[Tfug] OK guys enough
Brian Murphy
tfug@tfug.org
Tue Jul 9 15:48:01 2002
On Tue, Jul 09, 2002 at 07:19:27AM -0700, Erich Flothmeier wrote:
> Linux security is much improved since the dark days of
> kernel 2.0.35. It's almost too good: for example I can't log onto
> my new machine from an existing machine. I keep getting a "connection
> refused" message. Telnet and rsh are out. What are some things besides
> the Security_HOWTO that I can get. I don't want to compromise security
> on this machine. I want to know how to authenticate to it in today's
> Linux world.
Sounds like you may have kernel firewalling on.
ipchains -L will show you. Here is an example:
# ipchains -L
Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT tcp -y---- anywhere anywhere any -> ssh
ACCEPT udp ------ lyra.U.Arizona.EDU anywhere domain -> 1025:65535
ACCEPT all ------ anywhere anywhere n/a
REJECT tcp -y---- anywhere anywhere any -> 0:1023
REJECT tcp -y---- anywhere anywhere any -> nfs
REJECT udp ------ anywhere anywhere any -> 0:1023
REJECT udp ------ anywhere anywhere any -> nfs
REJECT tcp -y---- anywhere anywhere any -> x11:6009
REJECT tcp -y---- anywhere anywhere any -> xfs
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
If you don't see all of the ACCEPT and REJECT lines, then you don't have
it, and can ignore this email.
If you do have it, and are on Red Hat, you'll have a file named
/etc/sysconfig/ipchains. Here is my copy:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 22 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
-A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT
Copy and paste the second input filter and replace 22 with whatever port
you want open (22 is SSH). The ipchains man page has full details.
Brian
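Added here as an illustration, not part of Brian's mail: a small Python evaluator for the /etc/sysconfig/ipchains rule lines above that applies the first-match-wins order ipchains uses, so you can check why a given port comes back "connection refused" and confirm that a pasted ACCEPT line lands before the 0:1023 REJECT range (a copy appended at the end of the file would never be reached for a low port). The rule text is a constructed subset of the file in the mail; `parse_rules`, `verdict` and `allow_tcp_port` are names assumed for this example, and only the options that file actually uses are understood.

```python
# Added example, not from the post: evaluate /etc/sysconfig/ipchains-style
# rules the way ipchains does (first matching rule wins, else chain policy).
SAMPLE = """\
:input ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 22 -y -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT
-A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
"""  # constructed subset of the file quoted in the mail
OPTS = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}
def parse_rules(text):  # returns ({chain: policy}, [rule dicts])
    policies, rules = {}, []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("#"):
            continue
        if toks[0].startswith(":"):              # ":input ACCEPT" = chain policy
            policies[toks[0][1:]] = toks[1]
            continue
        r, i = dict(chain=None, target=None, proto=None, iface=None, syn=False, ports=None), 0
        while i < len(toks):
            t = toks[i]
            if t in OPTS:                         # -A chain / -p proto / -i iface / -j target
                r[OPTS[t]] = toks[i + 1]; i += 2
            elif t == "-d":                       # "-d 0/0 22" or "-d 0/0 0:1023"; 0/0 = any host
                i += 2
                if i < len(toks) and not toks[i].startswith("-"):
                    lo, _, hi = toks[i].partition(":")
                    r["ports"] = (int(lo), int(hi or lo)); i += 1
            elif t == "-y":                       # SYN only: matches new TCP connections
                r["syn"] = True; i += 1
            else:                                 # "-s 0/0" and anything else: skip
                i += 1
        rules.append(r)
    return policies, rules
def verdict(text, proto, dport, iface="eth0", syn=True, chain="input"):
    policies, rules = parse_rules(text)           # target of first matching rule
    for r in rules:
        if (r["chain"] == chain and r["proto"] in (None, proto)
                and r["iface"] in (None, iface) and (syn or not r["syn"])
                and (r["ports"] is None or r["ports"][0] <= dport <= r["ports"][1])):
            return r["target"]
    return policies.get(chain, "ACCEPT")          # no rule matched: chain policy
def allow_tcp_port(text, port):  # copy the ssh line for `port`, right after it
    lines = text.splitlines()
    ssh = "-A input -p tcp -s 0/0 -d 0/0 22 -y -j ACCEPT"
    lines.insert(lines.index(ssh) + 1, ssh.replace(" 22 ", f" {port} "))
    return "\n".join(lines) + "\n"
```

Appending the new ACCEPT line at the end of the file instead leaves a low port still REJECTed by the 0:1023 rule, which `verdict` will show.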