[CentOS] Understanding iptables
MHR
mhullrich at gmail.com
Fri Jul 11 01:53:12 UTC 2008
On Thu, Jul 10, 2008 at 6:29 PM, Filipe Brandenburger
<filbranden at gmail.com> wrote:
>
> Try using "iptables -vL", it will show you how many packets have
> matched that rule. Then try to rsh or rlogin and see if the numbers
> change. That should give you a clue as to whether it's working or not.
>
Before:
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
619 22772 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
[summarized to include only the relevant ports]
After:
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
619 22772 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Interesting that the shell count went up to 6 and the reject count did
not change, but no login occurred:
[mrichter at khan mrichter]$ rsh sushi ls
sushi: Connection refused
I might not have waited long enough for the reject count to go up -
just repeated the experiment and got this:
[before]
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
627 23044 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
[after]
6 360 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:login
12 720 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:shell
628 23072 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
But why is it still rejecting the login, or is it the placement of the lines?
> P.S.: Once again: although it's great that you are digging into the
> problem, using iptables, and learning a lot in the process, you should
> *REALLY* consider ditching rsh/rlogin and sticking to SSH. I would
> consider using rsh/rlogin instead of SSH today about the same as using
> gopher instead of the WWW these days (for those of you who still
> remember it).
Did that - this is just for my better understanding of the whole setup.
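The "do the numbers change" check from the thread, as an added example (this is not code from the thread or from the iptables project). It parses two snapshots of `iptables -vL` output, matches rules by position within each chain, and reports which rules saw packets between the snapshots. The chain header and column-header lines in the sample snapshots are constructed; the per-rule counts are the ones quoted above. A rising counter on the ACCEPT rule for the shell port means the SYN passed the filter, and a REJECT with icmp-host-prohibited would surface on the client as "No route to host" rather than "Connection refused", so that refusal comes from the host behind the firewall (nothing listening on the port), not from the rule ordering.

```python
"""Compare two `iptables -vL` snapshots and report which rules saw traffic.

Added example, not from the thread or the iptables project. Counter
abbreviations (K/M/G, 1000-based, printed unless -x is given) are handled.
"""
import re
from typing import List, NamedTuple

# Constructed snapshots: the rules before and after one `rsh sushi ls`
# attempt; the chain name and headers are assumed, the counts are from the mail.
BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  627 23044 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""
AFTER = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   360 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:login
   12   720 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:shell
  628 23072 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""


class Rule(NamedTuple):
    chain: str
    index: int    # position within the chain; snapshots are matched by position
    pkts: int
    bytes: int
    target: str
    proto: str
    match: str    # trailing match text, e.g. "state NEW tcp dpt:shell"


_CHAIN_RE = re.compile(r"^Chain (\S+)")
# columns: pkts bytes target prot opt in out source destination [match ...]
_RULE_RE = re.compile(
    r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"\s+(\S+)\s+(\S+)\s*(.*)$"
)
_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


def parse_counter(text: str) -> int:
    """Turn an iptables counter such as '23044' or '12K' into an int."""
    if text[-1] in _SUFFIX:
        return int(text[:-1]) * _SUFFIX[text[-1]]
    return int(text)


def parse_listing(text: str) -> List[Rule]:
    """Parse `iptables -vL` output into Rule records, chain by chain."""
    rules: List[Rule] = []
    chain, index = None, 0
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain, index = m.group(1), 0
            continue
        m = _RULE_RE.match(line)
        if m is None or chain is None:
            continue  # column header, blank line, or text before any chain
        pkts, byts, target, proto, _opt, _in, _out, _src, _dst, extra = m.groups()
        rules.append(Rule(chain, index, parse_counter(pkts), parse_counter(byts),
                          target, proto, extra.strip()))
        index += 1
    return rules


def diff_counters(before: str, after: str) -> List[dict]:
    """Per-rule packet/byte deltas between two snapshots of the same ruleset."""
    old, new = parse_listing(before), parse_listing(after)
    shape = lambda rs: [(r.chain, r.target, r.proto, r.match) for r in rs]
    if shape(old) != shape(new):
        raise ValueError("rule set changed between snapshots; counters not comparable")
    deltas = []
    for o, n in zip(old, new):
        if n.pkts < o.pkts or n.bytes < o.bytes:
            raise ValueError(f"counter went backwards on {o.chain}[{o.index}] "
                             "(counters zeroed or rules reloaded?)")
        deltas.append({"chain": o.chain, "index": o.index,
                       "rule": " ".join(x for x in (o.target, o.proto, o.match) if x),
                       "pkts": n.pkts - o.pkts, "bytes": n.bytes - o.bytes})
    return deltas


def rules_that_matched(before: str, after: str) -> List[dict]:
    """Only the rules whose packet counter moved between the snapshots."""
    return [d for d in diff_counters(before, after) if d["pkts"] > 0]


if __name__ == "__main__":
    for d in rules_that_matched(BEFORE, AFTER):
        print(f"{d['chain']}[{d['index']}] {d['rule']}: +{d['pkts']} pkts, +{d['bytes']} bytes")
```

Run `iptables -vnL > before.txt`, make the connection, `iptables -vnL > after.txt`, and feed both files to `rules_that_matched`; `-n` avoids DNS and service-name lookups and `-x` prints exact counters if the K/M/G rounding matters.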