On Thu, Jul 10, 2008 at 6:29 PM, Filipe Brandenburger filbranden@gmail.com wrote:
Try using "iptables -vL", it will show you how many packets have matched that rule. Then try to rsh or rlogin and see if the numbers change. That should give you a clue to whether it's working or not.
Before:
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
619 22772 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
[summarized to include only the relevant ports]
After:
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
619 22772 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Interesting that the shell count went up to 6 and the reject count did not change, but no login occurred:
[mrichter@khan mrichter]$ rsh sushi ls
sushi: Connection refused
I might not have waited long enough for the reject count to go up - just repeated the experiment and got this:
[before]
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
627 23044 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
[after]
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
12 720 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
628 23072 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
But why is it still rejecting the login, or is it the placement of the lines?
P.S.: Once again: although it's great that you are digging into the problem, using iptables, and learning a lot in the process, you should *REALLY* consider ditching rsh/rlogin and sticking to SSH. I would consider using rsh/rlogin instead of SSH today about the same as using gopher instead of the WWW these days (for those of you who still remember it).
Did that - this is just for my better understanding of the whole setup.
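The before/after counter check suggested above can be scripted so the changed rules stand out. The following is an added example, not code from anyone in the thread; the two snapshots are constructed from the counts quoted in the second experiment, and the chain header and column line are assumed to look like stock `iptables -vL` output.

```shell
#!/bin/sh
# Added example, not from the thread: compare two "iptables -vL" snapshots and
# report which rules' packet counters moved between them. The snapshots are
# constructed from the counts quoted above (chain header and column line assumed).

BEFORE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
    6   360 ACCEPT tcp  --  any any anywhere anywhere state NEW tcp dpt:login
    6   360 ACCEPT tcp  --  any any anywhere anywhere state NEW tcp dpt:shell
  627 23044 REJECT all  --  any any anywhere anywhere reject-with icmp-host-prohibited'

AFTER='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source   destination
    6   360 ACCEPT tcp  --  any any anywhere anywhere state NEW tcp dpt:login
   12   720 ACCEPT tcp  --  any any anywhere anywhere state NEW tcp dpt:shell
  628 23072 REJECT all  --  any any anywhere anywhere reject-with icmp-host-prohibited'

# counter_delta BEFORE AFTER
# Prints "<pkts_delta> <target> <match...>" for every rule whose packet count
# changed. Rule lines are those starting with a numeric pkts column; a rule is
# identified by its target (field 3) plus the match text from field 10 onward,
# which is what "iptables -vL" prints after the source/destination columns.
counter_delta() {
  printf '%s\n---\n%s\n' "$1" "$2" | awk '
    /^---$/ { after = 1; next }          # separator between the two snapshots
    $1 !~ /^[0-9]+$/ { next }            # skip the chain header and column names
    {
      key = $3
      for (i = 10; i <= NF; i++) key = key " " $i
      if (!after) { before[key] = $1; next }
      delta = $1 - before[key]
      if (delta != 0) print delta, key
    }'
}

# An ACCEPT rule's counter moving while the REJECT rule barely changes means the
# firewall passed the new connection, so a client-side error was produced
# somewhere past these rules (e.g. nothing listening on the destination port),
# not by the firewall itself.
counter_delta "$BEFORE" "$AFTER"
# Output:
# 6 ACCEPT state NEW tcp dpt:shell
# 1 REJECT reject-with icmp-host-prohibited
```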