LinuxQuestions.org
Old 07-01-2007, 07:27 AM   #1
gimmee
Member
 
Registered: Jul 2006
Location: New Zealand
Distribution: Fedora 17 64bit (Desktop) Fedora 15 (Laptop)
Posts: 98

Rep: Reputation: 16
FC6 need comments on my iptables please.


Hi all

Can someone help me understand my iptables? I am trying to understand how my port 22 is open, yet I don't see it being opened or blocked in iptables. Still getting a handle on this iptables stuff. I put in the rules for azureus (40260) and amsn (6890). Apart from that I don't think I have done anything for iptables.

The reason I ask is I can sftp into my FC6 desktop from my laptop, which is running Ubuntu and using Nautilus. Just doing little steps on this networking and sharing part so haven't used nfs, openssh or samba yet. Sftp works well at the moment to get access to the desktop. When I try and sftp to the Ubuntu laptop I get denied because port 22 is not open. So why is it blocked on Ubuntu when it doesn't show up in iptables, yet in my FC6 the port is open even though I don't think I have allowed it to be open?

Hope I haven't been too confusing.

I have done a listing of my ports and iptables on my FC6 Desktop:

Code:
[root@STI ~]#  nmap -sS -F -O 192.168.1.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-01 22:54 NZST
Interesting ports on STI (192.168.1.100):
Not shown: 1234 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
631/tcp  open  ipp
637/tcp  open  lanserver
2049/tcp open  nfs


Uptime 0.100 days (since Sun Jul  1 20:30:58 2007)

Nmap finished: 1 IP address (1 host up) scanned in 9.947 seconds


[root@STI ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6890:6900
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6890:6900
ACCEPT     udp  --  anywhere             anywhere            udp dpt:40260
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:40260
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Cheers

Gimmee (New Zealand)
 
Old 07-01-2007, 07:47 AM   #2
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 61
Most likely, the SSH service is not installed and running on the Ubuntu box.

I would suggest using Firestarter or Guarddog to configure iptables. This way, you will get a good firewall, without needing to understand too much iptables.

The line in iptables -L that shows port 22 open:
Code:
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
Fedora 6 does have a basic firewall config utility, but I can't remember exactly where it is. I think it may be System - Admin - Security?

--Ian
 
Old 07-01-2007, 06:04 PM   #3
kakaka
Member
 
Registered: Sep 2003
Posts: 382

Rep: Reputation: 86
Determining whether or not ssh is running

The command:

netstat -vepa

run from the command line as root, should tell you whether or not ssh is running on the local machine. The output for ssh could look like the following (it looks like it will wrap, but hopefully it will be helpful):

tcp 0 0 *:ssh *:* LISTEN root 8282 3291/sshd
 
Old 07-01-2007, 06:54 PM   #4
gimmee
Member
 
Registered: Jul 2006
Location: New Zealand
Distribution: Fedora 17 64bit (Desktop) Fedora 15 (Laptop)
Posts: 98

Original Poster
Rep: Reputation: 16
Hi all

In iptables on my FC6 desktop under:

Chain RH-Firewall-1-INPUT (2 references):

Does Fedora automatically put these in when I install and set up Fedora?

Also under my iptables -L there is

RH-Firewall-1-INPUT all -- anywhere anywhere

What does it mean? Am I letting everything through, and should I really remove it and only add my own rules like I have with aMSN and Azureus?

In general, what is best to access and share files in a simple home network: sftp, ssh, nfs, samba? I just used sFTP because it popped up on Nautilus under Network and haven't tried the other ways yet.

Thanks for your help on this. Getting a little clearer all the time.

Thanks

Gimmee (I don't want anything, that's just my nickname)
 
Old 07-02-2007, 01:11 AM   #5
grahamatlq
Member
 
Registered: Dec 2006
Posts: 37

Rep: Reputation: 17
I use shorewall (iptables & ip6tables).

Use Webmin to configure either iptables or shorewall.

Web based client that you can use for system configuration.

Takes a lot of the searching out of it.

All standard packages supported by Red Hat.

# yum install shorewall webmin
$ firefox http://localhost:10000 (or it might be https://...)

Log in as root and it's easy.
 
Old 07-02-2007, 05:56 AM   #6
IBall
Senior Member
 
Registered: Nov 2003
Location: Perth, Western Australia
Distribution: Ubuntu, Debian, Various using VMWare
Posts: 2,088

Rep: Reputation: 61
For sharing files over your local network - it depends on what other computers you have. If you need to share files with Windows, use Samba. If it is purely Linux, use NFS. SFTP / SCP will also work with either (obviously you would need putty on Windows), however transfers will be slower due to the encryption.

--Ian
 
Old 07-02-2007, 06:41 AM   #7
gimmee
Member
 
Registered: Jul 2006
Location: New Zealand
Distribution: Fedora 17 64bit (Desktop) Fedora 15 (Laptop)
Posts: 98

Original Poster
Rep: Reputation: 16
Hi there

Thanks for those replies. I have dual boot Windows/Linux on desktop and laptop, but the desktop never goes into Windows and the laptop does for when I do pic programming but mainly is on Linux 95%. I do have an iPAQ that is WM5 but I don't know if I would access Linux with it. Would probably set up samba as a learning exercise I think.

Will have a look at shorewall, I just read that as I have just printed out four articles and 400 pages on learning iptables.

I still show port 22 closed on the Ubuntu laptop even though I have opened it up in Firestarter. I must be missing something but have a bit more understanding than a couple of days ago. The learning never stops, does it?

On a side note and totally off the subject, my daughter is ecstatic that she can input and convert Japanese for her second language Japanese classes. Tried kinput2 and canna but couldn't get it to work, then set up scim-anthy on FC6 and it works great for her. I can't believe something like that is free, must cost a lot more for Windows.

Thanks again for all the helpful replies.

Cheers

Gimmee (New Zealand)

Last edited by gimmee; 07-02-2007 at 06:42 AM.
 
Old 07-02-2007, 08:34 AM   #8
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
FYI, ssh/scp/sftp are all aspects of the openssh daemon which runs on port 22 by default.
See the file /etc/services which lists all the officially IANA known services.
See the file hdr for more info.
Note that although the services have assigned port nums, that doesn't mean they are running on your machine.
They may not be installed, or they may be turned off.
The firewall rules determine whether the ports can actually be used, regardless of the state of the service.
See http://www.netfilter.org/ for more than you want to know about IPTABLES for Linux.
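To make the "which rule opens port 22" and "what does the RH-Firewall-1-INPUT jump mean" questions from posts #2 and #4 concrete, here is an added Python evaluator (not from the thread or from Fedora) that walks an `iptables -L` listing with the kernel's own first-match semantics, following jumps into user chains, and reports which rule decides a packet: a new TCP connection to port 22 is accepted by the `state NEW tcp dpt:ssh` rule inside RH-Firewall-1-INPUT, while port 40260 is decided in INPUT itself before the jump. Assumptions: the listing is abridged from post #1, the small service-name map stands in for /etc/services, and the `ACCEPT all -- anywhere anywhere` line at the top of RH-Firewall-1-INPUT is taken to be Fedora's loopback rule (`-i lo`), whose interface match `iptables -L` does not display; `hidden_lo=False` gives the literal reading, under which that rule accepts everything.

```python
# Constructed sample: INPUT and RH-Firewall-1-INPUT from post #1, abridged; the name map
# stands in for /etc/services, which the real tools consult to print "dpt:ssh".
SERVICES = {"ssh": 22, "http": 80, "nfs": 2049, "ipp": 631}
LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:40260
RH-Firewall-1-INPUT  all  --  anywhere             anywhere
Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""
def parse_listing(text):
    """Return {chain: [policy, [rules]]}; a rule keeps target, prot and match tokens."""
    chains, cur = {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["Chain"]:   # "Chain NAME (policy X)" or "Chain NAME (N references)"
            cur = chains.setdefault(w[1], [w[3].rstrip(")") if w[2] == "(policy" else None, []])
        elif w and w[0] != "target" and cur is not None:
            cur[1].append({"target": w[0], "prot": w[1], "extra": w[5:]})
    return chains
def rule_matches(rule, pkt, hidden_lo):
    port = lambda t: SERVICES.get(t) or int(t)
    extra = rule["extra"]
    if rule["prot"] not in ("all", pkt["proto"]):
        return False
    if rule["target"] == "ACCEPT" and rule["prot"] == "all" and not extra:
        # "ACCEPT all anywhere anywhere": -L hides interface matches. Assumption:
        # it is Fedora's loopback rule (-i lo); hidden_lo=False reads it literally.
        return pkt["iface"] == "lo" if hidden_lo else True
    for i, tok in enumerate(extra):
        if tok.startswith("dpt:") and port(tok[4:]) != pkt["dport"]:
            return False
        if tok == "state" and pkt["state"] not in extra[i + 1].split(","):
            return False
    return True
def verdict(chains, pkt, chain="INPUT", hidden_lo=True):
    """First-match walk that follows jumps into user chains: (verdict, chain, rule_no)."""
    policy, rules = chains[chain]
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt, hidden_lo):
            if rule["target"] not in chains:
                return rule["target"], chain, n
            v = verdict(chains, pkt, rule["target"], hidden_lo)  # jump into user chain
            if v[0] != "RETURN":
                return v
    return policy or "RETURN", chain, 0
```

On the real box, `iptables -L -v -n` (or `iptables-save`) shows the interface matches and per-rule counters that the plain `-L` listing hides, which is the quickest way to confirm that the first RH-Firewall-1-INPUT rule is loopback-only.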