Of Firewalls and PC Printing

1. How do you block access to specific ports from unknown hosts and networks?

There are two firewall technologies, ipchains and iptables, that can block network access to a server or services. Let’s take a quick look at both.

Assuming that you already have iptables or ipchains installed, configuration is simple — as long as you plan ahead. Planning is key, especially when deploying computer security.

There are two approaches to system security: Explicitly deny what you do not want, and explicitly allow what you do want. Any security consultant worth his or her PGP key will recommend the latter approach. The philosophy is that it’s much easier to allow what you want and keep everything else locked up safely, rather than to try to keep up with everything that’s impermissible. In other words, reject everything unless there’s a good reason to make an exception.

Let’s say that you only want to accept incoming ssh connections from the host at Using iptables, the following commands configure the firewall to enforce that rule:

/sbin/iptables -A INPUT -p tcp -s <trusted-host> --destination-port ssh -j ACCEPT
/sbin/iptables -A INPUT -p tcp --destination-port ssh -i eth0 -j DROP

Each iptables command defines a single firewall rule, and rules are processed in the order in which they’re defined. (The port match, --destination-port, belongs to the TCP match, so -p tcp must appear on the command line for iptables to accept it. Replace <trusted-host> with the address of the host you want to let in.)

The first command defines the rule, “If the incoming connection (designated by the -A INPUT option) originates from host and is an ssh request, accept the connection.” The second command defines the rule, “Reject all incoming connections requesting ssh.” The first rule is the exception. The second rule is the golden rule: refuse access to every host.

ipchains works in a very similar fashion. ipchains manages three default chains: input, output, and forward, where each chain is simply a set of rules, and the three chains are associated with incoming packets (input), outgoing packets (output), and packets being forwarded to another port (forward). In ipchains, each chain can also have a default policy. The policy is used if no rule in the chain matches a packet.

For the question at hand, we only need to configure the input chain. We start by erasing all existing input rules, and then establish a policy that all incoming requests be denied:

# ipchains -F input
# ipchains -P input DENY

To accept a connection from, we add an input rule specific to that host and the ssh service (which listens to port 22). Again, we use ipchains to define the new rule:

# ipchains -A input -i eth0 -p tcp \
    -s <trusted-host> --destination-port 22 -j ACCEPT

The latter command establishes an input rule that states, “If an inbound (-A input) TCP (-p tcp) connection from adapter eth0 (-i eth0) is requesting port 22, and the connection originates from host (-s, then accept the connection.”

Whether you use iptables or ipchains, you can configure your Linux machine to define these firewall rules each time you boot. And just to be safe, if you ever make any changes to the rules, reboot your system and test the new configuration. Verify that the rules you defined do what you want them to do.
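Both the iptables and the ipchains answers above depend on the same two facts: rules are checked top to bottom and the first match decides, and the chain’s policy is what catches a packet no rule mentions. The following added illustration (my own code, not from the column, and not a substitute for iptables) models that evaluation for the column’s two-rule chain and renders the equivalent iptables commands. The trusted host’s address did not survive on the page, so the RFC 5737 documentation address 192.0.2.10 stands in for it; the other addresses are likewise constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed values (not from the column): the trusted host's address did not
# survive on the page, so an RFC 5737 documentation address stands in for it.
TRUSTED_HOST = "192.0.2.10"
SSH_PORT = 22


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dport: int    # destination port
    proto: str    # "tcp" or "udp"
    iface: str    # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    """One chain rule. A None field places no condition on that attribute."""
    target: str                   # "ACCEPT" or "DROP"
    src: Optional[str] = None     # single address or CIDR block
    dport: Optional[int] = None
    proto: Optional[str] = None
    iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.iface is not None and pkt.iface != self.iface:
            return False
        return True

    def as_iptables(self, chain: str = "INPUT") -> str:
        """Render the rule as the iptables -A command that would install it."""
        parts = ["/sbin/iptables", "-A", chain]
        if self.iface is not None:
            parts += ["-i", self.iface]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.src is not None:
            parts += ["-s", self.src]
        if self.dport is not None:
            # --dport belongs to the tcp/udp match, so -p must precede it
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Walk the chain top to bottom: the first matching rule decides; if no
    rule matches, the chain's default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


def render_chain(rules: List[Rule]) -> List[str]:
    return [rule.as_iptables() for rule in rules]


# The column's chain: the exception first, then the blanket refusal on eth0.
SSH_ONLY_FROM_TRUSTED = [
    Rule("ACCEPT", src=TRUSTED_HOST, dport=SSH_PORT, proto="tcp"),
    Rule("DROP", dport=SSH_PORT, proto="tcp", iface="eth0"),
]


def demo() -> dict:
    """Exercise the chain with constructed packets; returns verdicts by label."""
    trusted = Packet(TRUSTED_HOST, SSH_PORT, "tcp", "eth0")
    stranger = Packet("198.51.100.7", SSH_PORT, "tcp", "eth0")
    stranger_eth1 = Packet("198.51.100.7", SSH_PORT, "tcp", "eth1")
    wrong_order = list(reversed(SSH_ONLY_FROM_TRUSTED))
    return {
        "trusted ssh": evaluate(SSH_ONLY_FROM_TRUSTED, trusted),
        "stranger ssh": evaluate(SSH_ONLY_FROM_TRUSTED, stranger),
        # rules reversed: the DROP now shadows the exception
        "trusted ssh, reversed rules": evaluate(wrong_order, trusted),
        # no rule mentions eth1, so only the chain policy protects it
        "stranger ssh on eth1, policy ACCEPT": evaluate(SSH_ONLY_FROM_TRUSTED, stranger_eth1, policy="ACCEPT"),
        "stranger ssh on eth1, policy DROP": evaluate(SSH_ONLY_FROM_TRUSTED, stranger_eth1, policy="DROP"),
    }


if __name__ == "__main__":
    for line in render_chain(SSH_ONLY_FROM_TRUSTED):
        print(line)
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Two of the verdicts are the practical lesson: swap the two rules and the trusted host is locked out, because the DROP now matches first; and because the DROP rule is tied to eth0, ssh arriving on any other interface is decided by the chain policy alone, which is why the column sets that policy to deny before adding exceptions.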

2. Can my Windows PC use my Linux printer?

Yes, it’s very easy to share your Linux printer. Here’s what to do:

  1. Install TCP/IP print services on the PC. For example, under Windows XP, click “Start,” “Control Panel,” “Add or Remove Programs,” and choose “Add/Remove Windows Components.” Then check “Other Network File and Print Services,” click on “Next” and then “Finish.”

  2. Connect to the printer. Again, under Windows XP, click “Start,” “Printers and Faxes,” “Add a Printer,” and “Next.” Select “Local printer,” uncheck “Automatically detect,” then click “Next.” Create a new “LPR port,” and click “Next.”

     Enter the name or address of the Linux printer host and the name of the Linux printer, and click “OK.” Select the manufacturer and model of the printer, and click “Next.” Finally, set the printer’s name and decide if you want it to be the default printer for your computer. Click “Next.”

Try to print a test page. If nothing prints, click on “Troubleshoot” to diagnose the problem. If you cannot connect, check /etc/printcap to be sure that the printer is defined. If it is, then check /etc/lpd.perm, /etc/hosts.lpd, and /etc/lpd.conf. Also, make sure your PC’s name is in DNS or /etc/hosts.

That’s all there is to it.
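The two checks the troubleshooting advice asks for, that the printer is defined in /etc/printcap and that the PC is listed in /etc/hosts.lpd, can be scripted. The following is an added illustration of my own, not code from the column: it parses the printcap format (backslash continuations, “|”-separated aliases, “:”-separated capabilities) and the one-host-per-line hosts.lpd format, and reports what would stop a given PC from printing. The two files embedded in it are constructed samples, not real configuration.

```python
from typing import Dict, List

# Constructed sample files (not the column's own); a trailing backslash
# continues a printcap entry onto the next line.
PRINTCAP = """\
# constructed /etc/printcap
lp|hp4|HP LaserJet in the lab:\\
    :sd=/var/spool/lpd/lp:\\
    :lp=/dev/lp0:\\
    :sh:
"""

HOSTS_LPD = """\
# constructed /etc/hosts.lpd: one remote host per line
winpc.example.test
"""


def parse_printcap(text: str) -> Dict[str, List[str]]:
    """Map every printer name and alias to its capability list.

    An entry reads 'name|alias|...:cap:cap:...' and may continue across
    lines with a trailing backslash; blank lines and '#' comments are skipped.
    """
    entries: Dict[str, List[str]] = {}
    logical_lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # continuation: keep accumulating
            continue
        logical_lines.append(buf + line)
        buf = ""
    if buf:                           # file ended inside a continuation
        logical_lines.append(buf)
    for entry in logical_lines:
        names, _, rest = entry.partition(":")
        caps = [c.strip() for c in rest.split(":") if c.strip()]
        for name in names.split("|"):
            if name.strip():
                entries[name.strip()] = caps
    return entries


def parse_hosts_lpd(text: str) -> List[str]:
    """Hostnames permitted to submit jobs, lower-cased; comments skipped."""
    hosts: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            hosts.append(line.lower())
    return hosts


def check_share(printer: str, pc_name: str, printcap_text: str, hosts_lpd_text: str) -> List[str]:
    """Return the problems that would stop pc_name printing to printer;
    an empty list means both files look right for that pair."""
    problems: List[str] = []
    printers = parse_printcap(printcap_text)
    if printer not in printers:
        problems.append(f"printer '{printer}' is not defined in /etc/printcap")
    if pc_name.lower() not in parse_hosts_lpd(hosts_lpd_text):
        problems.append(f"host '{pc_name}' is not listed in /etc/hosts.lpd")
    return problems


if __name__ == "__main__":
    for printer, pc in (("hp4", "WINPC.example.test"), ("laser", "other.example.test")):
        print(f"{pc} -> {printer}: {check_share(printer, pc, PRINTCAP, HOSTS_LPD) or 'ok'}")
```

Run against the real files, it is a quick way to separate a spooler-side cause from the DNS or /etc/hosts problem the column mentions last: if both checks pass and printing still fails, look at name resolution and lpd.perm next.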

John R. S. Mascio is a systems and network manager. He can be reached at mascio@ryu.com.
