACC wrote:
>
>> On Tue, 04 Nov 2003 12:11:19 -0600, ERACC wrote:
>>
>>> Greetings Gurus,
>>>
>>> I am trying to help a friend of mine get his company's M$ Term Server
>>> safely behind an iptables firewall. [...]

[...]
>> This should look better:
>>
>> # Window$ Terminal $erver port forwarding
>>
>> echo " - FWD: Forwarding Microsoft Term Server requests"
>>
>> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT
>> --to 192.168.0.10:3389
>>
>> $IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j
>> ACCEPT
>>
>> [...]
>
> I don't see a rule which permits the responses from your TS in the FORWARD
> chain. eg
>
> $IPTABLES -A FORWARD -p tcp -i $INTIF --sport 3389 -s 192.168.0.10 -m
> state --state ESTABLISHED -j ACCEPT

Ah! I didn't know that was necessary. Seems to make sense though. Is
that something that is needed for ALL forwarding? In examples I see
where port 80 is forwarded such a rule does not appear.

Regardless, we will try that and I'll post results here.

Thanks!

Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era4.eracc.UUCP 2.4.21-0.25mdk i686
16:20:47 up 3 days, 4:51, 8 users, load average: 0.14, 0.17, 0.18
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers

Steve Horsley
11-04-2003, 11:20 PM
P.T. Breuer wrote:
> In comp.os.linux.networking ERACC wrote:
>
>> am an iptables novice. Especially when attempting to set up port
>> forwarding to a service behind the firewall. Why am I asking here
>
> I find it easiest to do that with a specialist or generic proxy like
> rinetd. Depends.
>
>> rather than he? Because his company Internet policy does not allow
>> posting to or reading USENET on the job. :-)

Doh! Another triumph of dogma over common sense.

>> Now we are both trying to figure out how to get access to the M$ Term
>> Server set up and apparently can't figure it out. Here are the rules

<snip>

> Ask someone who knows. I don't even know what a windows Term
> Server *is*!
>
> Peter

It's a remote control application, rather like PC-anywhere, VNC or X.
I don't know the details. MS could never just use something that already
exists and works of course.
I _do_ know that it all works on a single TCP session because I have
proxied/relayed it for other people in the past.
So the missing return path rule (in another reply) sounds like a good
bet to me.

Steve

joseph philip
11-05-2003, 04:22 AM
> # Window$ Terminal $erver port forwarding echo " - FWD: Forwarding
> Microsoft Term Server requests" $IPTABLES -t nat -A PREROUTING -i $EXTIF
> -p tcp --dport 3389 -j DNAT --to 192.168.0.10:3389 $IPTABLES -A FORWARD
> -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j ACCEPT

Change all this to:

# NT Terminal Server
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to 192.168.0.10:3389
$IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 3389 -j DNAT --to 192.168.0.10:3389

#Unblock the RDP ports
$IPT -t filter -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPT -t filter -A INPUT -i $EXTIF -p udp --dport 3389 -j ACCEPT

$IPT -t filter -A FORWARD -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPT -t filter -A FORWARD -i $EXTIF -p udp --dport 3389 -j ACCEPT

ERACC
11-05-2003, 04:19 PM
On Tue, 04 Nov 2003 20:58:30 +0000, tutaepaki wrote:

> ERACC wrote:

[...]
>> This should look better:
>>
>> # Window$ Terminal $erver port forwarding
>>
>> echo " - FWD: Forwarding Microsoft Term Server requests"
>>
>> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT
>> --to 192.168.0.10:3389
>>
>> $IPTABLES -A FORWARD -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j
>> ACCEPT
>>
>> [...]
>
> I don't see a rule which permits the responses from your TS in the FORWARD
> chain. eg
>
> $IPTABLES -A FORWARD -p tcp -i $INTIF --sport 3389 -s 192.168.0.10 -m
> state --state ESTABLISHED -j ACCEPT

Hmmm, didn't fix it. I'm trying the other suggestion from today.

Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era4.eracc.UUCP 2.4.21-0.25mdk i686
11:13:56 up 3 days, 23:44, 8 users, load average: 0.25, 0.24, 0.18
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers

ERACC
11-05-2003, 04:40 PM
On Wed, 05 Nov 2003 00:22:00 -0500, joseph philip wrote:

>> # Window$ Terminal $erver port forwarding echo " - FWD: Forwarding
>> Microsoft Term Server requests" $IPTABLES -t nat -A PREROUTING -i $EXTIF
>> -p tcp --dport 3389 -j DNAT --to 192.168.0.10:3389 $IPTABLES -A FORWARD
>> -p tcp -i $EXTIF --dport 3389 -d 192.168.0.10 -j ACCEPT
>
> Change all this to:
>
> # NT Terminal Server
>
> $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 3389 -j DNAT --to
> 192.168.0.10:3389
>
> $IPT -t nat -A PREROUTING -i $EXTIF -p udp --dport 3389 -j DNAT --to
> 192.168.0.10:3389
>
> #Unblock the RDP ports
> $IPT -t filter -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
>
> $IPT -t filter -A INPUT -i $EXTIF -p udp --dport 3389 -j ACCEPT
>
> $IPT -t filter -A FORWARD -i $EXTIF -p tcp --dport 3389 -j ACCEPT
>
> $IPT -t filter -A FORWARD -i $EXTIF -p udp --dport 3389 -j ACCEPT

Nope, that didn't work either. This is very odd. So far no suggestion
we've gotten has been able to pass this Term Server stuff. We can see
it coming into the LAN using ethereal and see the TS respond. But the
response never gets back through.

Hmmmm, maybe a combination of these suggestions will work ... I'm
going to look into that possibility. Whatever I find out I'll post
back here.

Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era4.eracc.UUCP 2.4.21-0.25mdk i686
11:25:25 up 3 days, 23:56, 8 users, load average: 0.17, 0.20, 0.18
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers
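A complete, stateful version of the forwarding rules the thread is working toward, added here as an example and not taken from any of the posts: the DNAT rule, a FORWARD rule that admits only NEW connections to the server from listed remote addresses (the boss's fixed home IP is the kind of entry meant), the RELATED,ESTABLISHED rule that lets the server's replies back out, and a LOG/DROP pair so rejected attempts show up in /var/log/messages. The interface names, the allowed source list and the APPLY switch are assumptions.

```shell
#!/bin/sh
# Added example: stateful iptables DNAT for a Terminal Server on TCP/3389.
# Interface names, server address and allowed sources are assumed placeholders.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
TS_IP="${TS_IP:-192.168.0.10}"
# Constructed sample of remote addresses allowed to reach the server (documentation ranges).
ALLOWED_SRCS="${ALLOWED_SRCS:-203.0.113.5 198.51.100.0/24}"

# Print one iptables command per line. Printing rather than executing keeps the
# rule set reviewable; run with APPLY=1 as root to load it.
rdp_forward_rules() {
  # Replies to any tracked connection may cross the firewall in either direction;
  # this is the return-path rule the original FORWARD rule lacked.
  echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
  for src in $ALLOWED_SRCS; do
    # Rewrite the destination of inbound 3389 from a permitted source to the server.
    echo "iptables -t nat -A PREROUTING -i $EXTIF -s $src -p tcp --dport 3389 -j DNAT --to-destination $TS_IP:3389"
    # Admit only the first packet of a new session; later packets match the rule above.
    echo "iptables -A FORWARD -i $EXTIF -o $INTIF -s $src -d $TS_IP -p tcp --dport 3389 -m state --state NEW -j ACCEPT"
  done
  # Everything else aimed at the forwarded port is logged, then dropped, so probes
  # from unexpected sources are visible in the syslog rather than silently vanishing.
  echo "iptables -A FORWARD -i $EXTIF -d $TS_IP -p tcp --dport 3389 -j LOG --log-prefix 'RDP-DENY: '"
  echo "iptables -A FORWARD -i $EXTIF -d $TS_IP -p tcp --dport 3389 -j DROP"
}

# Number of rules generated: 1 return-path + 2 per source + LOG + DROP.
rdp_rule_count() { rdp_forward_rules | wc -l | tr -d ' '; }

if [ "${APPLY:-0}" = "1" ]; then
  rdp_forward_rules | while IFS= read -r cmd; do sh -c "$cmd"; done
else
  rdp_forward_rules
fi
```

Replies only traverse the FORWARD chain if the Terminal Server routes them back through this firewall, so when a capture on the LAN shows the server answering but nothing leaves the external interface, check the server's default gateway as well as the rules.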
