There is one NIC and it's part of a campus network. Due to the network topology that I have no control over I have one NIC and all the machines are on a public network.
I'm trying to add an additional layer of security to the LTSP server by allowing only the authorized clients to connect and having it be locked out to other prying eyes. I'm actually close to getting it, but the PXE boot is using ports that are all over the place so I keep ending up with them outside my ruleset. Quoting Ken Cobler <[EMAIL PROTECTED]>: > Brian Payst wrote: > > >I have a lovely LTSP set-up which I'm trying to add a level of > security > >to via IPTables on the LTSP server. For the life of me I can't seem > to > >get past a TFTP time-out. Below is the script I'm using to load the > >rules. Anyone done this successfully? > > > ># flush chains > >$IPTABLES -F > > > ># delete user defined chains > >$IPTABLES -X > > > ># set default policies (deny everything) > >$IPTABLES -P INPUT DROP > >$IPTABLES -P FORWARD DROP > >$IPTABLES -P OUTPUT DROP > > > >$IPTABLES -A INPUT -i eth0 -p udp --dport 67:68 --sport 67:68 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -p tcp --dport 547 -j ACCEPT > >$IPTABLES -A INPUT -i eth0 -p udp --dport 547 -j ACCEPT > >$IPTABLES -A INPUT -i eth0 -p tcp --dport 69 -j ACCEPT > >$IPTABLES -A INPUT -i eth0 -p udp --dport 69 -j ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 1758 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 1758 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 177 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 177 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 4000:4002 > -j > >ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 4000:4002 > -j > >ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 2049 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 2049 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p tcp --dport 111 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $DHCP_CLIENTS -p udp --dport 111 -j > ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $MONITOR -p tcp --dport 22 -j ACCEPT > >$IPTABLES -A INPUT -i eth0 -s $MONITOR -p udp --dport 22 -j ACCEPT > >$IPTABLES -A OUTPUT -s $DHCP_CLIENTS -p tcp --dport 69 -j ACCEPT > >$IPTABLES -A OUTPUT -s $DHCP_CLIENTS -p udp --dport 69 -j ACCEPT > > > > > > > I guess I do not understand why you want to put an iptables filter > for a > LTSP workstation that is on LAN. For local access only, I wouldn't > use > iptables at all (ACCEPT for default policy). In LTSP, all the > programs are running on the LTSP server. The video output, keyboard > and > mouse are being handled by the workstation. So, as long as you do > not > NFS mount directories from the workstation to the server, there is no > > need for iptables. Security is at the level as your LTSP server > currently is configured. > > If the LTSP server is directly connected to the Internet, through > another ethernet card, I would set iptables to allow local access > via: > > # Set variables > IPTABLES="/sbin/iptables" > LAN_IFACE="eth0" > INET_IFACE="eth1" > > # Default policy is DROP (do not reply) > $IPTABLES -P INPUT DROP > $IPTABLES -P OUTPUT DROP > $IPTABLES -P FORWARD DROP > > # Unlimited traffic on loopback > $IPTABLES -A INPUT -i lo -j ACCEPT > $IPTABLES -A OUTPUT -o lo -j ACCEPT > > # Unlimited traffic on LAN > $IPTABLES -A INPUT -i $LAN_IFACE -j ACCEPT > $IPTABLES -A OUTPUT -o $LAN_IFACE -j ACCEPT > > Ken Cobler > > > > > > ------------------------------------------------------- > The SF.Net email is sponsored by EclipseCon 2004 > Premiere Conference on Open Tools Development and Integration > See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. > http://www.eclipsecon.org/osdn > _____________________________________________________________________ > Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: > https://lists.sourceforge.net/lists/listinfo/ltsp-discuss > For additional LTSP help, try #ltsp channel on irc.freenode.net > Brian Payst Director of Technology & Systems Support Division of Student Affairs The University of North Carolina at Chapel Hill voice:(919)962-1469 fax:(919)962-5241 ------------------------------------------------------- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn _____________________________________________________________________ Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
