Re: [Ltsp-discuss] iptables and LTSP

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Many thanks to all who offered advice on my IPTables issues. After a few 
head pounding hours, I came up with a solution. I thought I'd post it 
back here in case it helps anyone else.

My set-up is is a LTSP server with one NIC and various clients, all on a 
public network. The LTSP server is also the DHCP and TFTP server for 
these clients. The clients PXE boot to get up and running. This turned 
out to be the sticking point since I saw different ports each time 
during the PXE boot process. A few tcpdump captures really helped me 
sort out what the heck was going on.

I ended up allowing all traffic from my known IP addresses and blocking 
all other addresses. I then had to enable the protocols I wanted the 
clients to be able to connect to - in this case just HTTP/HTTPS and DNS 
since they are running a locked down Mozilla Firebird browser (hurray 
for open source, easy to change code!).

Here's the shell script I used to kick things off, I then saved the 
config with iptables-save > /etc/sysconfig/iptables

#!/bin/sh
# Rule generating script for LTSP server

# Set up variables
IPTABLES='_dhcp_range_for_clients'
DHCP_CLIENTS='x.x.x.x/X'
MONITOR='my_workstation_IP'
SERVER_IP='server_IP_address'

# flush chains
$IPTABLES -F

# delete user defined chains
$IPTABLES -X

# set default policies (deny everything)
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Enable things on a port or host basis
$IPTABLES -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p tcp --sport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p tcp --sport 443 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s $SERVER_IP -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s $MONITOR -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s $MONITOR -p udp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -i eth0 -d $DHCP_CLIENTS -j ACCEPT
$IPTABLES -A OUTPUT -i eth0 -s $DHCP_CLIENTS -j ACCEPT

Many thanks to all the LTSP developers for a totally fantastic tool!

-- 
Brian Payst, MS
Director of Technology & Systems Support
Division of Student Affairs
The University of North Carolina at Chapel Hill
voice: (919) 962-1469 fax: (919) 962-5241