Showing posts with label iptables. Show all posts

17 February 2012

69. Reverse VNC using vncviewer and tightvnc

Reverse VNC is a good way of helping people remotely. It requires that your IP is remotely accessible, but it does NOT require that the client's IP is public.

This is based on http://ubuntuforums.org/showthread.php?t=299489 and https://caedesnotes.wordpress.com/2010/01/08/remote-administrationtech-support-with-reverse-vnc/ but with screenshots. If both of you are using linux but you for some reason prefer vnc over ssh, have a look at that link for how to do it (i.e. using x11vnc on the client).

Like a lot of people I have parents. Like most of those people, my parents aren't too interested in augmenting their computer skills. Which is fine. But trying to explain over the phone where to click etc. gets old really fast -- VNC is an advantage here if they are running windows. Parents also tend to appreciate lots of screenshots -- so I've provided that. It's running on a French version of XP -- it's my way of indirectly learning and keeping my French alive.

-- START HERE --

The situation:
You're running linux. The client is running Windows. You are you, the person you're helping is The Client.
Set up your system before having the client follow the instructions here. I put the client instructions first so you can send them to this page.



The Client:
They are running Windows. They don't have a public IP. Here's what they should do:

1. Download tightvncviewer from here: http://www.tightvnc.com/download.php

2. Installation of tightvnc

a) Install both client and server or only server. It doesn't matter -- the server is important here.


b) During setup, make sure that you check all the boxes as shown below


You will not need to share your password with the person helping you. Make sure not to leave these blank.


c) Tightvnc requires the administrator password to be able to accept connections.

Right-click on the icon in the taskbar tray, and click on Configuration...

Change the main server port to 5500. We're doing this to be consistent.
You may de-select 'Serve Java Viewer to Web clients'.




You only need to do the steps above once.

The following steps you will need to do each time you want to get help:
1. Right-click on the vnc icon in the taskbar tray. Select Attach Listening Viewer...

2. In Hostname or IP address of the viewer, type the IP address given to you by the person helping you. In this example it's 192.168.1.102, but it can be anything. Append ::5500 to the IP address. In our example, the input is 192.168.1.102::5500


That's it. If something happens that isn't described here, make sure to tell the person helping you. Especially if messages about Blocked programmes or Firewalls come up.

You (linux person):
Your public IP is 192.168.1.102 in the example above. Your port 5500 is open to the world.

sudo apt-get install vncviewer

Start your listening session with:

vncviewer -compresslevel 9 -listen 0
vncviewer -listen: Listening on port 5500
vncviewer -listen: Command line errors are not reported until a connection comes in.


Once the connection is started by the client you get:
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "tantalum"
VNC server default format:
  16 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 31 green 63 blue 31, shift red 11 green 5 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

You can play around with the compresslevel, which runs from 0 to 9. Make sure to keep an eye on your firewall log -- your client/parent may easily get frustrated if things aren't working -- and you really don't want to be the cause of it.


Notes:
iptables
I tested this by running windows xp in virtualbox on one linux box, 192.168.1.1, and piped the vnc connection through to another linux box at 192.168.1.102. The firewall settings I had to do were:

On 192.168.1.1

Open port 17500 to tcp traffic from 192.168.1.102 to 255.255.255.255:
sudo iptables -A INPUT -i eth1 -s 192.168.1.102 -d 255.255.255.255 -p tcp --dport 17500 -j ACCEPT


On 192.168.1.102
Open port 5500 to tcp traffic destined for 192.168.1.102:
sudo iptables -A INPUT -d 192.168.1.102 -p tcp --dport 5500 -j ACCEPT

09 February 2012

63. Iptables for LAN with one internet connected gateway; sharing internet connection using iptables

Here I show how to share an internet connection with clients on a LAN. It's based in part on the iptables rules which firestarter generates when setting up connection sharing -- I think one could probably get away with dropping the INBOUND/OUTBOUND sections for the gateway server.

You will probably find that you need to open more ports, depending on your network services. Hopefully it's obvious from the instructions below how to do that. As always, use what you find below as a starting point and expand and correct it as you fool around with it.

While it's easier to use a gui like gufw or firestarter (see previous post), you get a much clearer overview of your firewall configuration if you define each rule using iptables yourself. It's also not that difficult and with a bit of trial and error you can work it out.

The usual caveats apply -- a good 2/3 of my posts are written as I'm teaching myself, while the remainder describe easy, useful, but not always obvious, things and programmes which make life easier. This lands in the former category.

--- START HERE ---

My network:
One computer has two cards. eth0 is connected to the outside world, eth1 is connected to a switch making up a LAN. Each client is connected to the switch and has a static IP (set in /etc/network/interfaces).

The clients are the easiest, so we'll start with them.

Client:
create /etc/firewall-rules.sh (e.g. sudo vim /etc/firewall-rules.sh) and put the following in it:

sudo iptables -F #FLUSH

#INPUT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #network access
sudo iptables -A INPUT -i lo -j ACCEPT                        #127.0.0.1
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT -s 192.168.1.0/24 #ssh
sudo iptables -A INPUT -p tcp --dport www -j ACCEPT -s 192.168.1.0/24 #web server
sudo iptables -A INPUT -p tcp --dport nfs -j ACCEPT -s 192.168.1.0/24 #needed for nfs
sudo iptables -A INPUT -p udp --dport nfs -j ACCEPT -s 192.168.1.0/24 #needed for nfs
sudo iptables -A INPUT -p tcp --dport sunrpc -j ACCEPT -s 192.168.1.0/24 #needed for nfs 
sudo iptables -A INPUT -p udp --dport sunrpc -j ACCEPT -s 192.168.1.0/24 #needed for nfs 
sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT -s 192.168.1.0/24 #ping
sudo iptables -A INPUT -p udp --dport 60003 -j ACCEPT -s 192.168.1.0/24 #sinfo/d
sudo iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix " Dropped by firewall "
sudo iptables -A INPUT -j DROP                          #drop all else

#OUTPUT
sudo iptables -A OUTPUT -o lo -j ACCEPT #127.0.0.1
sudo iptables -A OUTPUT -j ACCEPT          #all outgoing ok

#FORWARD
sudo iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT

#Default behaviour
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP 
sudo iptables -P FORWARD DROP

Next, change ownership and permission:

sudo chown root /etc/firewall-rules.sh
sudo chmod 700 /etc/firewall-rules.sh

Finally, edit /etc/network/interfaces and put
post-up sh /etc/firewall-rules.sh
as the last line. If you use post-up routing rules as well you can put those before or after.

Done!


The Gateway:
We need to allow the local network access to the services of the gateway, such as apt-cache. We also need to pass through traffic to the outside world.

Here's the gateway's /etc/firewall-rules.sh:

sudo iptables -F          #FLUSH the filter table
sudo iptables -t nat -F   #FLUSH nat too, otherwise the MASQUERADE rule below is appended again on every reload
sudo iptables -t mangle -F
sudo iptables -X          #delete the (now empty) INBOUND/OUTBOUND chains so -N below doesn't fail on reload
# T1 -> eth0 --> inet, eth1 --> LAN (192.168.1.0/24)

#table nat
sudo iptables -t nat -P PREROUTING ACCEPT
sudo iptables -t nat -P INPUT ACCEPT
sudo iptables -t nat -P OUTPUT ACCEPT
sudo iptables -t nat -P POSTROUTING ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#table mangle
sudo iptables -t mangle -P PREROUTING ACCEPT
sudo iptables -t mangle -P INPUT ACCEPT
sudo iptables -t mangle -P FORWARD ACCEPT
sudo iptables -t mangle -P OUTPUT ACCEPT
sudo iptables -t mangle -P POSTROUTING ACCEPT 

#main table
sudo iptables -N OUTBOUND
sudo iptables -N INBOUND

#INPUT
sudo iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #allows network access
sudo iptables -A INPUT -i lo -j ACCEPT                                                #127.0.0.1
sudo iptables -A INPUT -i eth1 -p tcp --dport ssh -j ACCEPT -s 192.168.1.0/24 #ssh
sudo iptables -A INPUT -i eth1 -p tcp --dport www -j ACCEPT -s 192.168.1.0/24 #web server
sudo iptables -A INPUT -i eth1 -p tcp --dport nfs -j ACCEPT -s 192.168.1.0/24 #needed for nfs
sudo iptables -A INPUT -i eth1 -p udp --dport nfs -j ACCEPT -s 192.168.1.0/24 #needed for nfs
sudo iptables -A INPUT -i eth1 -p tcp --dport sunrpc -j ACCEPT -s 192.168.1.0/24  #needed for nfs 
sudo iptables -A INPUT -i eth1 -p udp --dport sunrpc -j ACCEPT -s 192.168.1.0/24 #needed for nfs 
sudo iptables -A INPUT -i eth1 -p icmp --icmp-type 8 -j ACCEPT -s 192.168.1.0/24  #ping
sudo iptables -A INPUT -i eth1 -p udp --dport 60003 -j ACCEPT -s 192.168.1.0/24 #sinfo/d
sudo iptables -A INPUT -i eth1 -p tcp --dport 3142 -j ACCEPT -s 192.168.1.0/24             #apt-cache
sudo iptables -A INPUT -i eth1 -d 192.168.1.1 -j INBOUND                                                   #needed for gw -> clients
sudo iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j REJECT 
sudo iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix " Dropped by firewall "
sudo iptables -A INPUT -j DROP                                                       #drop all else


#OUTPUT
sudo iptables -A OUTPUT -o lo -j ACCEPT #localhost 127.0.0.1
sudo iptables -A OUTPUT -o eth0 -j ACCEPT #eth0: all outgoing ok
sudo iptables -A OUTPUT -o eth1 -j ACCEPT                               #eth1: all outgoing ok

#FORWARD
sudo iptables -A FORWARD -p icmp -j ACCEPT 
sudo iptables -A FORWARD -p tcp -s 192.168.1.0/24 -j ACCEPT     #forward everything from local LAN
sudo iptables -A FORWARD -p udp -s 192.168.1.0/24 -j ACCEPT    #forward everything from local LAN
sudo iptables -A FORWARD -i eth0 -j OUTBOUND                           #need both for pass-through
sudo iptables -A FORWARD -i eth1 -j OUTBOUND                           #need both for pass-through


#INBOUND
sudo iptables -A INBOUND -j ACCEPT -m state --state RELATED,ESTABLISHED                              
sudo iptables -A INBOUND -s beryllium -j ACCEPT
sudo iptables -A INBOUND -j ACCEPT -s 192.168.1.0/24

#OUTBOUND
sudo iptables -A OUTBOUND -j ACCEPT

#Default behaviour
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP 
sudo iptables -P FORWARD DROP

And that's about it.
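The FORWARD section above hands everything arriving on eth0 to the OUTBOUND chain, and OUTBOUND accepts it all, so any packet the outside world manages to route at a LAN address is passed through. As an added example (not the post's own script) here is a tighter FORWARD section that only lets new connections start from the LAN side and logs and drops unsolicited traffic from eth0, plus a check that IP forwarding is actually switched on in the kernel, since without net.ipv4.ip_forward=1 the FORWARD chain is never consulted and the clients simply get no internet. Interface names and the LAN range are the post's (eth0, eth1, 192.168.1.0/24); the IPTABLES and IP_FORWARD_FILE variables exist only so the functions can be exercised without root (IPTABLES=echo prints the rules instead of applying them).

```shell
#!/bin/sh
# Added example: a stricter FORWARD section for the gateway, plus an ip_forward check.
# Not the post's own script. Interfaces and LAN range as in the post.
# Dry-run: IPTABLES=echo sh gateway-forward.sh apply

IPTABLES="${IPTABLES:-sudo iptables}"
IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# The kernel only routes between eth0 and eth1 when ip_forward is 1; if it is 0
# the FORWARD rules never see a packet, so refuse to continue in that case.
check_ip_forward() {
    [ "$(cat "$IP_FORWARD_FILE" 2>/dev/null)" = "1" ]
}

# Rebuild FORWARD from scratch: -F then -A keeps this re-runnable from post-up.
forward_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    # Packets of connections already in the conntrack table are fine in both directions
    # (this is what carries the replies to the LAN's outgoing connections back in).
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # New connections may only start on the LAN interface and must carry a LAN source
    # address, so a spoofed 192.168.1.x packet arriving on eth0 is not forwarded.
    $IPTABLES -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # Everything else, including anything new arriving on eth0, is logged (rate-limited) and dropped.
    $IPTABLES -A FORWARD -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix " Dropped fwd "
    $IPTABLES -A FORWARD -j DROP
    # Masquerade only LAN sources leaving on eth0; flush first so reloads don't stack copies.
    $IPTABLES -t nat -F POSTROUTING
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Entry point: install the rules only on a box that can actually forward.
apply_gateway_forwarding() {
    if ! check_ip_forward; then
        echo "ip_forward is not 1; run: sudo sysctl -w net.ipv4.ip_forward=1" >&2
        return 1
    fi
    forward_rules
}

case "${1:-}" in
    apply) apply_gateway_forwarding ;;
esac
```

The INPUT, OUTPUT and INBOUND parts of the post's script are unaffected; only FORWARD and the nat POSTROUTING rule are replaced. Dropped forward attempts land in the same firewall.log as the INPUT drops, with the " Dropped fwd " prefix, so you can tell the two apart.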

To check that it loaded do

sudo iptables -L -n -v

The -n makes iptables print addresses and ports numerically instead of looking up their names, which can otherwise make the listing very slow.

Keep on checking what goes into /var/log/firewall.log to see whether you should open more ports or use a more generous (or strict) firewall policy.



Edit: the following was the old way of doing it. The downsides are that
1. it gets loaded very late in the boot sequence
2. it doesn't reload on sudo service networking restart

I've migrated away from network-manager, but if you're still using it, it might require the method below. Use it if the first method doesn't load the firewall rules.

edit /etc/rc.local and put 
sh /etc/firewall-rules.sh
as the second-to-last line so the rules are added on each boot.

Remember the sudo iptables -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix " Dropped by firewall " line? It doesn't actually do anything yet.

Edit /etc/rsyslog.conf and put
kern.=debug /var/log/firewall.log
anywhere. Restart the service:

sudo service rsyslog restart

There's now a firewall.log in your /var/log dir.
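Reading the raw kernel lines in firewall.log gets tedious, so as an added example (not from the post) here is a small sh/awk summariser that counts dropped packets per source address, protocol and destination port. The log lines it is tested against are constructed here to look like what the LOG target produces through rsyslog (addresses from the documentation ranges, not real hosts); the field names SRC=, PROTO= and DPT= are the ones iptables' LOG target writes.

```shell
#!/bin/sh
# Added example: summarise "Dropped by firewall" lines by source, protocol and port.
# Not the post's own code. Usage: drop_summary < /var/log/firewall.log
# Constructed sample log (documentation addresses), used for the demo and the test.
SAMPLE_LOG='Feb  9 10:15:01 gateway kernel: [ 1201.000000] Dropped by firewall IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  9 10:15:03 gateway kernel: [ 1203.000000] Dropped by firewall IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  9 10:15:04 gateway kernel: [ 1204.000000] Dropped by firewall IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb  9 10:15:09 gateway kernel: [ 1209.000000] Dropped by firewall IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  9 10:16:00 gateway kernel: [ 1260.000000] eth0: link is up, 1000 Mbps full duplex
Feb  9 10:16:30 gateway kernel: [ 1290.000000] Dropped by firewall IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58'

# Read log lines on stdin; print "count SRC PROTO DPT", most frequent first.
# Lines without the firewall prefix are ignored; protocols without ports (ICMP) get "-".
drop_summary() {
    awk '/Dropped by firewall/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")      # fields look like KEY=VALUE
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | drop_summary ;;
esac
```

`sh drop-summary.sh demo` runs it over the constructed sample; on the gateway itself `sudo sh -c 'drop_summary < /var/log/firewall.log'` after sourcing the file gives you the real picture. A source that keeps appearing at the top with one destination port is a good candidate for a deliberate block rule, and a LAN host that appears at all usually means a service you forgot to open.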



There is one caveat:

IMPORTANT: for some reason receiving large files via sftp in filezilla FROM a client to the gateway gives

Error: Incorrect MAC received on packet
Error: File transfer failed after transferring 32,768 bytes in 1 second
or
Error: Server sent disconnect message
Error: type 2 (protocol error):
Error: "Packet corrupt"
Error: File transfer failed

Transferring large files TO a client works fine from the gateway and is blazingly fast. Transferring files between clients also works fast and securely.

i.e. on a client I can easily receive files from the gateway. On the gateway I can easily put a file on a client. The opposite directions don't work, whether I do it on the client or on the gateway. It seems like there should be an obvious iptables fix. My network cards are rtl-8169 gigabit pci cards and/or intel e1000 pro

NFS works fine for filetransfer (see this post) but I'm working on figuring out the incorrect MAC problem.

I've already tried with
sudo iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Also, even a firewall consisting of nothing but (apart from flush):

sudo iptables -P INPUT ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD ACCEPT

doesn't solve it
