telnet disconnects/firewall help?

Greg Dickerson greg at gtworld.net
Wed Mar 1 17:37:43 PST 2000


As a newbie myself... I would uncomment this line in your firewall script,
#ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
It should read,
ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT

It's taken from this section,

> ### Uncomment to allow inbound ftp connections
> ### enable telnet first then ftp on 21..
> #ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
> #ipchains -A eth0-in -p tcp -s 0/0 21 -y -j ACCEPT

Telnet is on port 23. port 21 is FTP.

Greg

----- Original Message ----- 
From: DJ <dgj-dave at pacbell.net>
To: north bay linux user group <nblug-talk at lists.sonic.net>
Sent: Wednesday, March 01, 2000 5:10 PM
Subject: telnet disconnects/firewall help?


> This is probably a simple problem, but being a newbie to ipchains I
> would like to again ask for the help of a kind soul. :)
> For a while now I have had my telnet service disabled for security
> purposes; since then I have implemented SAMBA, APACHE and a donated
> RC.FIREWALL script..
> The problem came when I went back into INETD.CONF to enable the telnet
> service and nothing happened.
> I can get a successful telnet connection with my server..
> Whenever I run 'telnet 63.199.5.221' from any outside client I get
> 'connection to host lost'. Would this be related to the firewall
> filtering of telnet? Is telnet on port 23?
> Like I said I don't fully understand ipchains, but when I do would I need
> to allow all incoming tcp packets on port 23?
> Attached is my rc.firewall for reference.. thanks in advance for any
> help you could offer.
> david johnson
> ******************************************begin rc.firewall
> #!/bin/bash
> /sbin/depmod -a
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_irc
> /sbin/ipchains -M -S 7200 10 160
> 
> # BEGIN FIREWALL SETUP
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> echo -n "Starting Spoof Protection..."
> # Setup Spoofing Protection
> if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
>    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>    echo 1 > $f
>    done
> else
>    echo "PROBLEMS SETTING UP SPOOFING PROTECTION, BE WORRIED!"
>    echo "CONTROL-D will exit this shell and continue startup."
>    echo
> # Start single user shell on console
>    /sbin/sulogin $CONSOLE
> fi
> echo "done."
> 
> ### Start of ip filter rules....
> 
> echo -n "Setting IP filter rules..."
> #First set default rule, deny EVERYTHING except localnet interface
> 
> ipchains -P input DENY
> ipchains -A input -i lo -s 127.0.0.0/24 -j ACCEPT
> 
> # Deny SYN packets on external (DSL) interface
> # I had to disable this because it wouldn't let me retrieve ftp dirs??
> # ipchains -A input -i eth0 -p tcp -y -l -j DENY
> 
> 
> # Set Filtering Rules for eth1 interface (internal net)
> # Create a new chain for eth1 interface
> ipchains -N eth1-in
> ipchains -A input -i eth1 -j eth1-in
> 
> # Set filtering rules for eth1
> ipchains -A eth1-in -b -s 192.168.0.0/24 -j ACCEPT
> ipchains -A eth1-in -s 127.0.0.0/24 -l -j DENY
> 
> 
> # Set Filtering Rules for eth0 interface (external DSL net)
> # Create a new chain for eth0 interface
> ipchains -N eth0-in
> ipchains -A input -i eth0 -j eth0-in
> 
> # Set filtering rules for eth0
> ipchains -A eth0-in -s 0/0 -j ACCEPT
> ipchains -A eth0-in -s 127.0.0.0/24 -l -j DENY
> 
> ### Uncomment to allow inbound sendmail connections
> ipchains -A eth0-in -p tcp -s 0/0 25 -y -j ACCEPT
> 
> ### Uncomment to allow inbound www connections
> ipchains -A eth0-in -p tcp -s 0/0 80 -y -j ACCEPT
> 
> ### Uncomment to allow inbound ftp connections
> ### enable telnet first then ftp on 21..
> #ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
> #ipchains -A eth0-in -p tcp -s 0/0 21 -y -j ACCEPT
> 
> ### This is old and not needed for most systems but it's good protection for some....
> # Deny "Ping-of-death" packets
> ipchains -A input -p icmp -f -l -j DENY
> 
> ### And lastly, forward internal packets to external interface and Masquerade!
> # Set ip forwarding for local network to internet
> ipchains -A forward -p udp -s 192.168.0.0/24 -j MASQ
> ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
> ipchains -A forward -p icmp -s 192.168.0.0/24 -j MASQ
> 
> echo "done."
> 
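The quoted rules are worth walking mechanically rather than by eye, for two reasons that matter to the question asked: in ipchains, `-s address port` matches the SOURCE port (an inbound telnet connection carries 23 as its destination port, so `-s 0/0 23` only matches packets coming from port 23), and `ipchains -A eth0-in -s 0/0 -j ACCEPT` near the top of the eth0-in chain matches every packet before any later rule is reached. The rule walker below is an added example, not code from either message. It approximates ipchains matching (rules checked in order, first match wins, a user chain that matches nothing returns to its caller, the built-in policy applies last), loads the eth0 rules from the quoted script with the telnet line uncommented, and evaluates a constructed inbound telnet SYN. A second, tighter eth0-in chain is included for comparison; it is an assumption about what this box should expose, not part of the posted script. The client address 203.0.113.5 and its ephemeral port are constructed values.

```python
"""Walk ipchains filter rules as the kernel does: in order, first match wins, a user chain that
matches nothing returns to its caller, the built-in chain's policy applies last.  Added audit aid
for the quoted rc.firewall, not code from the thread; -l and -b are accepted but have no effect."""
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DENY", "REJECT", "MASQ"}
ONE_ARG = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}

def _net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if s == "0/0" else s, strict=False)

def parse_rule(line: str) -> Dict[str, object]:
    """'ipchains -A chain ...' -> match dict.  -s/-d take an address plus an optional port and
    match SOURCE and DESTINATION respectively; -y is SYN-only, '! -y' is anything but SYN."""
    toks, rule, i, negate = shlex.split(line), {"text": line.strip()}, 1, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        if t in ONE_ARG:
            rule[ONE_ARG[t]], i = toks[i + 1], i + 2
        elif t in ("-s", "-d"):
            key = "src" if t == "-s" else "dst"
            rule[key], i = _net(toks[i + 1]), i + 2
            if i < len(toks) and toks[i].isdigit():            # a port follows the address
                rule[key[0] + "port"], i = int(toks[i]), i + 1  # "sport" or "dport"
        elif t == "-y":
            rule["syn"], i = (not negate), i + 1
        elif t in ("-l", "-b"):  # log / bidirectional: no bearing on a single inbound packet
            i += 1
        else:
            raise ValueError(f"unsupported option {t!r} in {line!r}")
        negate = False
    return rule

def matches(rule: Dict[str, object], pkt: Dict[str, object]) -> bool:
    for k in ("iface", "proto", "sport", "dport"):
        if k in rule and rule[k] != pkt[k]:
            return False
    for k in ("src", "dst"):
        if k in rule and ipaddress.ip_address(pkt[k]) not in rule[k]:
            return False
    return "syn" not in rule or (pkt["proto"] == "tcp" and pkt["syn"] == rule["syn"])

def walk(chains: Dict[str, list], chain: str, pkt: Dict[str, object], trace: List[str]) -> Optional[str]:
    for idx, rule in enumerate(chains.get(chain, [])):
        if not matches(rule, pkt):
            continue
        trace.append(f"{chain}[{idx}] {rule['text']}")
        target = rule.get("target")
        if target in TERMINAL:
            return target
        if target in chains:                 # user chain: when nothing matches there, fall through
            verdict = walk(chains, target, pkt, trace)
            if verdict is not None:
                return verdict
    return None

def evaluate(script: str, pkt: Dict[str, object]) -> Tuple[str, List[str]]:
    """Verdict of the input chain for pkt plus the rules it touched; only ipchains lines are read."""
    chains, policy, trace = {}, {"input": "ACCEPT"}, []
    for raw in script.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("#") or not toks[0].endswith("ipchains"):
            continue                          # comments and other shell commands are skipped
        if toks[1] == "-P":
            policy[toks[2]] = toks[3]
        elif toks[1] == "-A":
            rule = parse_rule(raw)
            chains.setdefault(rule["chain"], []).append(rule)
    verdict = walk(chains, "input", pkt, trace)
    if verdict is None:
        verdict = policy["input"]
        trace.append(f"policy input {verdict}")
    return verdict, trace

# The eth0 rules from the quoted rc.firewall, telnet line uncommented as the reply suggests.
POSTED = """
ipchains -P input DENY
ipchains -A input -i eth0 -j eth0-in
ipchains -A eth0-in -s 0/0 -j ACCEPT
ipchains -A eth0-in -s 127.0.0.0/24 -l -j DENY
ipchains -A eth0-in -p tcp -s 0/0 80 -y -j ACCEPT
ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
"""
# Tighter eth0 chain (an added assumption, not from the thread): no catch-all, services matched
# on DESTINATION port, any other inbound SYN logged and denied, non-SYN TCP (replies) let through.
HARDENED = """
ipchains -P input DENY
ipchains -A input -i eth0 -j eth0-in
ipchains -A eth0-in -s 127.0.0.0/8 -l -j DENY
ipchains -A eth0-in -p tcp -d 63.199.5.221 23 -y -j ACCEPT
ipchains -A eth0-in -p tcp -y -l -j DENY
ipchains -A eth0-in -p tcp ! -y -j ACCEPT
"""
# Constructed packet: a client at 203.0.113.5 opening telnet to the server address in the post.
TELNET_SYN = dict(iface="eth0", proto="tcp", src="203.0.113.5", sport=40123,
                  dst="63.199.5.221", dport=23, syn=True)

if __name__ == "__main__":
    for name, script in (("posted", POSTED), ("hardened", HARDENED)):
        verdict, trace = evaluate(script, TELNET_SYN)
        print(f"{name}: {verdict}", *trace, sep="\n  ")
```

Run as a script it prints the verdict and the rules touched for both rule sets. Against the posted rules the telnet SYN is accepted at `eth0-in[0]`, the catch-all, so this firewall is not what is cutting the session (inetd, tcpd/hosts.allow or the telnet daemon itself would be the next things to look at), and the same walker shows that a rule written `-s 0/0 23` matches a packet only when 23 is its source port. The hardened chain accepts the SYN because it matches on the destination port, denies and logs SYNs to anything else, and still lets reply traffic back in; it deliberately leaves out UDP (DNS replies) and ICMP, which the real box would need rules for.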