I seem to be having a problem allowing CUPS connections after enabling iptables. My rules are simple so I am not sure what is incorrect.
My needs are to just allow ssh, http from the outside world as well as internally (192.168.1.). I only want cups connections from my internal connections (192.168.1.). My web connections and ssh connections appear to be OK, but I can't get the printers to work once I enable the firewall rules.
/etc/hosts.allow
#
# /etc/hosts.allow
#
ALL: ALL: ALLOW
sshd: 192.168.1.
sshd: 127.0.0.1
sshd: xxx.xxx.xxx.xxx (my work IP)
cups: 192.168.1.
# End of file
The script that I use to create the rules:
#!/bin/bash
iptables -F
iptables -X
# By default, allow all outbound requests.
iptables -P OUTPUT ACCEPT
# By default, deny all inbound requests.
iptables -P INPUT DROP
# By default, do not allow forwarding.
iptables -P FORWARD DROP
# Allow all localhost connections.
iptables -A INPUT -i lo -j ACCEPT
# Allow inbound ssh connections.
iptables -A INPUT -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# Allow all inbound http requests.
iptables -A INPUT -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
# Allow all inbound cups requests.
iptables -A INPUT -p tcp --destination-port 631 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --destination-port 631 -m state --state NEW -j ACCEPT
# Maps the outbound requests with the inbound requests.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Obviously I am missing something because it is not working, but I don't have a clue as to what I am missing.
P.S. I don't think the UDP for port 631 is needed, but after doing a 'netstat -a', I added it because CUPS was not seeing a connection.
Iptables can be so tricky...
There's a wiki entry on several different firewall generators. Personally, I prefer quicktables.
Well, I think I found my solution after watching tcpdump for some time. It looks like there are ICMP messages sent from Windows on port 631 as well as TCP.
Here is my latest script file that allows the connection.
#!/bin/bash
iptables -F
iptables -X
# By default, allow all outbound requests.
iptables -P OUTPUT ACCEPT
# By default, deny all inbound requests.
iptables -P INPUT DROP
# By default, do not allow forwarding.
iptables -P FORWARD DROP
# Allow all localhost connections.
iptables -A INPUT -i lo -j ACCEPT
# Allow inbound ssh connections.
iptables -A INPUT -p tcp --destination-port 22 -m state --state NEW -j ACCEPT
# Allow all inbound http requests.
iptables -A INPUT -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
# Allow all inbound cups requests.
iptables -A INPUT -p tcp --destination-port 631 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --destination-port 631 -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Maps the outbound requests with the inbound requests.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I grabbed the ICMP lines from Cactus's script that he published.
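Putting the first post and the final post together, here is an added example script (mine, not the poster's script and not Cactus's) that keeps the ssh, http and ICMP rules from the working version but also adds the source restriction the first post asked for, so CUPS only answers the 192.168.1. network. The LAN_NET variable, the INVALID drop, the rate-limited LOG rule, the two check functions and the print/apply switch are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): the thread's policy, with CUPS limited to
# the internal subnet as the first post intended. LAN_NET, the LOG rule, the check
# functions and the dry-run/apply switch are assumptions of this example.
set -u

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal subnet (the thread's 192.168.1.)

# Emit the ruleset as text so it can be reviewed before it touches the live firewall.
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
# Return traffic first, so every service rule below only has to match NEW packets.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
# ssh and http from anywhere.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# CUPS (IPP on TCP 631, browsing on UDP 631) from the LAN only: the -s match is what
# the original script lacked for the "internal only" requirement.
iptables -A INPUT -s $LAN_NET -p tcp --dport 631 -m state --state NEW -j ACCEPT
iptables -A INPUT -s $LAN_NET -p udp --dport 631 -j ACCEPT
# The ICMP types the final post found necessary.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Log (rate limited) whatever falls through to the DROP policy, so the next
# "why does the printer not work" question can be answered from syslog.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
EOF
}

# True when every rule that opens port 631 carries a source restriction.
cups_rules_are_scoped() {
    if build_rules | grep -- '--dport 631' | grep -qv -- '-s '; then
        return 1
    fi
    return 0
}

# True when the ESTABLISHED,RELATED rule precedes the first per-service rule.
established_rule_is_first() {
    est=$(build_rules | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    ssh=$(build_rules | grep -n -- '--dport 22' | cut -d: -f1)
    [ "$est" -lt "$ssh" ]
}

# Execute the generated commands (needs root); comment lines are stripped first.
apply_rules() {
    build_rules | grep -v '^#' | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Run it with no argument to print the rules for review, and as root with `apply` to load them. Two caveats that the thread's diagnosis turns on: iptables decides before the packet ever reaches cupsd, so nothing in /etc/hosts.allow can undo a DROP, and in hosts.allow the first matching line wins, so a leading `ALL: ALL: ALLOW` makes the more specific lines after it irrelevant.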