 Post subject: linux/debian iptables configuration on client computer
PostPosted: Thu Jun 26, 2014 9:24 am 
Joined: Mon Jun 16, 2014 3:38 am
Posts: 8
Hi,

I searched the board but couldn't find an answer to my "problem".

Can somebody tell me how to configure the iptables firewall on a debian client PC running NRClient Pro?

From the local network (eth0; not the VPN) we only need to connect to mysql, ssh and webmin.
So on INPUT I accept TCP on ports 22, 3306 and TCP/UDP 10000.

On the nrtap interface I accept all traffic (no need for iptables, the firewall is managed by NeoRouter itself).

Which ports does NRClient need to start?
I tried to open 32975 TCP, 5353 UDP without success.

If I configure iptables INPUT to DROP as default,
the nrservice won't even build up the nrtap interface.
It doesn't show the nrtap with ifconfig -a.

Which ports does nrservice use to build up the nrtap interface,
or how do I have to configure iptables?

Thanks
Marcus


 Post subject: Re: linux/debian iptables configuration on client computer
PostPosted: Thu Jul 03, 2014 3:56 pm 
Joined: Sun Nov 16, 2008 6:41 am
Posts: 1878
Hi itskaefer,

Assuming you have a physical network adapter to your network/internet, the NR client/service will connect to the NR server via this network adapter. The NR client service just requires an outgoing connection to the NR server at its listening port (default is 32976/tcp). No incoming port needs to be opened. 32975/tcp is the listening port of the NR service for the NR client (CMD or UI) to connect to locally. So basically there is no need to add a rule for the NR client on the physical network adapter.

However, once the NR client/service connects to the server, it will activate the nrtap virtual adapter. Please allow all IN/OUT connections on this adapter.

It's safe, because all packets going through this adapter are from the NeoRouter VLAN, and you may want to set up the NeoRouter built-in ACL/Firewall rules to control them instead of setting them up on each machine.

Note:
1. On Linux, since you put restrictive rules in place with iptables, the NR client won't establish a P2P connection and it will use the NR server to relay automatically.

2. In the next version, we will allow users to specify the P2P port range.


Let us know if you have any questions.

Thanks,
KevinZ - NeoRouter team


 Post subject: Re: linux/debian iptables configuration on client computer
PostPosted: Fri Jul 04, 2014 5:27 am 
Joined: Mon Jun 16, 2014 3:38 am
Posts: 8
Hi!

I tried many configurations, without success.
If I configure the INPUT chain to drop by default,
the nrtap adapter doesn't show up under ifconfig -a
and there is no way to connect to the NRServer.

I attached a screenshot of the iptables config.

If I add the rules ACCEPT protocol TCP and UDP (without any other restrictions), the nrtap comes up. But this makes no sense, because it is like disabling the firewall.

Hope you can reproduce this.

Thanks
Marcus


Attachments:
File comment: Iptables Config
iptables_1.png [ 66.59 KiB | Viewed 15774 times ]
 Post subject: Re: linux/debian iptables configuration on client computer
PostPosted: Fri Jul 04, 2014 12:51 pm 
Joined: Sun Nov 16, 2008 6:41 am
Posts: 1878
Hi itskaefer,

The webmin tool may hide some info; please try the following script on your Linux machine:

Save it to a file setup_firewall.sh, chmod 755 setup_firewall.sh, then run it as root.

Code:
#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from iptables
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself
# out of the system
#
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# add other ports you need
# iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
# iptables -A INPUT -p udp --dport 10000 -j ACCEPT

#
# Set default policies for INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
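# Save settings
# ("service iptables save" is the RHEL/CentOS init script; Debian has no such
# action, so use iptables-save there instead)
#
/sbin/service iptables save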
#
# List rules
#
iptables -L -v


So you can see there is no need to do anything special for the NR client. Please read it and let me know if you still have problems.

Thanks,
KevinZ - NeoRouter team
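
Added example, not part of the original posts and not NeoRouter's own tooling: a small audit of `iptables -S` output that checks the two points made in the replies above (an ESTABLISHED,RELATED accept under a default-DROP INPUT policy, and an accept rule on the VPN adapter) and flags the protocol-wide ACCEPT workaround. The function names, finding labels and sample rule sets are constructed for illustration; the adapter name `nrtap` is taken from the thread and may differ on your system.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output for the points made in this thread.
# VPN_IF is an assumption; use the adapter name that `ifconfig -a` reports.
VPN_IF="${VPN_IF:-nrtap}"

has_rule() {  # has_rule RULES ERE -> 0 if any rule line matches
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Prints space-separated findings; returns non-zero if there are any.
audit_ruleset() {
    rules="$1"; findings=""
    if ! has_rule "$rules" '^-P INPUT DROP$'; then
        echo "input-policy-not-drop"; return 1
    fi
    # Replies to the outgoing connection to the NR server need this rule.
    has_rule "$rules" '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$' \
        || findings="$findings missing-established"
    has_rule "$rules" '^-A INPUT -i lo -j ACCEPT$' \
        || findings="$findings missing-loopback"
    # Traffic from the VPN side arrives on the virtual adapter.
    has_rule "$rules" "^-A INPUT -i ${VPN_IF}\\+? -j ACCEPT\$" \
        || findings="$findings missing-vpn-accept"
    # A protocol-wide ACCEPT is the "like disabling the firewall" workaround.
    if has_rule "$rules" '^-A INPUT -p (tcp|udp) -j ACCEPT$'; then
        findings="$findings accept-all-proto"
    fi
    findings="${findings# }"
    echo "$findings"
    [ -z "$findings" ]
}

# Constructed sample rule sets in `iptables -S` format.
BROKEN='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT'
WORKAROUND="$BROKEN
-A INPUT -p tcp -j ACCEPT
-A INPUT -p udp -j ACCEPT"
FIXED="$BROKEN
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i nrtap -j ACCEPT"

echo "broken:     $(audit_ruleset "$BROKEN")"
echo "workaround: $(audit_ruleset "$WORKAROUND")"
echo "fixed:      $(audit_ruleset "$FIXED")"
```

To check a live host, run `audit_ruleset "$(iptables -S)"` as root after applying the firewall script.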


 Post subject: Re: linux/debian iptables configuration on client computer
PostPosted: Mon Jul 07, 2014 5:21 am 
Joined: Mon Jun 16, 2014 3:38 am
Posts: 8
Hey kevin,

connection state established and related does the trick.
Works now.

thanks a lot.

greetz
marcus


 Post subject: Re: linux/debian iptables configuration on client computer
PostPosted: Mon Apr 27, 2015 2:41 am 
Joined: Mon Apr 27, 2015 2:10 am
Posts: 2
From the local network (eth0; not the VPN) we only need to connect to mysql, ssh and webmin.
