more on non-working ssh
Mike Parson
yellowdog-general@lists.terrasoftsolutions.com
Tue Mar 30 15:09:01 2004
On Tue, Mar 30, 2004 at 04:00:26PM -0600, Dan Day wrote:
> On Mar 30, 2004, at 3:52 PM, Longman, Bill wrote:
>>> iptables can give you a big headache if you're not up on your
>>> networking and firewall theory type stuff. Instead of attacking
>>> iptables directly, try using lokkit, which gives you an easier to
>>> use interface to the iptables rules.
>>
>> LOL! That's what put the rules in!!!
>>
>> So much for your "ease of use" argument, Mike....
>>
>> Well, then again, maybe not. I guess it's *too* easy! Any ole boffin
>> can now stuff up their 'puter!
>>
>> I'm not knocking you guys, Dan or Nathan. I've been on the same
>> receiving end of a beating with the clueless stick....Lord knows
>> *that's* a fact!
>
> I'll be the first to admit I had no idea what iptables were before
> this so no offense taken or anything. I'm still learning. So what put
> those rules in to begin with? I've certainly never edited the iptables
> or used lokkit directly. Unless something else I was messing with
> added those rules I'm still clueless as to how they got there.
Those look like the default lokkit rules for the 'medium' firewall
setting when you first installed YDL.
See my prev post on how to add ssh to your allowed protocols list
via lokkit, or add the line:
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
to /etc/sysconfig/iptables, right after the one that looks like:
-A INPUT -j RH-Lokkit-0-50-INPUT
Mine, freshly configured with medium settings + ssh:
[/etc/sysconfig]# cat iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
I say using lokkit was easier than figuring out, just from the man page:
iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
--
Michael Parson
mparson@bl.org
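Added example, not part of the post or of lokkit: a small Python model of how iptables walks the chains above (first match wins; a user-defined chain with no match falls back to the caller). It shows why the ACCEPT line has to sit before the '--dport 0:1023' REJECT, and why the default 'medium' ruleset rejects ssh. The sample ruleset is constructed from the post; only -p, -i, --dport, --syn and -j are modelled.

```python
import shlex
# Constructed sample: lokkit's 'medium' ruleset from the post, before the ssh ACCEPT line is added.
MEDIUM = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
COMMIT
"""
SSH_RULE = "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT"

def parse(text):  # iptables-save text -> (chains, policies); only -p, -i, --dport, --syn, -j are modelled
    chains, policies = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                  # ':NAME POLICY [pkts:bytes]'; '-' means user-defined chain
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains[name] = []
        elif line.startswith("-A "):              # append a rule to chain argv[1]
            argv = shlex.split(line)
            rule = {tok: argv[i + 1] for i, tok in enumerate(argv) if tok in ("-p", "-i", "-j", "--dport")}
            rule["--syn"] = "--syn" in argv
            chains[argv[1]].append(rule)
    return chains, policies

def matches(rule, pkt):  # every modelled match in the rule must fit the packet
    lo, _, hi = rule.get("--dport", "0:65535").partition(":")
    return (rule.get("-p", pkt["proto"]) == pkt["proto"]
            and rule.get("-i", pkt["iface"]) == pkt["iface"]
            and (pkt["syn"] or not rule["--syn"])
            and int(lo) <= pkt["dport"] <= int(hi or lo))

def verdict(chains, policies, pkt, chain="INPUT"):  # first match wins, top to bottom
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule["-j"]
            if target not in chains:              # terminal target: ACCEPT, REJECT, DROP
                return target
            result = verdict(chains, policies, pkt, target)   # jump into a user-defined chain
            if result is not None:                # no match there -> continue in this chain
                return result
    return policies.get(chain)                    # built-in chain policy, None for user chains

def ssh_verdict(ruleset, iface="eth0"):  # fate of an inbound TCP SYN to port 22
    return verdict(*parse(ruleset), {"proto": "tcp", "dport": 22, "syn": True, "iface": iface})

def with_ssh_rule(ruleset, anchor):  # the post's fix: SSH_RULE directly after the line equal to anchor
    return ruleset.replace(anchor + "\n", anchor + "\n" + SSH_RULE + "\n", 1)
```

Placing SSH_RULE right after the '-A INPUT -j RH-Lokkit-0-50-INPUT' line yields ACCEPT; placing it after the 0:1023 REJECT leaves ssh rejected, since the REJECT matches first.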