
#1 2008-05-30 04:21:30

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Arno-iptables-firewall and CUPS

Hello everyone.

I'm having a problem with my firewall and CUPS. The thing is, when I try to print while the firewall is active, the programs (kword, kcontrol, etc.) can't contact the CUPS daemon. But when the firewall is stopped I can print normally. The problem is obviously something with the firewall configuration.

So, the question is, does anyone know how I should configure the firewall (Arno's iptables firewall) in order to solve this problem? I thought about opening the CUPS port (631), but this wouldn't be the best solution. I don't want to open a port that shouldn't be open.

The weird thing is that I can access CUPS through localhost:631 using Konqueror, but incredibly slowly. I don't know why the firewall is blocking CUPS.

I almost forgot. Before you ask, the printer is connected directly to my computer. It's not a network printer. I have the needed module loaded (usblp) and the CUPS server is running.

Thanks in advance,
Gonza

Last edited by Gonzakpo (2008-06-20 20:16:20)


#2 2008-05-30 06:21:32

Redroar
Member
Registered: 2008-03-17
Posts: 200

Re: Arno-iptables-firewall and CUPS

Run the following commands with root privileges, with iptables running, and see if it works.

# -I inserts at the top of the chain; -A would append below the chain's final DROP rule and never match
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT

Honestly, it just sounds like the loopback isn't getting cleared by the firewall....

What exactly is "Arno's" iptables firewall?


Stop looking at my signature. It betrays your nature.


#3 2008-05-30 07:34:00

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: Arno-iptables-firewall and CUPS

Arno's iptables firewall is an iptables script ( http://rocky.eld.leidenuniv.nl/ ).

Gonzakpo: I have Arno and CUPS running on my server and it works in my LAN. Do you have any other services that do not work on localhost when Arno is running?


#4 2008-05-30 15:15:16

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Re: Arno-iptables-firewall and CUPS

Hello.

Redroar: Those rules didn't work. Thanks anyway.

Purch: Not really. The only thing I have is a switch between the DSL modem and my computer. I have two computers at home, but they are not even networked. The switch's only purpose is the redistribution of the internet connection.

The problem is really weird because I looked for a solution everywhere and nobody seems to have my problem :S
I've installed it from AUR.


#5 2008-05-30 15:29:52

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Re: Arno-iptables-firewall and CUPS

Couldn't it be something wrong with the new kernel and iptables?

Another weird thing. If I start up my computer without the firewall everything works OK, but if I put the arno-iptables-firewall daemon in my rc.conf the printer becomes unreachable for all programs EXCEPT Konqueror.
And the "funny" thing is that once I've booted my computer with the firewall, if I disable it (stop the daemon) the printer still doesn't work. I have to restart the computer and the printer is back in the game...

weeeirrrd...


#6 2008-05-30 15:53:19

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: Arno-iptables-firewall and CUPS

Hmm, I have not upgraded my kernel to 2.6.25 yet. I cannot check this until I upgrade the kernel, which I will do soon; until then I cannot help you.

There seems to be a new beta of the firewall script. I will update the package soon. There is nothing related to this on the Arno mailing list.


#7 2008-05-30 16:05:21

Redroar
Member
Registered: 2008-03-17
Posts: 200

Re: Arno-iptables-firewall and CUPS

Hmmm. Try doing iptables -F and see if it works after that. If not, then re-run Arno's script and post the output of iptables -vL.


Stop looking at my signature. It betrays your nature.


#8 2008-05-30 16:48:41

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Re: Arno-iptables-firewall and CUPS

Hello.

I tried the command iptables -F, but nothing. The CUPS server is still unreachable by kcontrol.

After running Arno's firewall, the iptables -vL output is:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
   15  2568 ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED tcp dpts:1024:65535 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state RELATED udp dpts:1024:65535 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED 
    8  1515 HOST_BLOCK  all  --  any    any     anywhere             anywhere            
    8  1515 SPOOF_CHK  all  --  any    any     anywhere             anywhere            
    8  1515 VALID_CHK  all  --  eth0   any     anywhere             anywhere            
    8  1515 EXT_INPUT_CHAIN !icmp --  eth0   any     anywhere             anywhere            state NEW 
    0     0 EXT_INPUT_CHAIN  icmp --  eth0   any     anywhere             anywhere            state NEW limit: avg 60/sec burst 100 
    0     0 EXT_ICMP_FLOOD_CHAIN  icmp --  eth0   any     anywhere             anywhere            state NEW 
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 1/sec burst 5 LOG level info prefix `Dropped INPUT packet: ' 
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            
    0     0 TCPMSS     tcp  --  any    eth0    anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED 
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state RELATED tcp dpts:1024:65535 
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            state RELATED udp dpts:1024:65535 
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            state RELATED 
    0     0 HOST_BLOCK  all  --  any    any     anywhere             anywhere            
    0     0 UPNP_FORWARD  all  --  eth0   !eth0   anywhere             anywhere            
    0     0 SPOOF_CHK  all  --  any    any     anywhere             anywhere            
    0     0 VALID_CHK  all  --  eth0   any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 1/min burst 3 LOG level info prefix `Dropped FORWARD packet: ' 
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy ACCEPT 8 packets, 552 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  any    eth0    anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    7   340 ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED 
    8   552 HOST_BLOCK  all  --  any    any     anywhere             anywhere            
    0     0 LOG        all  -f  any    any     anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FRAGMENTED PACKET (OUT): ' 
    0     0 DROP       all  -f  any    any     anywhere             anywhere            
    8   552 EXT_OUTPUT_CHAIN  all  --  any    eth0    anywhere             anywhere            

Chain DMZ_INET_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_INPUT_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DMZ_LAN_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain EXT_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain EXT_ICMP_FLOOD_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable flood: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp destination-unreachable 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded flood: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp time-exceeded 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem flood: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp parameter-problem 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp echo-request limit: avg 12/hour burst 1 LOG level info prefix `ICMP-request(ping) flood: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-request 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp echo-reply limit: avg 12/hour burst 1 LOG level info prefix `ICMP-reply(pong) flood: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-reply 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp source-quench limit: avg 12/hour burst 1 LOG level info prefix `ICMP-source-quench flood: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp source-quench 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            limit: avg 12/hour burst 1 LOG level info prefix `ICMP(other) flood: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            

Chain EXT_INPUT_CHAIN (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `TCP port 0 OS fingerprint: ' 
    0     0 LOG        udp  --  any    any     anywhere             anywhere            udp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `UDP port 0 OS fingerprint: ' 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp dpt:0 
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp dpt:0 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `TCP source port 0: ' 
    0     0 LOG        udp  --  any    any     anywhere             anywhere            udp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `UDP source port 0: ' 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp spt:0 
    0     0 DROP       udp  --  any    any     anywhere             anywhere            udp spt:0 
    4  1314 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc 
    0     0 ACCEPT     tcp  --  +      any     anywhere             anywhere            tcp dpt:4872 
    0     0 ACCEPT     udp  --  +      any     anywhere             anywhere            udp dpt:4875 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp echo-request limit: avg 3/min burst 1 LOG level info prefix `ICMP-request: ' 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable: ' 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded: ' 
    0     0 LOG        icmp --  any    any     anywhere             anywhere            icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem: ' 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp destination-unreachable 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp time-exceeded 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp parameter-problem 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-request 
    0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-reply 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (UNPRIV)?: ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpts:0:1023 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (PRIV)?: ' 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): ' 
    0     0 LOG        udp  --  any    any     anywhere             anywhere            udp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): ' 
    2    96 LOG        tcp  --  any    any     anywhere             anywhere            tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): ' 
    1    57 LOG        udp  --  any    any     anywhere             anywhere            udp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): ' 
    3   144 DROP       tcp  --  any    any     anywhere             anywhere            
    1    57 DROP       udp  --  any    any     anywhere             anywhere            
    0     0 DROP       icmp --  any    any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere            limit: avg 1/min burst 5 LOG level info prefix `Other-IP connection attempt: ' 
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain EXT_OUTPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain HOST_BLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INET_DMZ_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LAN_INET_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LAN_INPUT_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain MAC_FILTER (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_FORWARD_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_INPUT_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain POST_OUTPUT_CHAIN (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain RESERVED_NET_CHK (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     10.0.0.0/8           anywhere            limit: avg 1/min burst 1 LOG level info prefix `Class A address: ' 
    0     0 LOG        all  --  any    any     172.16.0.0/12        anywhere            limit: avg 1/min burst 1 LOG level info prefix `Class B address: ' 
    0     0 LOG        all  --  any    any     192.168.0.0/16       anywhere            limit: avg 1/min burst 1 LOG level info prefix `Class C address: ' 
    0     0 LOG        all  --  any    any     169.254.0.0/16       anywhere            limit: avg 1/min burst 1 LOG level info prefix `Class M$ address: ' 
    0     0 DROP       all  --  any    any     10.0.0.0/8           anywhere            
    0     0 DROP       all  --  any    any     172.16.0.0/12        anywhere            
    0     0 DROP       all  --  any    any     192.168.0.0/16       anywhere            
    0     0 DROP       all  --  any    any     169.254.0.0/16       anywhere            

Chain SPOOF_CHK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    8  1515 RETURN     all  --  any    any     anywhere             anywhere            

Chain UPNP_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain VALID_CHK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS scan: ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-PSH scan: ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-ALL scan: ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/min burst 5 LOG level info prefix `Stealth FIN scan: ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/RST scan: ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/FIN scan(?): ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/min burst 5 LOG level info prefix `Stealth Null scan: ' 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp option=64 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(64): ' 
    0     0 LOG        tcp  --  any    any     anywhere             anywhere            tcp option=128 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(128): ' 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=64 
    0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp option=128 
    0     0 DROP       all  --  any    any     anywhere             anywhere            state INVALID 
    0     0 LOG        all  -f  any    any     anywhere             anywhere            limit: avg 3/min burst 1 LOG level warning prefix `Fragmented packet: ' 
    0     0 DROP       all  -f  any    any     anywhere             anywhere

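A check on the posted ruleset, added here as an example; it is not code from the thread, from Arno's script or from the iptables project. It parses `iptables -vL` output and walks INPUT and OUTPUT top-down for a packet arriving on or leaving via lo, following jumps into user-defined chains, and reports the first terminal verdict it hits or else the chain policy. Run over the INPUT and OUTPUT chains posted above (trimmed to the rules that matter and embedded as a constructed sample), it confirms what the dump already shows: loopback is accepted by the very first INPUT rule and falls through to OUTPUT's ACCEPT policy, so the iptables layer is not what blocks 127.0.0.1:631 here. The second constructed sample shows why an `iptables -A INPUT -i lo -j ACCEPT` appended below Arno's final `DROP all` rule changes nothing: rule order is decisive. Assumptions: the stock `iptables -vL` column layout, and a deliberately conservative matcher that treats rules carrying state, port or fragment qualifiers as not matching a loopback packet.

```python
import re
from collections import namedtuple

# Chain header in `iptables -vL` output: "Chain INPUT (policy DROP ...)" or "Chain HOST_BLOCK (3 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Columns of a rule line; `extra` is the trailing match text ("state ESTABLISHED", "tcp dpt:631", ...)
Rule = namedtuple("Rule", "target prot opt inp out src dst extra")


def parse_iptables_vL(text):
    """Parse `iptables -vL` output into {chain: {"policy": str|None, "rules": [Rule]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.lstrip().startswith("pkts"):
            continue
        # pkts bytes target prot opt in out source destination [match text]
        parts = line.split(None, 9)
        if len(parts) >= 9:
            current["rules"].append(Rule(*parts[2:9], parts[9].strip() if len(parts) == 10 else ""))
    return chains


def _matches_loopback(rule, col):
    # Assumption: a rule matches a loopback packet only when it is unconditional apart from
    # the interface: any protocol, no fragment flag ("-f" in the opt column), no extra match text.
    return (getattr(rule, col) in ("any", "lo") and rule.prot == "all" and rule.opt == "--"
            and rule.src == "anywhere" and rule.dst == "anywhere" and rule.extra == "")


def _walk(chains, name, col, depth=0):
    if depth > 16:
        raise RecursionError("chain jumps nested too deeply")
    for rule in chains[name]["rules"]:
        if not _matches_loopback(rule, col):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target == "RETURN":
            return None
        if rule.target in chains:  # jump into a user-defined chain; fall through if it gives no verdict
            verdict = _walk(chains, rule.target, col, depth + 1)
            if verdict is not None:
                return verdict
    return None


def loopback_verdict(chains, chain_name):
    """First terminal verdict a loopback packet hits in INPUT/OUTPUT, else the chain policy."""
    col = "inp" if chain_name == "INPUT" else "out"
    verdict = _walk(chains, chain_name, col)
    return verdict if verdict is not None else "policy " + str(chains[chain_name]["policy"])


# Constructed sample: the INPUT/OUTPUT chains as posted in the thread, trimmed to the rules
# that matter for loopback, plus the two empty user chains they jump to.
SAMPLE_OK = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   15  2568 ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED
    8  1515 HOST_BLOCK  all  --  any    any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 8 packets, 552 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TCPMSS     tcp  --  any    eth0    anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    7   340 ACCEPT     all  --  any    any     anywhere             anywhere            state ESTABLISHED
    8   552 HOST_BLOCK  all  --  any    any     anywhere             anywhere
    0     0 DROP       all  -f  any    any     anywhere             anywhere
    8   552 EXT_OUTPUT_CHAIN  all  --  any    eth0    anywhere             anywhere

Chain EXT_OUTPUT_CHAIN (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain HOST_BLOCK (3 references)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed counter-example: the lo rule was added with `-A`, so it sits below the
# final catch-all DROP and can never match.
SAMPLE_APPENDED = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
"""

if __name__ == "__main__":
    for label, text in (("posted ruleset", SAMPLE_OK), ("lo rule appended after DROP", SAMPLE_APPENDED)):
        chains = parse_iptables_vL(text)
        for name in ("INPUT", "OUTPUT"):
            if name in chains:
                print(f"{label}: loopback in {name} -> {loopback_verdict(chains, name)}")
```

On a live box, feed it `iptables -vL` directly (`python3 check_lo.py < <(iptables -vL)` after swapping the sample for `sys.stdin.read()`); a verdict other than ACCEPT for INPUT or OUTPUT is the firewall problem the thread was looking for, and a "policy DROP" result with no lo rule at all is the case the two `-I` commands above fix.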

#9 2008-05-31 01:49:10

Redroar
Member
Registered: 2008-03-17
Posts: 200

Re: Arno-iptables-firewall and CUPS

I honestly don't see anything wrong with that script... But I do realize that the command (iptables -F) should have been followed by:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

So do iptables -F, then those three. That should pretty much cripple anything useful iptables does, but it will show whether the mere fact that it's running, whether or not it's filtering anything, is what messes it up.

I can confirm that my up-to-date (just Syu'ed a couple of minutes ago) system can use CUPS fine, with a firewall relatively similar to your own. Oh, and what architecture are you on?


Stop looking at my signature. It betrays your nature.


#10 2008-05-31 11:05:20

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: Arno-iptables-firewall and CUPS

I see you use KDE. I fixed mine by configuring Print Manager (Control Center/Peripherals/Printers) to connect to '127.0.0.1' instead of 'localhost'.

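A check for the difference Purch's fix relies on, added here as an example and not code from the thread, from KDE or from CUPS. 'localhost' is a name, and the resolver may return more than one address for it (typically 127.0.0.1 and, where IPv6 is configured, ::1), while '127.0.0.1' is one fixed IPv4 address. A daemon bound only to 127.0.0.1 answers on one and refuses the other, and IPv4 iptables rules say nothing about ::1 traffic, which is ip6tables' domain. The thread does not establish that this was Gonzakpo's root cause; the script only makes the two cases observable. It binds a throwaway listener on 127.0.0.1 (a constructed stand-in for a daemon, not CUPS, on a kernel-chosen port rather than 631) and probes every address 'localhost' resolves to.

```python
import socket
from contextlib import closing


def resolve(name, port):
    """Every (family, address) the resolver returns for `name`, IPv4 and IPv6 alike, deduplicated."""
    seen = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(name, port, type=socket.SOCK_STREAM):
        entry = (family, sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def listen_on(addr="127.0.0.1", port=0):
    """Constructed stand-in for a daemon bound to one address (like a CUPS `Listen 127.0.0.1:631`).
    port=0 lets the kernel pick a free port; this is not CUPS and does not touch 631."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((addr, port))
    srv.listen(5)
    return srv


def can_connect(family, addr, port, timeout=0.5):
    """True if a TCP handshake to (addr, port) completes; False on refusal, timeout or unsupported family."""
    try:
        with closing(socket.socket(family, socket.SOCK_STREAM)) as c:
            c.settimeout(timeout)
            c.connect((addr, port))
            return True
    except OSError:
        return False


def reachability(name, port):
    """Map each address `name` resolves to -> whether a connect to `port` on it succeeds."""
    return {addr: can_connect(family, addr, port) for family, addr in resolve(name, port)}


def demo():
    """Bind the stand-in daemon on 127.0.0.1 only, then probe it by name and by literal address."""
    srv = listen_on("127.0.0.1")
    port = srv.getsockname()[1]
    try:
        return reachability("localhost", port), reachability("127.0.0.1", port)
    finally:
        srv.close()


if __name__ == "__main__":
    by_name, by_literal = demo()
    print("via 'localhost':", by_name)     # 127.0.0.1 -> True; ::1 -> False if the resolver returns it
    print("via '127.0.0.1':", by_literal)  # {'127.0.0.1': True}
```

Point the same probe at a real daemon with `reachability("localhost", 631)` to see which of the addresses a client trying 'localhost' may pick actually has something listening; a False entry for ::1 beside a True for 127.0.0.1 means the client's choice of address, not the IPv4 firewall, decides whether the connection succeeds.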

#11 2008-05-31 11:24:52

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Re: Arno-iptables-firewall and CUPS

Thank you guys for the answers.

Well, I'm starting to think that there is something wrong with KDEmod. I tried changing the iptables rules, but the printer is still unreachable.
I'll try what Purch said later. I'm late for class.

Thanks again. I'll post the result later.


#12 2008-05-31 11:35:19

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: Arno-iptables-firewall and CUPS

I use KDEmod too. The fix was for KDE, from the SUSE forums (posted 2006).


#13 2008-05-31 17:31:33

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Re: Arno-iptables-firewall and CUPS

Redroar, Purch, thank you sooo much for your help.

Purch, that "trick" fixed my problem!! I would never have figured it out on my own. Thank you!! I wonder why the KDEmod guys didn't fix it a long time ago.

Moderators: you can mark this topic as solved!


#14 2008-05-31 17:37:46

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: Arno-iptables-firewall and CUPS

Gonzakpo: You can change the topic by editing your first post.


#15 2008-05-31 17:40:26

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Re: Arno-iptables-firewall and CUPS

Alright. I've already changed it. Thank you again.


#16 2008-05-31 17:59:21

tigrmesh
IRC Op
From: Florida, US
Registered: 2007-12-11
Posts: 792

Re: Arno-iptables-firewall and CUPS

Gonzakpo wrote:

Moderators: you can mark this topic as solved!

Mark this as solved by changing the subject line (edit your first post).


#17 2008-06-20 20:16:03

Gonzakpo
Member
Registered: 2008-05-17
Posts: 45

Re: Arno-iptables-firewall and CUPS

Hello everyone.

I have bad news. My printer stopped working again and I don't know why...
This time I'm almost sure that the problem isn't the firewall. There must be something else...
Both the kernel and CUPS detect the printer. CUPS is running fine, of course. I've changed the KDEmod configuration from localhost to 127.0.0.1 and nothing...
When I try to print anything, Kjobviewer appears saying that the job is being processed, but nothing happens then. It's as if the printer were inaccessible.

I hope somebody can help me (again :S).
Thanks.

