Old 07-10-2008, 10:40 PM
MHR
 
Understanding iptables

On Thu, Jul 10, 2008 at 3:17 PM, Barry Brimer <lists@brimer.org> wrote:
> Quoting MHR <mhullrich@gmail.com>:
>
>> In following up on the rsh "problem" I was having earlier, I decided
>> to try out the suggestion Felipe sent about using
>> system-config-securitylevel-tui to open up ports 513 and 514, but that
>> doesn't seem to do the job, either.
>
> I could be remembering this wrong, but I believe these are udp, not tcp.
>
> Barry

According to http://www.spirit.com/Resources/ports.html, the udp
services on those ports are who and syslog....

Thanks.

mhr
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 07-10-2008, 10:59 PM
"William L. Maltby"
 
Understanding iptables

On Thu, 2008-07-10 at 15:40 -0700, MHR wrote:
> On Thu, Jul 10, 2008 at 3:17 PM, Barry Brimer <lists@brimer.org> wrote:
> > Quoting MHR <mhullrich@gmail.com>:
> >
> >><snip>

> >> system-config-securitylevel-tui to open up ports 513 and 514, but that
> >> doesn't seem to do the job, either.
> >
> > I could be remembering this wrong, but I believe these are udp, not tcp.
> >
> > Barry
>
> According to http://www.spirit.com/Resources/ports.html, the udp
> services on those ports are who and syslog....

From the authoritative /etc/services

:g/51[34]/p
login 513/tcp
who 513/udp whod
shell 514/tcp cmd # no passwords used
syslog 514/udp

Just thought you should know that you have this and /etc/protocols
locally so you don't have to trust some unknown website.

And it's faster to lookup locally, of course.

>
> Thanks.
>
> mhr
> <snip sig stuff>

--
Bill

 
Old 07-11-2008, 01:29 AM
"Filipe Brandenburger"
 
Understanding iptables

On Thu, Jul 10, 2008 at 6:08 PM, MHR <mhullrich@gmail.com> wrote:
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:login
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:shell

It seems right to me...

Try using "iptables -vL", it will show you how many packets have
matched that rule. Then try to rsh or rlogin and see if the numbers
change. That should give you a clue to whether it's working or not.

HTH,
Filipe


P.S.: Once again: although it's great that you are digging into the
problem, using iptables, and learning a lot on the process, you should
*REALLY* consider ditching rsh/rlogin and sticking to SSH. I would
consider using rsh/rlogin instead of SSH today about the same as using
gopher instead of the WWW these days (for those of you who still
remember it).
 
Old 07-11-2008, 01:43 AM
"Spiro Harvey, Knossos Networks Ltd"
 
Understanding iptables

> P.S.: Once again: although it's great that you are digging into the
> problem, using iptables, and learning a lot on the process, you should
> *REALLY* consider ditching rsh/rlogin and sticking to SSH. I would
> consider using rsh/rlogin instead of SSH today about the same as using
> gopher instead of the WWW these days (for those of you who still
> remember it).


what are you talking about? I'm writing a Tor wrapper that funnels all
my http requests thru gopher for extra security. It's called Gor. And
I'm writing it in GW-BASIC!


we don't need no steenkin new fangled tecnomologies.

next you'll be telling me our internets shouldn't use tubes.


--
Spiro Harvey Knossos Networks Ltd
021-295-1923 www.knossos.net.nz

 
Old 07-11-2008, 01:53 AM
MHR
 
Understanding iptables

On Thu, Jul 10, 2008 at 6:29 PM, Filipe Brandenburger
<filbranden@gmail.com> wrote:
>
> Try using "iptables -vL", it will show you how many packets have
> matched that rule. Then try to rsh or rlogin and see if the numbers
> change. That should give you a clue to whether it's working or not.
>

Before:

6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
619 22772 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

[summarized to include only the relevant ports]

After:

6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
619 22772 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

Interesting that the shell count went up to 6 and the reject count did
not change, but no login occurred:

[mrichter@khan mrichter]$ rsh sushi ls
sushi: Connection refused

I might not have waited long enough for the reject count to go up -
just repeated the experiment and got this:

[before]
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
627 23044 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

[after]
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
12 720 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
628 23072 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

But why is it still rejecting the login, or is it the placement of the lines?

> P.S.: Once again: although it's great that you are digging into the
> problem, using iptables, and learning a lot on the process, you should
> *REALLY* consider ditching rsh/rlogin and sticking to SSH. I would
> consider using rsh/rlogin instead of SSH today about the same as using
> gopher instead of the WWW these days (for those of you who still
> remember it).

Did that - this is just for my better understanding of the whole setup.
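The counter comparison Filipe suggests (snapshot the chain before and after the connection attempt and see which rules' counters moved) can be scripted. The following is an added example, not code from the thread; it works on constructed snapshots modelled on the output above and assumes `iptables -nvL` output (numeric ports, one rule per line) rather than the `-vL` form quoted in the post.

```python
import re

# Constructed sample snapshots (modelled on the thread's before/after output,
# not captured from the original poster's host). `-n` prints ports numerically,
# and iptables prints each rule on a single line.
BEFORE = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:513
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:514
  619 22772 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""
# Same chain after one rsh attempt: only the port-514 ACCEPT rule moved.
AFTER = BEFORE.replace("    0     0 ACCEPT", "    6   360 ACCEPT")

# `iptables -v` abbreviates large counters (K/M/G, decimal); `-x` prints exact values.
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def _count(token):
    """Turn '360', '22K' or '1M' into an integer."""
    return int(token[:-1]) * SUFFIX[token[-1]] if token[-1] in SUFFIX else int(token)


def parse_snapshot(text):
    """Map (chain, rule position) -> (pkts, bytes, rule text) from `iptables -nvL` output."""
    rules, chain, pos = {}, None, 0
    for line in text.splitlines():
        m = re.match(r"^Chain (\S+)", line)
        if m:
            chain, pos = m.group(1), 0
            continue
        parts = line.split(None, 9)  # pkts bytes target prot opt in out src dst [matches]
        if chain is None or len(parts) < 9 or not parts[0].isdigit():
            continue  # blank line or the column header
        pos += 1
        rules[(chain, pos)] = (int(parts[0]), _count(parts[1]), " ".join(parts[2:]))
    return rules


def counter_deltas(before, after):
    """Rules whose counters moved between snapshots: (chain, pos, rule text, d_pkts, d_bytes)."""
    deltas = []
    for key, (p0, b0, text) in before.items():
        # Only compare a position if the rule text still matches; if the rule
        # list was edited between snapshots the counters are not comparable.
        if key in after and after[key][2] == text:
            p1, b1, _ = after[key]
            if (p1, b1) != (p0, b0):
                deltas.append((key[0], key[1], text, p1 - p0, b1 - b0))
    return deltas


if __name__ == "__main__":
    for chain, pos, text, dp, db in counter_deltas(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(f"{chain} rule {pos}: +{dp} pkts, +{db} bytes  {text}")
```

An ACCEPT counter that rises while the REJECT counter stays flat means the firewall passed the packet, so a "Connection refused" then comes from the host having nothing listening on that port, which is what the netstat check later in the thread looks for.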
 
Old 07-11-2008, 01:58 AM
MHR
 
Understanding iptables

On Thu, Jul 10, 2008 at 6:43 PM, Spiro Harvey, Knossos Networks Ltd
<spiro@knossos.net.nz> wrote:
>
> next you'll be telling me our internets shouldn't use tubes.
>

You're up to tubes? Hippy freak!

mhr
 
Old 07-11-2008, 02:36 AM
"Filipe Brandenburger"
 
Understanding iptables

On Thu, Jul 10, 2008 at 9:53 PM, MHR <mhullrich@gmail.com> wrote:
> [mrichter@khan mrichter]$ rsh sushi ls
> sushi: Connection refused

Are you sure the daemons are up and listening on those ports? What
does "netstat -ltp" say on sushi?

Filipe
 
Old 07-11-2008, 02:42 AM
Robert Spangler
 
Understanding iptables

On Thursday 10 July 2008 18:08, MHR wrote:

> In following up on the rsh "problem" I was having earlier, I decided
> to try out the suggestion Felipe sent about using
> system-config-securitylevel-tui to open up ports 513 and 514, but that
> doesn't seem to do the job, either.
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere

[snip]

I hate reading the firewall like this.
Could you post /etc/sysconfig/iptables?


--

Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org
 
Old 07-11-2008, 02:49 AM
"Filipe Brandenburger"
 
Understanding iptables

On Thu, Jul 10, 2008 at 10:42 PM, Robert Spangler
<mlists@zoominternet.net> wrote:
> Could you post /etc/sysconfig/iptables?

/etc/sysconfig/iptables doesn't necessarily reflect what is running
right now, and you can't include the counters with it.

An acceptable compromise would be posting the output of the
"iptables-save -c" command, which doesn't have the two issues above.

However, I still think that anyone handling firewalls on Linux using
iptables should be familiar with the output of "iptables -nvL" which
IMO is quite useful itself.

Filipe
 
Old 07-11-2008, 11:15 AM
"William L. Maltby"
 
Understanding iptables

On Thu, 2008-07-10 at 21:29 -0400, Filipe Brandenburger wrote:
> <snip>

> P.S.: Once again: although it's great that you are digging into the
> problem, using iptables, and learning a lot on the process, you should
> *REALLY* consider ditching rsh/rlogin and sticking to SSH. I would
> consider using rsh/rlogin instead of SSH today about the same as using
> gopher instead of the WWW these days (for those of you who still
> remember it).

Of course! And it has a new career too! NASCAR on Fox has an "in track"
camera system that uses gopher as its character. They have named it
"Digger".

> <snip sig stuff>

--
Bill

 