#1 2005-07-31 16:43:21

dekernel
Member
From: Vassar, MI USA
Registered: 2004-03-22
Posts: 117

CUPS Connections + IPTABLES Problems

I seem to be having a problem allowing CUPS connections after enabling iptables. My rules are simple so I am not sure what is incorrect.
My needs are to just allow ssh, http from the outside world as well as internally (192.168.1.). I only want cups connections from my internal connections (192.168.1.). My web connections and ssh connections appear to be OK, but I can't get the printers to work once I enable the firewall rules.

/etc/hosts.allow

#
# /etc/hosts.allow
#
ALL: ALL: ALLOW
sshd: 192.168.1.
sshd: 127.0.0.1
sshd: xxx.xxx.xxx.xxx (my work IP)
cups: 192.168.1.
# End of file

The script that I use to create the rules:

#!/bin/bash
iptables -F
iptables -X
# By default, allow all outbound requests.
iptables -P OUTPUT  ACCEPT

# By default, deny all inbound requests.
iptables -P INPUT   DROP

# By default, do not allow forwarding.
iptables -P FORWARD DROP

# Allow all localhost connections.
iptables -A INPUT  -i lo  -j ACCEPT

# Allow inbound ssh connections.
iptables -A INPUT  -p tcp  --destination-port 22  -m state --state NEW  -j ACCEPT

# Allow all inbound http requests.
iptables -A INPUT  -p tcp  --destination-port 80  -m state --state NEW  -j ACCEPT

# Allow all inbound cups requests.
# Note: there is no -s match here, so these two rules accept port 631
# from any source, not only from 192.168.1.0/24.
iptables -A INPUT  -p tcp  --destination-port 631  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p udp  --destination-port 631  -m state --state NEW  -j ACCEPT

# Maps the outbound requests with the inbound requests
# (replies to connections this host opened, plus related traffic).
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

Obviously I am missing something because it is not working, but I don't have a clue as to what I am missing.

P.S. I don't think the UDP for port 631 is needed, but after doing a 'netstat -a', I added it because CUPS was not seeing any connections.


#2 2005-07-31 16:49:06

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: CUPS Connections + IPTABLES Problems

Iptables can be so tricky...
There's a wiki entry on several different firewall generators. Personally, I prefer quicktables.


#3 2005-08-01 00:48:24

dekernel
Member
From: Vassar, MI USA
Registered: 2004-03-22
Posts: 117

Re: CUPS Connections + IPTABLES Problems

Well, I think I found my solution after watching tcpdump for some time. It looks like there are ICMP messages sent from Windows on port 631 as well as TCP.

Here is my latest script file that allows the connection.

#!/bin/bash
iptables -F
iptables -X
# By default, allow all outbound requests.
iptables -P OUTPUT  ACCEPT

# By default, deny all inbound requests.
iptables -P INPUT   DROP

# By default, do not allow forwarding.
iptables -P FORWARD DROP

# Allow all localhost connections.
iptables -A INPUT  -i lo  -j ACCEPT

# Allow inbound ssh connections.
iptables -A INPUT  -p tcp  --destination-port 22  -m state --state NEW  -j ACCEPT

# Allow all inbound http requests.
iptables -A INPUT  -p tcp  --destination-port 80  -m state --state NEW  -j ACCEPT

# Allow inbound cups requests, from the internal network only
# (-s restricts the source to 192.168.1.0/24; without it port 631 is open to everyone).
iptables -A INPUT  -p tcp  -s 192.168.1.0/24  --destination-port 631  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p udp  -s 192.168.1.0/24  --destination-port 631  -m state --state NEW  -j ACCEPT

# Allow the ICMP types the clients were seen sending. These match any source;
# add -s 192.168.1.0/24 to echo-request if pings from outside should be dropped as well.
iptables -A INPUT  -p icmp --icmp-type echo-request  -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type echo-reply  -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type destination-unreachable  -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type parameter-problem -j ACCEPT

# Maps the outbound requests with the inbound requests
# (replies to connections this host opened, plus related traffic).
# Every rule above is an ACCEPT, so order does not change the result here,
# but this rule is usually placed first so established flows skip the rest.
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT

I grabbed the ICMP lines from Cactus's script that he published.

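The two rulesets in this thread, checked offline. This is an added example, not code from either poster and not iptables itself: a small Python model of the INPUT chain's first-match evaluation and default policy, covering only the matches the posted scripts use (-i, -s, -p, --destination-port/--dport, --icmp-type, -m state --state). The first ruleset is post #1's as posted; the second is post #3's ICMP-capable ruleset with a `-s 192.168.1.0/24` restriction added on the CUPS and echo-request rules, which is this example's assumption reflecting the stated requirement that only internal hosts print. The probe packets and the addresses 203.0.113.7 and 192.168.1.20 are constructed.

```python
"""Toy evaluator for the iptables INPUT-chain syntax used in this thread.

Added example, not code from the thread or from the iptables project. It models
only first-match semantics plus the chain's default policy, for the handful of
matches the posted scripts use, so a ruleset can be sanity-checked against
sample packets without root or a live kernel. It is not a substitute for
testing on the real host (conntrack state, in particular, is assumed here).
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Rules from post #1, copied as posted (no source restriction on port 631).
POST1 = """
iptables -A INPUT  -i lo  -j ACCEPT
iptables -A INPUT  -p tcp  --destination-port 22  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p tcp  --destination-port 80  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p tcp  --destination-port 631  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p udp  --destination-port 631  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

# Post #3's rules with the ESTABLISHED rule first and a LAN source restriction
# on CUPS and echo-request. The -s clauses are this example's assumption,
# matching the stated goal of "cups connections only from 192.168.1.".
FIXED = """
iptables -A INPUT  -i lo  -j ACCEPT
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -p tcp  --dport 22  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p tcp  --dport 80  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p tcp  -s 192.168.1.0/24 --dport 631  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p udp  -s 192.168.1.0/24 --dport 631  -m state --state NEW  -j ACCEPT
iptables -A INPUT  -p icmp -s 192.168.1.0/24 --icmp-type echo-request  -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type destination-unreachable  -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT  -p icmp --icmp-type parameter-problem -j ACCEPT
"""


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str                        # IPv4 source address
    iface: str = "eth0"             # ingress interface, "lo" for loopback
    dport: Optional[int] = None     # destination port for tcp/udp
    icmp_type: Optional[str] = None  # iptables --icmp-type name for icmp
    state: str = "NEW"              # conntrack state as -m state would see it


# Option flag -> criterion name; each consumes one following argument.
_OPTS = {"-i": "iface", "-s": "src", "-p": "proto", "--dport": "dport",
         "--destination-port": "dport", "--icmp-type": "icmp_type",
         "--state": "state", "-j": "target"}


def parse_rule(line: str) -> dict:
    """Turn one 'iptables -A INPUT ...' line into {criterion: value, "target": ...}."""
    argv, rule, i = shlex.split(line), {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok in _OPTS:
            rule[_OPTS[tok]] = argv[i + 1]
            i += 2
        elif tok in ("-A", "-m"):   # chain name / match module name: not needed here
            i += 2
        elif tok == "iptables":
            i += 1
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
    if "target" not in rule:
        raise ValueError(f"rule has no -j target: {line}")
    return rule


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Every criterion present in the rule must hold; absent criteria match anything."""
    checks = {
        "iface": lambda v: v == pkt.iface,
        "src": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v, strict=False),
        "proto": lambda v: v == pkt.proto,
        "dport": lambda v: int(v) == pkt.dport,
        "icmp_type": lambda v: v == pkt.icmp_type,
        "state": lambda v: pkt.state in v.split(","),
    }
    return all(checks[k](v) for k, v in rule.items() if k != "target")


def verdict(script: str, pkt: Packet, policy: str = "DROP") -> str:
    """Walk the INPUT chain top to bottom; the first matching rule wins, else the policy."""
    for line in script.splitlines():
        line = line.strip()
        if not line.startswith("iptables -A INPUT"):
            continue                # -F/-X/-P lines, comments and blanks are ignored
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


def audit(script: str) -> dict:
    """Constructed probe packets covering the thread's cases; returns {label: verdict}."""
    probes = {
        "ssh from internet":        Packet("tcp", "203.0.113.7", dport=22),
        "cups/tcp from LAN":        Packet("tcp", "192.168.1.20", dport=631),
        "cups/tcp from internet":   Packet("tcp", "203.0.113.7", dport=631),
        "ping from LAN":            Packet("icmp", "192.168.1.20", icmp_type="echo-request"),
        "ping from internet":       Packet("icmp", "203.0.113.7", icmp_type="echo-request"),
        "reply to our own request": Packet("tcp", "203.0.113.7", dport=40000, state="ESTABLISHED"),
        "stray packet, no flow":    Packet("tcp", "203.0.113.7", dport=22, state="INVALID"),
    }
    return {label: verdict(script, pkt) for label, pkt in probes.items()}


if __name__ == "__main__":
    for name, script in (("post #1", POST1), ("restricted", FIXED)):
        print(f"--- {name} ---")
        for label, v in audit(script).items():
            print(f"{label:28s} {v}")
```

Running it side by side shows the two things the thread is about: post #1's rules accept port 631 from any source, and they drop every ICMP type because nothing matches `-p icmp` before the DROP policy, which is consistent with the ICMP traffic post #3 found in tcpdump; the restricted variant keeps the ICMP fix for LAN hosts but stops answering IPP and pings from outside. Because the model only knows the matches listed above, any other option raises instead of being silently ignored.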

Powered by FluxBB