more on non-working ssh

Mike Parson yellowdog-general@lists.terrasoftsolutions.com
Tue Mar 30 15:09:01 2004


On Tue, Mar 30, 2004 at 04:00:26PM -0600, Dan Day wrote:
> On Mar 30, 2004, at 3:52 PM, Longman, Bill wrote:
>>> iptables can give you a big headache if you're not up on your
>>> networking and firewall theory type stuff.  Instead of attacking
>>> iptables directly, try using lokkit, which gives you an easier to
>>> use interface to the iptables rules.
>>
>> LOL! That's what put the rules in!!!
>>
>> So much for your "ease of use" argument, Mike....
>>
>> Well, then again, maybe not. I guess it's *too* easy! Any ole boffin
>> can now stuff up their 'puter!
>>
>> I'm not knocking you guys, Dan or Nathan. I've been on the same
>> receiving end of a beating with the clueless stick....Lord knows
>> *that's* a fact!
>
> I'll be the first to admit I had no idea what iptables were before
> this so no offense taken or anything. I'm still learning. So what put
> those rules in to begin with? I've certainly never edited the iptables
> or used lokkit directly. Unless something else I was messing with
> added those rules I'm still clueless as to how they got there.

Those look like the default lokkit rules for the 'medium' firewall
setting from when you first installed YDL.

See my previous post on how to add ssh to your allowed protocols list
via lokkit, or add the line:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

to /etc/sysconfig/iptables, right after the one that looks like:

-A INPUT -j RH-Lokkit-0-50-INPUT

Mine, freshly configured with medium settings + ssh:

[/etc/sysconfig]# cat iptables 
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT


I say using lokkit was easier than figuring out, just from the man page:

iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

-- 
Michael Parson
mparson@bl.org