From: Brian P. <bri...@un...> - 2004-02-10 14:44:40
Many thanks to all who offered advice on my IPTables issues. After a few head-pounding hours, I came up with a solution. I thought I'd post it back here in case it helps anyone else.

My set-up is an LTSP server with one NIC and various clients, all on a public network. The LTSP server is also the DHCP and TFTP server for these clients. The clients PXE boot to get up and running. This turned out to be the sticking point, since I saw different ports each time during the PXE boot process. A few tcpdump captures really helped me sort out what the heck was going on. I ended up allowing all traffic from my known IP addresses and blocking all other addresses. I then had to enable the protocols I wanted the clients to be able to connect to - in this case just HTTP/HTTPS and DNS, since they are running a locked-down Mozilla Firebird browser (hurray for open source, easy to change code!).

Here's the shell script I used to kick things off; I then saved the config with iptables-save > /etc/sysconfig/iptables:

#!/bin/sh
# Rule generating script for LTSP server

# Set up variables
IPTABLES='/sbin/iptables'          # path to the iptables binary
DHCP_CLIENTS='x.x.x.x/X'           # DHCP range for the clients
MONITOR='my_workstation_IP'
SERVER_IP='server_IP_address'

# flush chains
$IPTABLES -F
# delete user defined chains
$IPTABLES -X

# set default policies (deny everything)
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Enable things on a port or host basis
# DHCP between the server (67) and the PXE clients (68)
$IPTABLES -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# replies from web and DNS servers addressed to the clients
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p tcp --sport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p tcp --sport 443 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p udp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -d $DHCP_CLIENTS -p tcp --sport 53 -j ACCEPT
# anything from the known clients and from the server's own address
$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s $SERVER_IP -j ACCEPT
# SSH only from the monitoring workstation
$IPTABLES -A INPUT -i eth0 -s $MONITOR -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s $MONITOR -p udp --dport 22 -j ACCEPT
# outbound traffic to/from the clients (the OUTPUT chain takes -o, not -i)
$IPTABLES -A OUTPUT -o eth0 -d $DHCP_CLIENTS -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -s $DHCP_CLIENTS -j ACCEPT

Many thanks to all the LTSP developers for a totally fantastic tool!

--
Brian Payst, MS
Director of Technology & Systems Support
Division of Student Affairs
The University of North Carolina at Chapel Hill
voice: (919) 962-1469
fax: (919) 962-5241
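As an added example (not Brian's script and not LTSP's own code), here is a stateful variant of the same single-NIC LTSP ruleset. Instead of enumerating the source ports of expected replies, it lets connection tracking admit the reply half of every accepted session, which is what makes the varying ephemeral ports seen during PXE/TFTP boot match without chasing them. The client range 192.0.2.0/24, the workstation 198.51.100.7, the interface name, the conntrack helper module names and the assumption that the browser runs on the LTSP server itself are all placeholders or assumptions. DRY_RUN=1 (the default when run with no argument) prints the rules instead of applying them, so it can be inspected without root.

```shell
#!/bin/sh
# Added example, not the script from the post: a stateful version of the
# LTSP server ruleset. DRY_RUN=1 prints the commands instead of running them.
# Addresses, interface and the tftp helper names are assumptions; adjust.
IPT="${IPT:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
DHCP_CLIENTS="${DHCP_CLIENTS:-192.0.2.0/24}"   # assumed thin-client range
MONITOR="${MONITOR:-198.51.100.7}"             # assumed admin workstation

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

ltsp_rules() {
    ipt -F
    ipt -X
    ipt -t raw -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Local daemons (X, the resolver, NFS) talk to themselves over loopback.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Let conntrack admit the reply half of every session we accepted,
    # whatever ephemeral port it lands on: this is what hand-written
    # "--sport 80 / 443 / 53" rules approximate.
    ipt -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # PXE clients DHCP-DISCOVER from 0.0.0.0:68 to 255.255.255.255:67,
    # so this rule cannot be narrowed with -s.
    ipt -A INPUT -i "$IFACE" -p udp --sport 68 --dport 67 -j ACCEPT

    # TFTP: the first request hits 69, the data then moves to ephemeral ports.
    # The tftp conntrack helper (ip_conntrack_tftp on 2.4/2.6, nf_conntrack_tftp
    # later) marks that data RELATED; newer kernels also need the CT rule.
    ipt -t raw -A PREROUTING -i "$IFACE" -p udp --dport 69 -j CT --helper tftp
    ipt -A INPUT -i "$IFACE" -s "$DHCP_CLIENTS" -p udp --dport 69 -j ACCEPT

    # Everything else from the known thin clients (XDMCP, X, NFS ...).
    ipt -A INPUT -i "$IFACE" -s "$DHCP_CLIENTS" -j ACCEPT

    # SSH only from the admin workstation.
    ipt -A INPUT -i "$IFACE" -s "$MONITOR" -p tcp --dport 22 -j ACCEPT

    # Outbound: anything to the clients, plus NEW DNS/HTTP/HTTPS sessions,
    # assuming (as in a typical LTSP setup) the browser runs on this server.
    ipt -A OUTPUT -o "$IFACE" -d "$DHCP_CLIENTS" -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp -m multiport --dports 80,443 \
        -m state --state NEW -j ACCEPT
}

# Print by default; "./ltsp-fw.sh apply" installs the rules (needs root).
# Persist afterwards with: iptables-save > /etc/sysconfig/iptables
case "${1:-}" in
    apply) ltsp_rules ;;
    *)     DRY_RUN=1; ltsp_rules ;;
esac
```

Run it without arguments to review the generated rule list, then with apply as root. If the catch-all "-s $DHCP_CLIENTS -j ACCEPT" rule is later narrowed to specific services, the tftp helper is what keeps the boot-time data transfer on its random ports flowing; without it, only the initial request to port 69 would match.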