Re: Firewall and beacon


OK, I did what you said but no success :-(
Can you show me what rules pfilter generated on your machine (iptables -L)?

Here I now have a beacon server on petra.int-evry.fr and a beacon client 
on corbeau.int-evry.fr.
On petra I see my own packets on the Xcast group 233.157.159.21 port 
10002 but no packets from the corbeau.int-evry.fr client :-(

[root@petra ~]
$ tcpdump port 10002
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
15:44:59.619361 IP petra.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26
15:45:00.701091 IP petra.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26
15:45:01.783887 IP petra.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26
...

However, on the client corbeau.int-evry.fr I DO send to the Xcast group, 
and I can also see the beacon server (petra)!

$ tcpdump port 10002
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:49:04.409657 IP corbeau.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26
15:49:04.465230 IP petra.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26
15:49:04.491466 IP corbeau.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26
15:49:04.573399 IP corbeau.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26
15:49:04.655390 IP corbeau.int-evry.fr.10002 > 233.157.159.21.10002: UDP, length 26

What happens? Why doesn't petra see corbeau's packets, although I did 
open 10002, 10003 and 10004 with pfilter as you mentioned?

Here is my iptables on the petra beacon server:

[root@petra ~]
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
pfilter    all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
pfilter    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain pfilter (2 references)
target     prot opt source               destination
REJECT     all  --  anywhere             127.0.0.0/8         reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             petra.int-evry.fr   state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             petra.int-evry.fr   state NEW tcp dpt:http
ACCEPT     udp  --  anywhere             petra.int-evry.fr   state NEW udp dpt:http
ACCEPT     icmp --  anywhere             petra.int-evry.fr   state NEW icmp echo-reply
ACCEPT     icmp --  anywhere             petra.int-evry.fr   state NEW icmp echo-request
ACCEPT     icmp --  anywhere             157.159.21.255      state NEW icmp echo-reply
ACCEPT     icmp --  anywhere             157.159.21.255      state NEW icmp echo-request
ACCEPT     udp  --  anywhere             petra.int-evry.fr   state NEW udp dpt:10002
ACCEPT     udp  --  anywhere             petra.int-evry.fr   state NEW udp dpt:10003
ACCEPT     tcp  --  anywhere             petra.int-evry.fr   state NEW tcp dpt:10004
DROP       all  --  anywhere             ALL-SYSTEMS.MCAST.NET
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Thanks.

Mitch Kutzko wrote:

>Hi, Jehan -- I use pfilter to handle this for all the boxes I have that run
>iptables.
>
>	http://sourceforge.net/projects/pfilter/
>
>pfilter is a perl-based front end to iptables that handles generating the
>appropriate rulesets for you for iptables.  You just install the RPM,
>specify the behavior you want in (by default) /etc/pfilter.conf, and
>restart the pfilter service via "service pfilter restart", and you're all set.
>
>The relevant lines from my /etc/pfilter.conf file are:
>
>	OPEN    udp     10002   # v1.1 DAST Beacon traffic (RTP)
>	OPEN    udp     10003   # v1.1 DAST Beacon traffic (RTCP)
>	OPEN    tcp     10004   # v1.1 DAST Beacon traffic (TCP)
>
>Hope this helps!
>
>Mitch
>
>PS - Nice writeup, BTW...
>
>At 06:57 PM 9/23/2004 +0200, you wrote:
>  
>
>>Hello,
>>I used to play with beacon 0.8.X and I really appreciate that you invest 
>>in the development of this beautiful tool!
>>So I upgraded to 1.1; however, I cannot figure out how to set my 
>>localhost firewall to permit either my own central server and client 
>>beacon clients to pass through correctly (I mean fine-tune the 
>>firewall) :-(
>>
>>I work on a Fedora Core 2 system (thanks for the RPMs!) -> so the firewall 
>>is netfilter/iptables.
>>I may also contribute myself to the project by writing a doc on the 
>>Fedora installation of a beacon client and server. It's available here:
>>http://www.int-evry.fr/mci/user/procacci/Doc/Beacon/beacon.html
>>
>>In this doc I mention the FAQ/info provided by NLANR about firewall 
>>configuration in my section 1.5:
>>http://www.int-evry.fr/mci/user/procacci/Doc/Beacon/beacon.html#htoc9
>>
>>Although these settings work when restarting iptables while the beacon 
>>client & server are already running, the firewall needs to be stopped at 
>>beacon client & server startup for the matrix to appear (get initialized).
>>Clearly I need to stop the iptables firewall on both client & server, 
>>then start them after matrix initialization, and it works. But if I 
>>start the firewall first, the matrix (central loss for example) keeps 
>>being empty :-(
>>
>>I suppose I am missing allowing in my iptables firewall the initial join to the 
>>multicast group maybe? Or something else?
>>
>>Has anyone configured iptables correctly to allow beacon client & server to 
>>communicate?
>>
>>Thanks a lot.
>>
>>PS: I'll correct my doc if I finally find out how to do it.
>>PS again: I played with more sophisticated iptables rules like the one 
>>below, but no way :-( ; should I continue with this kind of multicast 
>>rules?
>>
>>-A RH-Firewall-1-INPUT -m pkttype --pkt-type multicast -d 233.157.159.11 -j ACCEPT
>>
>--
>Mitch Kutzko | mitch@dast.nlanr.net | mitch@ncsa.uiuc.edu | 217-333-1199
>http://hobbes.ncsa.uiuc.edu/
>  
>


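As an added illustration (not part of the thread, and not pfilter's or beacon's own code): a small Python model of the pfilter chain quoted above, evaluated against the packets in question. It shows that every ACCEPT for udp/10002 in that listing is bound to destination petra.int-evry.fr, so corbeau's datagram addressed to the Xcast group 233.157.159.21 falls through to the final REJECT while the same datagram sent to petra's own address is accepted, and that the explicit DROP for ALL-SYSTEMS.MCAST.NET discards anything addressed to 224.0.0.1. The `-i lo` reading of the bare "ACCEPT all anywhere anywhere" line, the candidate group rule, and the packets are assumptions/constructed, not facts from the thread.

```python
import ipaddress

# pfilter chain transcribed from the iptables -L listing above, keeping only the
# rules that can match beacon traffic. Fields: target, proto, dst, dport, state, iface.
# `iptables -L` without -v hides interface matches, so the bare
# "ACCEPT all anywhere anywhere" line is ASSUMED to be `-i lo` (verify with -v).
PFILTER = [
    ("REJECT", "all", "127.0.0.0/8",       None,  None,  None),
    ("ACCEPT", "all", "anywhere",          None,  None,  "lo"),  # assumption
    ("ACCEPT", "udp", "petra.int-evry.fr", 10002, "NEW", None),
    ("ACCEPT", "udp", "petra.int-evry.fr", 10003, "NEW", None),
    ("ACCEPT", "tcp", "petra.int-evry.fr", 10004, "NEW", None),
    ("DROP",   "all", "224.0.0.1",         None,  None,  None),  # ALL-SYSTEMS.MCAST.NET
    ("REJECT", "all", "anywhere",          None,  None,  None),
]
# Candidate fix (not from the thread): accept the beacon group itself ahead of the
# final REJECT, i.e. iptables -I pfilter <n> -p udp -d 233.157.159.21 --dport 10002 -j ACCEPT
GROUP_RULE = ("ACCEPT", "udp", "233.157.159.21", 10002, "NEW", None)
PFILTER_FIXED = PFILTER[:-1] + [GROUP_RULE, PFILTER[-1]]

def dst_matches(rule_dst, pkt_dst):
    if rule_dst == "anywhere":
        return True
    if "/" in rule_dst:  # CIDR: compare as addresses; a hostname never matches a prefix
        try:
            return ipaddress.ip_address(pkt_dst) in ipaddress.ip_network(rule_dst)
        except ValueError:
            return False
    return rule_dst == pkt_dst  # hostname or single address, exactly as -L prints it

def chain_verdict(pkt, rules):
    # First matching rule wins; None means the packet fell off the end of the chain.
    for target, proto, dst, dport, state, iface in rules:
        if (proto in ("all", pkt["proto"]) and dst_matches(dst, pkt["dst"])
                and dport in (None, pkt.get("dport")) and state in (None, pkt["state"])
                and iface in (None, pkt["iface"])):
            return target
    return None

def input_verdict(pkt, rules=PFILTER):
    """INPUT chain from the listing: conntrack shortcut, jump to pfilter, policy ACCEPT."""
    if pkt["state"] in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    return chain_verdict(pkt, rules) or "ACCEPT"

def beacon_verdicts(rules=PFILTER):
    """Constructed inbound packets on eth1: unicast to petra, corbeau's beacon to the group, IGMP query."""
    base = {"proto": "udp", "dport": 10002, "state": "NEW", "iface": "eth1"}
    return {"unicast": input_verdict(dict(base, dst="petra.int-evry.fr"), rules),
            "group": input_verdict(dict(base, dst="233.157.159.21"), rules),
            "igmp_query": input_verdict({"proto": "igmp", "dst": "224.0.0.1",
                                         "state": "NEW", "iface": "eth1"}, rules)}
```

On the real host, `iptables -L -v -n` shows the hidden interface matches and per-rule packet counters, so the model can be checked against what the kernel actually matched.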
