Koozali.org: home of the SME Server

unable to open port 60148

doumebzh

unable to open port 60148
« on: October 18, 2002, 02:48:50 PM »
Hello,
Excuse me for my English.
I have a problem using a Domino 5 server on SME 5.1.2.
I can open port 60148 to the internet, used by Domino.
From the internet, ports 80 and 22 are open, but not 60148.
Thank you for your help.
Here is what I have tried (it doesn't work):

STEP 1: login as: root

STEP 2: Create the new template directories:

mkdir -p /etc/e-smith/templates-custom/etc
mkdir -p /etc/e-smith/templates-custom/etc/rc.d
mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d



STEP 3: Copy the existing templates to the custom area:

cp -rp /etc/e-smith/templates/etc/rc.d/init.d/masq /etc/e-smith/templates-custom/etc/rc.d/init.d/

STEP 4:  Change to the custom directory:

cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

STEP 5: Create new file:

pico 45AllowDIIOP

STEP 6: add these lines

X = my server's DNS name
Y = the IP of my server on the internet

/sbin/ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 60148
/sbin/ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d localhost 60148
/sbin/ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d XXXXXXXXX 60148
/sbin/ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d YYY.YYY.YYY.YYY 60148

/sbin/ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 60148
/sbin/ipchains -A input -j ACCEPT -p tcp -s localhost -d 0.0.0.0/0 60148
/sbin/ipchains -A input -j ACCEPT -p tcp -s XXXXXXXXXX -d 0.0.0.0/0 60148
/sbin/ipchains -A input -j ACCEPT -p tcp -s YYY.YYY.YYY.YYY -d 0.0.0.0/0 60148

STEP 7: SAVE the file using CTRL-X

STEP 8: Expand the templates

/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

STEP 9: Tell SME Server to update the live config

/sbin/e-smith/signal-event remoteaccess-update

STEP 10: Reboot Server

Jochen Hoegerl

Re: unable to open port 60148
« Reply #1 on: October 20, 2002, 12:57:44 AM »
Are you sure the port is not open?
According to the Notes forum
( http://www-10.lotus.com/ldd/46dom.nsf?OpenDatabase )
there is a problem with DIIOP if you have multiple NICs in your server.
DIIOP does not know on which NIC it should listen, therefore you must
bind it to a NIC.

As I don't know how to do that, maybe you should ask your question
there.

jochen

doumebzh

Re: unable to open port 60148
« Reply #2 on: October 21, 2002, 11:52:24 AM »
#!/bin/sh

#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# e-smith server and gateway software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org.
#
# copyright (C) 1999, 2000 e-smith, inc.
#------------------------------------------------------------


# chkconfig: 345 82 35
# description: Configures IP masquerading.

case "$1" in

 start)
    echo -n "Enabling IP masquerading: "


    /sbin/ipchains -F
    /sbin/ipchains -X
    /sbin/ipchains --flush  forward
    /sbin/ipchains --flush  input
    /sbin/ipchains --flush  output
    /sbin/modprobe ip_masq_cuseeme
    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_h323
    /sbin/modprobe ip_masq_icq
    # Loading of masq module ipsec disabled in configuration
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_pptp
    # Loading of masq module quake disabled in configuration
    /sbin/modprobe ip_masq_rtsp
    /sbin/modprobe ip_masq_vdolive

    INTERNALIF=eth0
    OUTERIF=eth1
    OUTERNET=$(/sbin/e-smith/db configuration get ExternalIP)
    if [ -z "$OUTERNET" ]
    then
   # Make sure that OUTERNET value is set to syntactly valid value
   # to ensure that ipchains syntax is at least correct
   OUTERNET=1.2.3.4
    fi


    /sbin/ipchains --policy forward DENY

    /sbin/ipchains --new-chain denylog
    /sbin/ipchains --new-chain icmpIn
    /sbin/ipchains --append input --protocol icmp --jump icmpIn
    /sbin/ipchains --new-chain icmpOut
    /sbin/ipchains --append output --protocol icmp --jump icmpOut
    # This section manipulates the Type Of Service (TOS) bits of the
    # packet. For this to work, you must have CONFIG_IP_ROUTE_TOS enabled
    # in your kernel

    # Set telnet, www, smtp, pop3 and FTP for minimum delay
    /sbin/ipchains --append output -p tcp -d 0/0 80 -t 0x01 0x10   
    /sbin/ipchains --append output -p tcp -d 0/0 22 -t 0x01 0x10  
    /sbin/ipchains --append output -p tcp -d 0/0 23 -t 0x01 0x10  
    /sbin/ipchains --append output -p tcp -d 0/0 21 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 110 -t 0x01 0x10
    /sbin/ipchains --append output -p tcp -d 0/0 25 -t 0x01 0x10

    # Set ftp-data for maximum throughput
    /sbin/ipchains --append output -p tcp -d 0/0 20 -t 0x01 0x08

    ## Set up kernel to handle dynamic IP masquerading
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    ## Set up kernel to enable IP masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # set timeouts for tcp tcpfin udp
    /sbin/ipchains --masquerading --set 14400 60 600
    # Block incoming IP Spoofing

    # Turn on Source Address Verification

    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
     then  
      for f in /proc/sys/net/ipv4/conf/*/rp_filter
      do
       echo 1 > $f
      done
      echo "0" > /proc/sys/net/ipv4/conf/default/rp_filter
      echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
    fi

    #Turn on SYN COOKIES PROTECTION (Thanks Holger!)
    if [ -e /proc/sys/net/ipv4/tcp_syncookies ]
     then  
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    fi


    /sbin/ipchains --append input -i lo -j ACCEPT
    /sbin/ipchains --append output -i lo -j ACCEPT
    /sbin/ipchains --append input  -i ppp0 -j ACCEPT
    /sbin/ipchains --append output -i ppp0 -j ACCEPT
    /sbin/ipchains --append input  -i ppp1 -j ACCEPT
    /sbin/ipchains --append output -i ppp1 -j ACCEPT



    /sbin/ipchains --append input -p TCP -s 0/0 :19 -i $OUTERIF -j denylog
    /sbin/ipchains --append input -p UDP -s 0/0 :19 -i $OUTERIF -j denylog

    /sbin/ipchains --append input -p TCP -d 0/0 :19 -i $OUTERIF -j denylog
    /sbin/ipchains --append input -p UDP -d 0/0 :19 -i $OUTERIF -j denylog

    /sbin/ipchains --append input -s 224.0.0.0/4   -j DENY
    /sbin/ipchains --append input -d 224.0.0.0/4    -j DENY

    /sbin/ipchains --append output -s 224.0.0.0/4    -j DENY
    /sbin/ipchains --append output -d 224.0.0.0/4    -j DENY
    /sbin/ipchains --append input -p tcp --destination 127.0.0.1 80 -j ACCEPT
    /sbin/ipchains --append input -p tcp --destination 192.168.1.24 80 -j ACCEPT
    /sbin/ipchains --append input -p tcp --destination $OUTERNET 80 -j ACCEPT
    /sbin/ipchains --append input -p tcp --source 192.168.1.0/255.255.255.0 --destination 0.0.0.0/0 80 -j REDIRECT 3128

    /sbin/ipchains --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type destination-unreachable --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type source-quench --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type time-exceeded --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type parameter-problem --jump ACCEPT
    /sbin/ipchains --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT

    /sbin/ipchains --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type echo-reply --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type destination-unreachable --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type source-quench --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type time-exceeded --jump ACCEPT
    /sbin/ipchains --append icmpOut --proto icmp --icmp-type parameter-problem --jump ACCEPT

    # Allow outgoing ICMP
    /sbin/ipchains --append output -p icmp --source 192.168.1.0/255.255.255.0 --destination 0.0.0.0/0 -j ACCEPT


    /sbin/ipchains --append forward -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    /sbin/ipchains --append forward -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    /sbin/ipchains --append input -s 192.168.1.0/255.255.255.0 -d 0/0 -j ACCEPT
    /sbin/ipchains --append output -d 192.168.1.0/255.255.255.0 -s 0/0 -j ACCEPT

    # Allow packets with ack bit set, they are from an established connection.
    /sbin/ipchains --append input ! -y -p tcp -s 0.0.0.0/0 -i $OUTERIF -j ACCEPT

    /sbin/ipchains --append forward -j MASQ --source 192.168.1.0/255.255.255.0 --destination 0.0.0.0/0


    /sbin/ipchains -A input -p tcp -s 0/0 -d $OUTERNET 113 -j ACCEPT
    /sbin/ipchains -A input -p udp -s 0/0 -d $OUTERNET 113 -j ACCEPT



 
/sbin/ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 60148
/sbin/ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 60148





    # Accept incoming ESP packets
    # Don't bother about AH packets here, as you can't masq them
    /sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT

    # Accept incoming IKE packets
    /sbin/ipchains --append input -p udp -s 0/0 500 -d $OUTERNET 500 -j ACCEPT


    /sbin/ipchains -A input -p udp -s 193.49.205.17 -d 0/0 123 -j ACCEPT


    /sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 1723 -j ACCEPT
    /sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT


    # Accept incoming GRE packets
    /sbin/ipchains --append input -p 47 -s 0/0 -d $OUTERNET -j ACCEPT


    /sbin/ipchains --append input -p tcp -s 0/0 -d $OUTERNET 22 -j ACCEPT
    /sbin/ipchains --append output ! -y -p tcp -d 0/0 -s $OUTERNET 22 -j ACCEPT



    /sbin/ipchains --append input -p tcp -y -s 0/0 -d $OUTERNET 3306 -j denylog

    # Ignore RIP - we configure with static or server assigned gateways
    # If you want to log packets, set the Logging property of masq to "all"

    /sbin/ipchains -A input -i $OUTERIF -p udp -d 0/0 520 --jump DENY

    # Ignore random SMB junk on the external interface - don't even bother
    # logging it as it is so common on cable and other shared networks
    # If you want to log packets, set the Logging property of masq to "all"

    /sbin/ipchains -A input -i $OUTERIF -p tcp -d 0/0 137:139 --jump DENY
    /sbin/ipchains -A input -i $OUTERIF -p udp -d 0/0 137:139 --jump DENY

    /sbin/ipchains --append input -p tcp -y -s 0/0 -d $OUTERNET 3128 -j denylog

    # Allow inbound connections from port ftp-data to high ports
    /sbin/ipchains --append input -p tcp -y -s 0/0 20 -d $OUTERNET 1024:65535 -j ACCEPT

    /sbin/ipchains --append input -p tcp -s 0/0 -d 0/0 1024:65535 -j ACCEPT

    /sbin/ipchains --append input -p udp -s 0/0 -d 0/0 1024:65535 -j ACCEPT

    # Logging is disabled - set Logging property of masq service to enable
    /sbin/ipchains --append denylog --jump DENY

    /sbin/ipchains --append icmpIn --jump denylog
    /sbin/ipchains --append icmpOut --jump denylog
   
    /sbin/ipchains --policy forward DENY
    /sbin/ipchains --append forward --jump DENY
   
    /sbin/ipchains --policy input DENY
    /sbin/ipchains --append input --jump denylog
   
    /sbin/ipchains --policy output ACCEPT
    /sbin/ipchains --append output --jump ACCEPT
    echo "done"
    ;;



masqstop)
      echo ""
      echo -n "Shuting down IP Masquerading:"
      /sbin/ipchains -F forward
      /sbin/ipchains -P forward DENY
      echo "      Done!"
      echo "" ;;
restart)
        $0 stop
        $0 start
        ;;



stop)
     echo ""
     echo -n "Shutting down IP masquerade and firewall rules:"
     /sbin/ipchains -P forward DENY
     /sbin/ipchains -P output ACCEPT
     /sbin/ipchains -P input DENY
     /sbin/ipchains -F input
     /sbin/ipchains -F output
     /sbin/ipchains -F forward
     /sbin/ipchains -F
    /sbin/ipchains --append forward -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
     /sbin/ipchains -X
     echo "      Done!"
     echo "" ;;


 *)
    echo "Usage: masq {start|stop|restart|...}"
    exit 1

esac
exit 0

#------------------------------------------------------------
# TEMPLATE END
#------------------------------------------------------------

doumebzh

oops! it last something
« Reply #3 on: October 21, 2002, 03:34:13 PM »
Thank you Jochen!
Multiple NICs may be a problem.

But I am obviously sure that port 60148 is really closed from the internet, and open from the local network. I used two port scanners: IP Tools and another one under the GPL license (I don't remember the name). Both said that port 60148 is open using the internal IP, and closed using the external IP.
Perhaps it is a syntax problem, or a problem with the order of the rules, in the 'masq' file?
But my knowledge of ipchains is very, very poor. That is the reason why I gave it in the previous message. I hope somebody can find some error in it.
The lines I have added in that file are:
/sbin/ipchains -A output -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 60148
/sbin/ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 60148
... But it doesn't work!
Thank you for any help
D
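An added example (not code from the thread or from SME Server) that walks the input chain of the masq script in Reply #2 first-match style, the way ipchains evaluates it, to see which rule an inbound SYN to TCP 60148 would hit. It assumes eth1 for $OUTERIF, 203.0.113.5 for $OUTERNET and 198.51.100.7 for the remote client, all constructed values, and treats a jump to denylog as DENY because that chain ends in `--append denylog --jump DENY`.

```python
import ipaddress
# Added example, not code from the thread: walk the ipchains 'input' chain first-match
# style, to check whether the posted masq script really blocks TCP 60148 before blaming
# the firewall. Rules are copied in order from the script above; $OUTERIF/$OUTERNET are
# replaced by the constructed values eth1 and 203.0.113.5.
OUTERIF, OUTERNET = "eth1", "203.0.113.5"
INPUT_CHAIN = [
    "-A input -s 192.168.1.0/255.255.255.0 -d 0/0 -j ACCEPT",
    f"-A input ! -y -p tcp -s 0.0.0.0/0 -i {OUTERIF} -j ACCEPT",
    "-A input -j ACCEPT -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 60148",  # the added DIIOP rule
    f"-A input -p tcp -y -s 0/0 -d {OUTERNET} 3128 -j denylog",
    "-A input -p tcp -s 0/0 -d 0/0 1024:65535 -j ACCEPT",
    "-A input --jump denylog",  # catch-all; the denylog chain ends in DENY
]
VERDICT = {"denylog": "DENY"}
SIMPLE = {"-p": "proto", "--proto": "proto", "-i": "iface", "-j": "target", "--jump": "target"}
ADDR = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst"}

def parse_rule(line):
    r, t, i = {}, line.replace("! -y", "!-y").split(), 0
    while i < len(t):
        if t[i] in ("-y", "!-y"):  # '-y' = SYN only; '! -y' = anything but SYN
            r["syn"], i = t[i] == "-y", i + 1
            continue
        if t[i] in SIMPLE:
            r[SIMPLE[t[i]]] = t[i + 1].lower() if SIMPLE[t[i]] == "proto" else t[i + 1]
        elif t[i] in ADDR:
            r[ADDR[t[i]]] = ipaddress.ip_network("0.0.0.0/0" if t[i + 1] == "0/0" else t[i + 1])
            if i + 2 < len(t) and t[i + 2].replace(":", "").isdigit():  # port or lo:hi range
                lo, sep, hi = t[i + 2].partition(":")
                r[ADDR[t[i]] + "port"], i = (int(lo or 0), int(hi or 65535) if sep else int(lo)), i + 1
        elif t[i] not in ("-A", "--append"):
            raise ValueError(f"unsupported option {t[i]}")
        i += 2
    return r

def first_match(chain, pkt, policy="DENY"):
    """Return (verdict, rule index) of the first matching rule, else the chain policy."""
    for idx, line in enumerate(chain):
        r = parse_rule(line)
        if (all(r.get(k) in (None, pkt[k]) for k in ("proto", "iface", "syn"))
                and all(r.get(k) is None or ipaddress.ip_address(pkt[k]) in r[k] for k in ("src", "dst"))
                and all(r.get(k) is None or r[k][0] <= pkt[k] <= r[k][1] for k in ("srcport", "dstport"))):
            return VERDICT.get(r["target"], r["target"]), idx
    return policy, None

def inbound_syn(dport, chain=INPUT_CHAIN):
    pkt = dict(proto="tcp", iface=OUTERIF, syn=True, src="198.51.100.7", srcport=40000,  # constructed client
               dst=OUTERNET, dstport=dport)
    return first_match(chain, pkt)
```

Walked in order, the chain accepts the SYN at the added 60148 rule, and without that rule it would still be accepted by the `-d 0/0 1024:65535` rule further down, so the order of the posted rules does not explain why the port looks closed from outside.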