Hi
I cannot find what I am missing, so I need some help.
With iptables stopped on my local server, my scanner works perfectly. With iptables started, using simple-scan, the scanner is activated and scans, but on the client side the image is never received.
I followed the wiki and added a file
nf_conntrack_sane.conf
under
/etc/modules-load.d/
(not sure if this was necessary).
This is the result of
#iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:snmp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:printer state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:8095 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:sane-port
Chain UDP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mdns state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:mdns state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:snmp
ACCEPT udp -- anywhere anywhere udp dpt:sane-port
I think I am missing something about conntrack, so I made some attempts, but went nowhere.
Last edited by eriol (2020-11-12 08:39:26)
Offline
Did you read and follow these instructions?
https://wiki.archlinux.org/index.php/SANE#Firewall
Last edited by schard (2020-11-10 09:49:32)
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
Did you read and follow these instructions?
https://wiki.archlinux.org/index.php/SANE#Firewall
Yes, but, as stated in
/etc/sane.d/saned.conf
## Daemon options
# Port range for the data connection. Choose a range inside [1024 - 65535].
# Avoid specifying too large a range, for performance reasons.
#
# ONLY use this if your saned server is sitting behind a firewall. If your
# firewall is a Linux machine, we strongly recommend using the
# Netfilter nf_conntrack_sane connection tracking module instead.
#
I would like to use nf_conntrack_sane instead of opening a port range for the data connection. As far as I can understand, using nf_conntrack_sane makes it unnecessary to open the data port range. Am I wrong?
Offline
To set up the server, first indicate which hosts on your network are allowed access.
Which addresses did you add ?
please post the output of
$ scanimage -L
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
sane page on archwiki wrote:To set up the server, first indicate which hosts on your network are allowed access.
Which addresses did you add ?
localhost
192.168.1.0/24
please post the output of
$ scanimage -L
on client
$ scanimage -L
device `net:192.168.1.52:xerox_mfp:libusb:001:002' is a Samsung M2070 Series multi-function peripheral
Offline
so you must enable connections to 6566/tcp and data_portrange from /etc/sane.d/saned.conf or use conntrack firewall module for sane to enable data ports as described above
I read that as
6566/tcp AND (data_portrange from /etc/sane.d/saned.conf OR use conntrack firewall module)
not as
(6566/tcp AND data_portrange from /etc/sane.d/saned.conf) OR use conntrack firewall module
But since I do not have a network attached scanner, I did not test this.
In any case, I'd check whether allowing 6566/tcp makes it work for you.
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
In any case, I'd check whether allowing 6566/tcp makes it work for you.
That should already be allowed (see sane-port in iptables -L)
I think I am missing some rule that tells iptables that a connection related to sane on some data port can be accepted.
I tried with something like
-A TCP -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -m helper --helper sane -j ACCEPT
and some other variants, but had no result.
Last edited by eriol (2020-11-10 12:15:15)
Offline
added a file nf_conntrack_sane.conf under /etc/modules-load.d/
cat /etc/modules-load.d/nf_conntrack_sane.conf
lsmod | grep conntrack
Offline
added a file nf_conntrack_sane.conf under /etc/modules-load.d/
cat /etc/modules-load.d/nf_conntrack_sane.conf
lsmod | grep conntrack
xt_conntrack 16384 13
nf_conntrack 172032 2 xt_conntrack,xt_state
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 1 nf_conntrack
x_tables 53248 6 xt_conntrack,iptable_filter,xt_state,xt_tcpudp,ipt_REJECT,ip_tables
Offline
sudo modprobe nf_conntrack-sane
I assume the file is empty?
https://wiki.archlinux.org/index.php/Ke … th_systemd
Offline
sudo modprobe nf_conntrack-sane
I assume the file is empty?
https://wiki.archlinux.org/index.php/Ke … th_systemd
Sorry, I did not notice the cat in your previous answer.
Anyway, before my previous answer, I removed /etc/modules-load.d/nf_conntrack_sane.conf for one of the attempts (and it did not work anyway).
Now,
# cat /etc/modules-load.d/nf_conntrack_sane.conf
nf_conntrack_sane
#lsmod | grep conntrack
xt_conntrack 16384 13
nf_conntrack_sane 20480 0
nf_conntrack 172032 3 xt_conntrack,xt_state,nf_conntrack_sane
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 1 nf_conntrack
x_tables 53248 6 xt_conntrack,iptable_filter,xt_state,xt_tcpudp,ipt_REJECT,ip_tables
modprobe nf_conntrack_sane
gives no output
But client still does not receive image
Offline
Note: saned intentionally refuses to share scanners that use the net: backend (which includes some USB scanners). There is a crude patch to allow this in FS#54786, but note it may cause problems on some networks. Check output of scanimage -L on the server to see the scanner url.
What is the output of scanimage -L on the server
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
tipbox from wiki wrote:Note: saned intentionally refuses to share scanners that use the net: backend (which includes some USB scanners). There is a crude patch to allow this in FS#54786, but note it may cause problems on some networks. Check output of scanimage -L on the server to see the scanner url.
What is the output of scanimage -L on the server
# scanimage -L
device `xerox_mfp:libusb:001:004' is a Samsung M2070 Series multi-function peripheral
Offline
https://wiki.archlinux.org/index.php/Iptables#Logging so we might see where this hangs.
Offline
https://wiki.archlinux.org/index.php/Iptables#Logging so we might see where this hangs.
I made a couple of attempts to see if the ports involved are the same.
# journalctl -k | grep "IN=.*OUT=.*"
nov 11 17:01:21 minipcchio kernel: IN=enp2s0 OUT= MAC=$(mac) SRC=192.168.1.156 DST=192.168.1.52 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9642 DF PROTO=TCP SPT=54542 DPT=38083 WINDOW=64240 RES=0x00 SYN URGP=0
# journalctl -k | grep "IN=.*OUT=.*"
nov 11 17:07:16 minipcchio kernel: IN=enp2s0 OUT= MAC=$(mac) SRC=192.168.1.156 DST=192.168.1.52 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21701 DF PROTO=TCP SPT=49350 DPT=43629 WINDOW=64240 RES=0x00 SYN URGP=0
(Btw using the data port range works, but I want to understand why nf_conntrack does not)
Offline
http://home.regit.org/wp-content/upload … lpers.html
Conntrack helpers seem to be disabled by default, you must either explicitly assign them to the rule or enable them via /proc/sys/net/netfilter/nf_conntrack_helper
Offline
http://home.regit.org/wp-content/upload … lpers.html
Conntrack helpers seem to be disabled by default, you must either explicitly assign them to the rule or enable them via /proc/sys/net/netfilter/nf_conntrack_helper
So this
# echo "options nf_conntrack nf_conntrack_helper=1" >> /etc/modprobe.d/local.conf
seems to solve the question
Thank you everyone for your help
Offline
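A worked version of the two technical points in this thread, added here as an example (it is not code posted by anyone in the thread, nor from the SANE or Arch projects): the helper assignment that the last post solves with nf_conntrack_helper=1, and a check over the kernel LOG lines posted earlier. Instead of the sysctl, which the kernel removed in Linux 6.0, the rules below assign the sane helper explicitly with the CT target in the raw table, so the helper only ever inspects the control port from the allowed subnet. The addresses and ports come from the thread; the function names, the DATA_PORT_LOW/DATA_PORT_HIGH variables and the sample line are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the iptables rules that make
# saned's data connection RELATED through the sane conntrack helper, and
# classify iptables LOG lines like the ones posted above. Nothing is applied
# unless APPLY=1 is set and the script runs as root.

SANED_PORT=6566                  # saned control port ("sane-port" in iptables -L)
SANED_SERVER=192.168.1.52        # server address taken from the posted log lines
SANED_CLIENTS=192.168.1.0/24     # the net allowed in saned.conf
DATA_PORT_LOW=${DATA_PORT_LOW:-}    # set both only if saned.conf uses data_portrange
DATA_PORT_HIGH=${DATA_PORT_HIGH:-}

# Rules that replace the nf_conntrack_helper=1 auto-assignment (removed in
# Linux 6.0): assign the helper in the raw table for the control port only, and
# accept the data connection only when conntrack marked it RELATED by that
# helper. The INPUT rule is redundant with the thread's first INPUT rule
# (ctstate RELATED,ESTABLISHED) but makes the dependency on the helper explicit.
sane_helper_rules() {
    cat <<EOF
modprobe nf_conntrack_sane
iptables -t raw -A PREROUTING -p tcp -s $SANED_CLIENTS -d $SANED_SERVER --dport $SANED_PORT -j CT --helper sane
iptables -I INPUT 1 -p tcp -m conntrack --ctstate RELATED -m helper --helper sane -j ACCEPT
EOF
}

# Pull one KEY=value field (e.g. DPT) out of an iptables LOG line.
log_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Say what a logged TCP SYN to the server is: the saned control connection,
# a data connection inside a configured data_portrange, or a data connection
# on a random high port, which only the conntrack helper can admit.
classify_log_line() {
    dst=$(log_field DST "$1")
    proto=$(log_field PROTO "$1")
    dpt=$(log_field DPT "$1")
    if [ "$dst" != "$SANED_SERVER" ] || [ "$proto" != "TCP" ] || [ -z "$dpt" ]; then
        echo unrelated
    elif [ "$dpt" = "$SANED_PORT" ]; then
        echo control
    elif [ -n "$DATA_PORT_LOW" ] && [ "$dpt" -ge "$DATA_PORT_LOW" ] && [ "$dpt" -le "$DATA_PORT_HIGH" ]; then
        echo data-in-range
    else
        echo data-needs-helper
    fi
}

# Constructed sample: the first LOG line posted in the thread (MAC redacted as there).
SAMPLE_LINE='nov 11 17:01:21 minipcchio kernel: IN=enp2s0 OUT= MAC=$(mac) SRC=192.168.1.156 DST=192.168.1.52 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9642 DF PROTO=TCP SPT=54542 DPT=38083 WINDOW=64240 RES=0x00 SYN URGP=0'

sane_helper_rules
printf 'sample line: %s\n' "$(classify_log_line "$SAMPLE_LINE")"
if [ "${APPLY:-0}" = 1 ]; then
    sane_helper_rules | sh
fi
```

Run it as-is to see the rules and the verdict on the posted line (data-needs-helper: 38083 is neither 6566 nor inside a data_portrange), or pipe `journalctl -k | grep 'DST=192.168.1.52'` lines through classify_log_line to see which of the logged drops the helper should have turned into RELATED. Once the raw-table rule is loaded, `conntrack -L` on the server shows the control connection with `helper=sane` and the data connection as an expectation.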