Red Hat 8.0 Firewall woes

2 Posts
Location -
Joined 2003-04-06
I just installed RHL 8.0 on a crappy old box. I intend to use it as a gateway and webserver and didn't install X. It doesn't have much RAM anyway.
 
So, when I installed it, I selected the "medium" firewall setting, which apparently blocks all ports through 1023 and two more. That means ssh is blocked, so my task was to figure out how to allow ssh to this box WITHOUT USING A GUI TOOL. Should be simple enough, right? Just use iptables.
 
Here's the default iptables listing for the system:
 

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     tcp  --  anywhere             anywhere           tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:nfs reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere           tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
 
Well, let me just list some things that haven't worked.
 
1) Adding an 'ACCEPT' rule to the RH-LOKKIT table for tcp on port 22.
2) Flushing the INPUT table so it doesn't send packets through the firewall rules, or changing it to ACCEPT all from anywhere.
3) Changing sshd to listen at ports 2002 and 8002 -- which shouldn't even be covered by the firewall.
 
This is with the default install of sshd and firewall -- I haven't changed any sshd options other than the port. In all cases, I can ssh to the box from localhost, ssh out from the box to my other box (the DHCP server), but not ssh from my other box to this box (as either root or regular user) -- the connection is denied. In all cases, nmap shows a bunch of ports free locally on the box but shows no ports open from my dhcp server.
 
The only thing I can think of is that (a) iptables needs some command to actually activate the rule changes I make -- I'm assuming everything is effective immediately -- or (b) something is wonky about iptables on my DHCP server -- I can't imagine what, though.
 
Any advice, please?
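The poster's attempts 1 and 3, walked through as an added example that is not part of the thread: a small Python model of iptables' first-match evaluation over the RH-Lokkit-0-50-INPUT chain from the listing, assuming the leading ACCEPT-all rule is Lokkit's usual loopback rule (iptables -L without -v does not print the interface). It shows why an ACCEPT for tcp/22 appended after the tcp 0:1023 REJECT never fires while the same rule inserted as rule number 2 does, and that port 2002 is outside the chain's reach.

```python
# Added example (not from the thread): first-match model of the chain listed above.
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                  # "ACCEPT" or "REJECT"
    proto: str = "all"           # "all", "tcp" or "udp"
    dports: tuple = (0, 65535)   # inclusive destination-port range
    syn_only: bool = False       # "flags:SYN,RST,ACK/SYN": only SYN packets match
    in_iface: str = None         # "-i" match; "iptables -L" does not print it

    def matches(self, proto, dport, syn, iface):
        return (self.in_iface in (None, iface) and self.proto in ("all", proto)
                and self.dports[0] <= dport <= self.dports[1]
                and (syn or not self.syn_only))

def lokkit_chain():
    """RH-Lokkit-0-50-INPUT as listed. Assumption: the leading ACCEPT-all rule is
    Lokkit's usual '-i lo' rule; -L without -v hides the interface."""
    return [
        Rule("ACCEPT", in_iface="lo"),
        Rule("REJECT", "tcp", (0, 1023), syn_only=True),     # tcp dpts:0:1023
        Rule("REJECT", "tcp", (2049, 2049), syn_only=True),  # tcp dpt:nfs
        Rule("REJECT", "udp", (0, 1023)),                    # udp dpts:0:1023
        Rule("REJECT", "udp", (2049, 2049)),                 # udp dpt:nfs
        Rule("REJECT", "tcp", (6000, 6009), syn_only=True),  # tcp dpts:x11:6009
        Rule("REJECT", "tcp", (7100, 7100), syn_only=True),  # tcp dpt:xfs
    ]

def verdict(chain, proto, dport, syn=True, iface="eth0", policy="ACCEPT"):
    """First matching rule decides; with no match, the INPUT policy applies."""
    for rule in chain:
        if rule.matches(proto, dport, syn, iface):
            return rule.target
    return policy

def ssh_after_append():
    """'iptables -A RH-Lokkit-0-50-INPUT -p tcp --dport 22 -j ACCEPT' puts the
    rule after the tcp 0:1023 REJECT, which still matches the SYN first."""
    chain = lokkit_chain() + [Rule("ACCEPT", "tcp", (22, 22))]
    return verdict(chain, "tcp", 22)   # "REJECT"

def ssh_after_insert():
    """'iptables -I RH-Lokkit-0-50-INPUT 2 -p tcp --dport 22 -j ACCEPT' makes it
    rule number 2, ahead of every REJECT, so a new SSH connection is accepted."""
    chain = lokkit_chain()
    chain.insert(1, Rule("ACCEPT", "tcp", (22, 22)))
    return verdict(chain, "tcp", 22)   # "ACCEPT"
```

On the box itself the working form is the `-I ... 2` command; iptables changes take effect immediately, but on Red Hat 8.0 they are lost at reboot unless written to /etc/sysconfig/iptables, which is what the iptables init script loads.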


Responses to this topic


2 Posts
Location -
Joined 2003-04-06
OP
Thanks, I'll try that out. I guess, though, in addition to getting a working system (I mean, I could always just reinstall...), I'd like to understand what I was missing previously.

64 Posts
Location -
Joined 2003-01-03
It'll help you a lot... it works very well... I have always said learn by example... *REAL* examples... *WORKING* examples....
 
That is what I have given you...
 
There are quite a few books on IPTABLES.... New Riders has a couple of good books on IPTABLES.