telnet disconnects/firewall help?
Greg Dickerson
greg at gtworld.net
Wed Mar 1 17:37:43 PST 2000
As a newbie myself... I would uncomment this line in your firewall script,
#ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
It should read,
ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
It's taken from this section,
> ### Uncomment to allow inbound ftp connections
> ### enable telnet first then ftp on 21..
> #ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
> #ipchains -A eth0-in -p tcp -s 0/0 21 -y -j ACCEPT
Telnet is on port 23. port 21 is FTP.
Greg
----- Original Message -----
From: DJ <dgj-dave at pacbell.net>
To: north bay linux user group <nblug-talk at lists.sonic.net>
Sent: Wednesday, March 01, 2000 5:10 PM
Subject: telnet disconnects/firewall help?
> This is probably a simple problem, but being a newbie to ipchains I
> would like to again ask for the help of a kind soul. :)
> For a while now I have had my telnet service disabled for security
> purposes; since then I have implemented SAMBA, APACHE and a donated
> RC.FIREWALL script.
> The problem came when I went back into INETD.CONF to enable the telnet
> service and nothing happened.
> I can get a successful telnet connection with my server.
> Whenever I run 'telnet 63.199.5.221' from any outside client I get
> 'connection to host lost'. Would this be related to the firewall
> filtering of telnet? Is telnet on port 23?
> Like I said I don't fully understand ipchains, but when I do, would I need
> to allow all incoming TCP packets on port 23?
> Attached is my rc.firewall for reference. Thanks in advance for any
> help you could offer.
> david johnson
> ******************************************begin rc.firewall
> #!/bin/bash
> /sbin/depmod -a
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_irc
> /sbin/ipchains -M -S 7200 10 160
>
> # BEGIN FIREWALL SETUP
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> echo -n "Starting Spoof Protection..."
> # Setup Spoofing Protection
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 1 > $f
> done
> else
> echo "PROBLEMS SETTING UP SPOOFING PROTECTION, BE WORRIED!"
> echo "CONTROL-D will exit this shell and continue startup."
> echo
> # Start single user shell on console
> /sbin/sulogin $CONSOLE
> fi
> echo "done."
>
> ### Start of ip filter rules....
>
> echo -n "Setting IP filter rules..."
> #First set default rule, deny EVERYTHING except localnet interface
>
> ipchains -P input DENY
> ipchains -A input -i lo -s 127.0.0.0/24 -j ACCEPT
>
> # Deny SYN packets on external (DSL) interface
> # I had to disable this because it wouldnt let me retrieve ftp dirs??
> # ipchains -A input -i eth0 -p tcp -y -l -j DENY
>
>
> # Set Filtering Rules for eth1 interface (internal net)
> # Create a new chain for eth1 interface
> ipchains -N eth1-in
> ipchains -A input -i eth1 -j eth1-in
>
> # Set filtering rules for eth1
> ipchains -A eth1-in -b -s 192.168.0.0/24 -j ACCEPT
> ipchains -A eth1-in -s 127.0.0.0/24 -l -j DENY
>
>
> # Set Filtering Rules for eth0 interface (external DSL net)
> # Create a new chain for eth0 interface
> ipchains -N eth0-in
> ipchains -A input -i eth0 -j eth0-in
>
> # Set filtering rules for eth0
> ipchains -A eth0-in -s 0/0 -j ACCEPT
> ipchains -A eth0-in -s 127.0.0.0/24 -l -j DENY
>
> ### Uncomment to allow inbound sendmail connections
> ipchains -A eth0-in -p tcp -s 0/0 25 -y -j ACCEPT
>
> ### Uncomment to allow inbound www connections
> ipchains -A eth0-in -p tcp -s 0/0 80 -y -j ACCEPT
>
> ### Uncomment to allow inbound ftp connections
> ### enable telnet first then ftp on 21..
> #ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
> #ipchains -A eth0-in -p tcp -s 0/0 21 -y -j ACCEPT
>
> ### This is old and not needed for most systems but it's good protection for some....
> # Deny "Ping-of-death" packets
> ipchains -A input -p icmp -f -l -j DENY
>
> ### And lastly, forward internal packets to external interface and masquerade!
> # Set IP forwarding for local network to internet
> ipchains -A forward -p udp -s 192.168.0.0/24 -j MASQ
> ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
> ipchains -A forward -p icmp -s 192.168.0.0/24 -j MASQ
>
> echo "done."
>
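An added example, not from the thread and not the poster's script: a small Python model of how ipchains walks the input chain, fed the eth0 rules from the rc.firewall above and a constructed inbound telnet SYN (the client address 198.51.100.7 and port 40123 are made up; the server address is the one in the post). It demonstrates two things worth checking before editing the script. First, the opening eth0-in rule `ipchains -A eth0-in -s 0/0 -j ACCEPT` accepts every packet arriving on eth0 before any port rule is reached, so this firewall cannot be what ends the telnet session and uncommenting the port-23 line changes nothing while that rule is in place; a DENY policy drops the SYN silently, so a firewall block would show as a hung connect rather than a connection that opens and is then lost, which points at inetd, in.telnetd or TCP wrappers (/etc/hosts.deny) instead. Second, in ipchains a port written after `-s` is a source port, so once the catch-all is removed the rule as written only matches packets whose source port is 23; an inbound-service rule needs `-d 0/0 23`. The model covers only the options the eth0 rules use (`-M`, `-b`, logging and MASQ state are not modelled).

```python
"""Model of ipchains chain traversal for the options the posted rc.firewall uses on eth0.
Added example, not from the original post; it gives one packet's verdict and does not model -M, -b, logging or MASQ state."""
import ipaddress
import shlex
from collections import namedtuple

FINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}  # targets that end traversal
# syn: SYN set, ACK/FIN clear (what -y matches); frag: 2nd or later fragment (what -f matches)
Packet = namedtuple("Packet", "iface proto src sport dst dport syn frag", defaults=(False, False))

def _ports(t):  # "23" or a "lo:hi" range
    lo, _, hi = t.partition(":")
    return int(lo), int(hi or lo)

class Rule:
    """One -A rule.  A port after -s is a SOURCE port, a port after -d a DESTINATION port."""
    def __init__(self, argv):
        g, cur = {}, None
        for tok in argv:                 # group each option with the arguments that follow it
            if tok.startswith("-"):
                cur, g[tok] = tok, []
            else:
                g[cur].append(tok)
        unknown = set(g) - {"-i", "-p", "-j", "-s", "-d", "-y", "-f", "-l"}
        if unknown:
            raise ValueError("unsupported ipchains option(s): %s" % sorted(unknown))
        self.flags = {o for o in g if o in ("-y", "-f", "-l")}   # -l (log) does not change the verdict
        self.iface, self.proto, self.target = (g.get(o, [None])[0] for o in ("-i", "-p", "-j"))
        self.ends = {}                   # "-s"/"-d" -> (network, (lo, hi) port range or None)
        for opt in ("-s", "-d"):
            if opt in g:
                addr, *port = g[opt]     # ipchains writes "any address" as 0/0
                net = ipaddress.ip_network("0.0.0.0/0" if addr == "0/0" else addr, strict=False)
                self.ends[opt] = (net, _ports(port[0]) if port else None)

    def _end(self, opt, addr, port):
        net, ports = self.ends.get(opt, (None, None))
        return (net is None or ipaddress.ip_address(addr) in net) and (
            ports is None or ports[0] <= port <= ports[1])

    def matches(self, p):
        if (self.iface or p.iface) != p.iface or (self.proto or p.proto) != p.proto:
            return False
        if "-y" in self.flags and not (p.proto == "tcp" and p.syn):
            return False
        if "-f" in self.flags and not p.frag:
            return False
        return self._end("-s", p.src, p.sport) and self._end("-d", p.dst, p.dport)

class Firewall:
    def __init__(self, script):
        self.chains, self.policy = {"input": []}, {"input": "ACCEPT"}
        for line in script.splitlines():
            argv = shlex.split(line, comments=True)   # a "#ipchains ..." line stays commented out
            if len(argv) > 2 and argv[0].endswith("ipchains"):
                cmd, rest = argv[1], argv[2:]
                if cmd == "-N":
                    self.chains[rest[0]] = []
                elif cmd == "-P":
                    self.policy[rest[0]] = rest[1]
                elif cmd == "-A":
                    self.chains[rest[0]].append(Rule(rest[1:]))

    def verdict(self, p, chain="input"):
        """First matching final target wins; a user chain with no match returns None to its caller; a built-in chain yields its policy."""
        for rule in self.chains[chain]:
            if rule.matches(p):
                if rule.target in FINAL:
                    return rule.target
                sub = self.verdict(p, rule.target)
                if sub is not None:
                    return sub
        return self.policy.get(chain)

# The eth0 filter rules of the posted rc.firewall, as the model's input.
POSTED = """
ipchains -P input DENY
ipchains -A input -i lo -s 127.0.0.0/24 -j ACCEPT
ipchains -N eth0-in
ipchains -A input -i eth0 -j eth0-in
ipchains -A eth0-in -s 0/0 -j ACCEPT
ipchains -A eth0-in -s 127.0.0.0/24 -l -j DENY
ipchains -A eth0-in -p tcp -s 0/0 25 -y -j ACCEPT
ipchains -A eth0-in -p tcp -s 0/0 80 -y -j ACCEPT
#ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
ipchains -A input -p icmp -f -l -j DENY
"""
CATCH_ALL = "ipchains -A eth0-in -s 0/0 -j ACCEPT\n"
AS_WRITTEN = "ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT\n"  # matches SOURCE port 23
CORRECTED = "ipchains -A eth0-in -p tcp -d 0/0 23 -y -j ACCEPT\n"   # matches DESTINATION port 23
# Constructed inbound telnet SYN: client address and port are made up, server address is the post's.
TELNET_SYN = Packet("eth0", "tcp", "198.51.100.7", 40123, "63.199.5.221", 23, syn=True)

def verdict_for(script, p=TELNET_SYN):
    return Firewall(script).verdict(p)

def without_catch_all(rule, p=TELNET_SYN):
    """The posted rules with the eth0-in catch-all removed and `rule` appended instead."""
    return verdict_for(POSTED.replace(CATCH_ALL, "") + rule, p)
```

`verdict_for(POSTED)` returns ACCEPT because the catch-all fires first; `without_catch_all(AS_WRITTEN)` returns DENY, since the inbound SYN's source port is ephemeral and the rule falls through to the input policy; `without_catch_all(CORRECTED)` returns ACCEPT. The same catch-all also shadows the fragment rule near the end of the script for anything arriving on eth0, because the jump to eth0-in comes before it in the input chain; on a real box, `ipchains -L input -n -v` with the packet counters shows the same thing.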