Compatible Support Forums
SoSiouxMe

Red Hat 8.0 Firewall woes


I just installed RHL 8.0 on a crappy old box. I intend to use it as a gateway and webserver and didn't install X. It doesn't have much RAM anyway.


So, when I installed it, I selected the "medium" firewall setting, which apparently blocks all ports through 1023 and two more. That means ssh is blocked, so my task was to figure out how to allow ssh to this box WITHOUT USING A GUI TOOL. Should be simple enough, right? Just use iptables.


Here's the default iptables listing for the system:


Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable


Well, let me just list some things that haven't worked.


1) Adding an 'ACCEPT' rule to the RH-LOKKIT table for tcp on port 22.

2) Flushing the INPUT table so it doesn't send packets through the firewall rules, or changing it to ACCEPT all from anywhere.

3) Changing sshd to listen at ports 2002 and 8002 -- which shouldn't even be covered by the firewall.


This is with the default install of sshd and firewall -- I haven't changed any sshd options other than the port. In all cases, I can ssh to the box from localhost, ssh out from the box to my other box (the DHCP server), but not ssh from my other box to this box (as either root or regular user) -- the connection is denied. In all cases, nmap shows a bunch of ports free locally on the box but shows no ports open from my dhcp server.


The only thing I can think of is that (a) iptables needs some command to actually activate the rule changes I make -- I'm assuming everything is effective immediately -- or (b) something is wonky about iptables on my DHCP server -- I can't imagine what, though.


Any advice, please?
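An added example, not part of this thread and not a reply from any poster: iptables walks a chain top-down and stops at the first matching rule, so an ACCEPT for port 22 that is appended with `-A` lands after `REJECT tcp dpts:0:1023` and is never reached. It has to be inserted with `-I` at a position above that REJECT. The script below reads an `iptables -L <chain>` listing, works out that position, and prints the commands to run; the embedded listing is the Lokkit chain exactly as the post shows it (constructed test input), and it assumes the first `ACCEPT all` line is the loopback rule, which `-L` without `-v` prints without its interface.

```shell
#!/bin/sh
# Added example (not from the thread): find the rule number of the first
# REJECT in the RH-Lokkit chain and emit the iptables commands that put an
# ACCEPT for ssh above it. Run nothing here as root blindly; it only prints.

# Constructed input: the Lokkit chain as `iptables -L` printed it in the post.
LOKKIT_LISTING='Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable'

# chain_name: the chain named on the "Chain ..." header of a listing on stdin.
chain_name() {
    awk '$1 == "Chain" { print $2; exit }'
}

# first_reject_rule: 1-based number of the first REJECT rule in a listing on
# stdin. The two header lines are not rules. Prints nothing if there is none.
first_reject_rule() {
    awk 'NR > 2 { n++; if ($1 == "REJECT") { print n; exit } }'
}

# rule_count: number of rules in a listing on stdin.
rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# accept_tcp_port_cmds CHAIN POS PORT: commands that open PORT/tcp for new
# connections at position POS of CHAIN (--syn is the SYN,RST,ACK/SYN match the
# Lokkit rules use), then list the chain with rule numbers and counters.
accept_tcp_port_cmds() {
    printf 'iptables -I %s %s -p tcp --dport %s --syn -j ACCEPT\n' "$1" "$2" "$3"
    printf 'iptables -L %s -n -v --line-numbers\n' "$1"
}

# plan_ssh_open PORT: read a chain listing on stdin and print the commands.
plan_ssh_open() {
    listing=$(cat)
    chain=$(printf '%s\n' "$listing" | chain_name)
    pos=$(printf '%s\n' "$listing" | first_reject_rule)
    if [ -z "$pos" ]; then
        echo "# no REJECT rule in $chain: appending with -A is enough"
        printf 'iptables -A %s -p tcp --dport %s --syn -j ACCEPT\n' "$chain" "$1"
    else
        echo "# first REJECT is rule $pos of $chain; the ACCEPT must go above it"
        accept_tcp_port_cmds "$chain" "$pos" "$1"
    fi
}

# Usage on the box:  iptables -L RH-Lokkit-0-50-INPUT | sh open_ssh.sh 22
if [ $# -eq 1 ]; then
    plan_ssh_open "$1"
fi
```

Rule changes made with iptables take effect immediately, so no activation step is needed; what is needed is `service iptables save` so the rule survives a reboot, and rerunning lokkit rewrites /etc/sysconfig/iptables and drops it again. The `-v` listing is also the quickest check that the chain is really what refuses the connection: if the packet counter on the `dpts:0:1023` REJECT does not move while the remote ssh attempt fails, the block is somewhere else (sshd not listening on the external address per `netstat -ltn`, or filtering on the other host).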


Thanks, I'll try that out. I guess, though, in addition to getting a working system (I mean, I could always just reinstall...), I'd like to understand what I was missing previously.


It'll help you a lot... it works very well... I have always said learn by example... *REAL* examples... *WORKING* examples....


That is what I have given you...


There are quite a few books on IPTABLES.... New Riders has a couple of good books on IPTABLES.

