
Red Hat 8.0 Firewall woes


3 replies to this topic

#1 SoSiouxMe

SoSiouxMe

    stranger

  • Members
  • 2 posts

Posted 06 April 2003 - 07:57 PM

I just installed RHL 8.0 on a crappy old box. I intend to use it as a gateway and webserver and didn't install X. It doesn't have much RAM anyway.

So, when I installed it, I selected the "medium" firewall setting, which apparently blocks all ports through 1023 and two more. That means ssh is blocked, so my task was to figure out how to allow ssh to this box WITHOUT USING A GUI TOOL. Should be simple enough, right? Just use iptables.

Here's the default iptables listing for the system:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable


Well, let me just list some things that haven't worked.

1) Adding an 'ACCEPT' rule to the RH-LOKKIT table for tcp on port 22.
2) Flushing the INPUT table so it doesn't send packets through the firewall rules, or changing it to ACCEPT all from anywhere.
3) Changing sshd to listen at ports 2002 and 8002 -- which shouldn't even be covered by the firewall.

This is with the default install of sshd and firewall -- I haven't changed any sshd options other than the port. In all cases, I can ssh to the box from localhost, ssh out from the box to my other box (the DHCP server), but not ssh from my other box to this box (as either root or regular user) -- the connection is denied. In all cases, nmap shows a bunch of ports free locally on the box but shows no ports open from my dhcp server.

The only thing I can think of is that (a) iptables needs some command to actually activate the rule changes I make -- I'm assuming everything is effective immediately -- or (b) something is wonky about iptables on my DHCP server -- I can't imagine what, though.

Any advice, please?
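As an added illustration that is not part of the thread: a small Python check that parses a plain `iptables -L` listing like the one above and reports which rule in RH-Lokkit-0-50-INPUT is the first to cover a new tcp/22 connection. iptables stops at the first matching rule, so an ACCEPT appended with `-A` sits after the REJECT for dpts 0:1023 and never fires, while one inserted with `-I RH-Lokkit-0-50-INPUT 2` precedes it. The service-name map and the two sample listings are constructed here (the chain lines are transcribed from post #1).

```python
import re
# Service names as printed in the listing; a constructed map so the check runs offline.
SERVICE_PORTS = {"ssh": 22, "nfs": 2049, "x11": 6000, "xfs": 7100}
CHAIN = "RH-Lokkit-0-50-INPUT"
def _port(tok):
    return SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)

def parse_listing(text):
    """Parse plain `iptables -L` output into {chain: [rules]}, rules numbered from 1."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) ", line)
        tok = line.split()  # target prot opt source destination [match options...]
        if m:
            cur = m.group(1)
            chains[cur] = []
        elif cur and len(tok) >= 5 and tok[0] != "target":
            dp = [t.split(":")[1:] for t in tok[5:] if t.startswith(("dpt:", "dpts:"))]
            chains[cur].append({"num": len(chains[cur]) + 1, "target": tok[0], "prot": tok[1],
                                "ports": (_port(dp[0][0]), _port(dp[0][-1])) if dp else None})
    return chains

def first_verdict(chains, chain, proto, port):
    """First rule in `chain` whose port match covers proto/port (iptables stops there), else None.
    Rules without a port match are skipped: plain -L hides interface matches such as -i lo,
    so the real scope of the leading ACCEPT-all rule is not visible in the listing."""
    for rule in chains[chain]:
        if rule["prot"] == proto and rule["ports"] and rule["ports"][0] <= port <= rule["ports"][1]:
            return rule
    return None

LOKKIT_RULES = [  # transcribed from the listing in post #1
    "ACCEPT     all  --  anywhere             anywhere",
    "REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable",
    "REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable",
    "REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable",
    "REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable",
    "REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable",
    "REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable",
]
SSH_ACCEPT = "ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh"

def lokkit_listing(accept_at):
    """Constructed listing: the page's chain with an ssh ACCEPT as rule number accept_at (1-based)."""
    rules = LOKKIT_RULES[:accept_at - 1] + [SSH_ACCEPT] + LOKKIT_RULES[accept_at - 1:]
    return f"Chain {CHAIN} (1 references)\ntarget     prot opt source               destination\n" + "\n".join(rules)

if __name__ == "__main__":
    for at in (8, 2):  # 8 = appended with -A, 2 = inserted with -I CHAIN 2
        print("ACCEPT at rule", at, "->", first_verdict(parse_listing(lokkit_listing(at)), CHAIN, "tcp", 22))
```

On a live box, `iptables -L RH-Lokkit-0-50-INPUT -n -v --line-numbers` shows the same rule numbers together with the interface matches that plain `-L` omits.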

#2 gfolkert

gfolkert

    journeyman

  • Members
  • 64 posts

Posted 06 April 2003 - 11:09 PM

This IPTABLES script. I wrote this one.

It works REALLY well... It just works.

#3 SoSiouxMe

SoSiouxMe

    stranger

  • Members
  • 2 posts

Posted 08 April 2003 - 12:53 AM

Thanks, I'll try that out. I guess, though, in addition to getting a working system (I mean, I could always just reinstall...), I'd like to understand what I was missing previously.

#4 gfolkert

gfolkert

    journeyman

  • Members
  • 64 posts

Posted 08 April 2003 - 01:32 AM

It'll help you a lot... it works very well... I have always said learn by example... *REAL* examples... *WORKING* examples....

That is what I have given you...

There are quite a few books on IPTABLES.... New Riders has a couple of good books on IPTABLES.
