LinuxQuestions.org


jrw3179 03-09-2003 11:52 PM

RedHat 8.0 networking help (newbie)
 
OK, I was searching through the threads here and I am confused, so sorry if this is a repeat, but I need to ask, so here goes.

I am running Redhat 8.0 downstairs on my computer. I am using cable through a D-Link router. I am running a MUD on the computer downstairs, and I can access it through my network no problems... I can access the mud even outside my network no problems. It runs on port 4444. Now I can access my server using Telnet on my network, but run into the problem of accessing it outside my network. I basically want to use it so I can program my MUD, not just from home, but from my school too.

This is where I am lost. I have messed with the firewall, no go. I messed with hosts.allow and all of that, no go.

PLEASE if anyone could help, I have been nonstop reading on this.

Thanks in advance,
JayMan

Pcghost 03-10-2003 12:17 AM

Are you trying to forward the port through the firewall? Also make sure you do the following.

echo 1 > /proc/sys/net/ipv4/ip_forward

That enables forwarding support. Then it's just a matter of writing the prerouting, forward, and postrouting rules in iptables. Give us a little more info on what you are trying to do and we'll be able to help more.

edit: Hey what's a MUD anyway? Just curious.

jrw3179 03-10-2003 12:33 AM

OK, I'll try my best to post what I need to.. I want to access my computer from outside my network. I have a MUD (Multi User Dungeon (word based game)) running on port 4444 and it works fine. When I try to access my server (port 23 using telnet) it will not let me use it outside my network. I can access my server on my other computer just fine. I want to be able to access, where I have all my coding files stored, from school. I have my firewall on my router and my virtual server set up right for my MUD and it works, I just can't access my computer from outside my house.
I believe it's Apache server. I am a partial newbie when it comes to this. Sooooo tell me what ya need to know and where to find it and I can do my best to get it.
Jay

peter_robb 03-10-2003 02:09 AM

Firstly,
don't use Telnet!
It sends logons and passwords in clear text. Anyone sniffing the network could read them, VERY easily, no joking!

Use the ssh server that comes with RH8.
service sshd start
At least then your communications are secure.
Use Putty for a client if you are starting from a Win pc.
Also look at 'man sshd_config' for configuration data.
The standard RH8 install is good tho'.

The firewall rules should allow port 22 from anywhere, but if you can narrow down the ip's you use, add them to the rule too.
Have a look at Firestarter to make doing the rules easier. A lot of members here use it happily :)

jrw3179 03-10-2003 02:51 AM

OK, thanks for the tip w/Telnet, I downloaded Firestarter and I like that A LOT. But I still can't access outside my network.. I went to add a rule to allow my school's host in the rules, and it said something to the effect of not being in the iptables... ???? (lost) also maybe I don't have Apache set up right and tidbits on how to set that up right... Maybe I am using the wrong port to access ..
I am desperate for any ideas... knowing my stupid luck I am overlooking the obvious.

Jay

peter_robb 03-10-2003 02:59 AM

From the RH box, open a command terminal and type lsmod.

You should get a list like...
root@peter ~# lsmod
Module Size Used by Tainted: P
es1371 30760 1 (autoclean)
ac97_codec 13416 0 (autoclean) [es1371]
gameport 3412 0 (autoclean) [es1371]
soundcore 6532 4 (autoclean) [es1371]
agpgart 43136 3 (autoclean)
nvidia 1592160 10 (autoclean)
parport_pc 19108 1 (autoclean)
lp 8996 0 (autoclean)
parport 37152 1 (autoclean) [parport_pc lp]
autofs 13348 0 (autoclean) (unused)
dmfe 17089 1
ne2k-pci 7296 0 (unused)
8390 8364 0 [ne2k-pci]
iptable_filter 2412 0 (autoclean) (unused)
ip_tables 15224 1 [iptable_filter]
ide-scsi 10512 0
scsi_mod 107240 1 [ide-scsi]
ide-cd 33608 0
cdrom 33696 0 [ide-cd]
nls_iso8859-1 3516 1 (autoclean)
nls_cp437 5148 1 (autoclean)
vfat 13084 1 (autoclean)
fat 38712 0 (autoclean) [vfat]
ext3 70368 1 (autoclean)
jbd 52244 1 (autoclean) [ext3]
mousedev 5524 0 (unused)
keybdev 2976 0 (unused)
hid 22244 0 (unused)
input 5920 0 [mousedev keybdev hid]
usb-uhci 26188 0 (unused)
usbcore 77024 1 [hid usb-uhci]
root@peter ~#

What's in your list?
Tip...
(Highlight it with the mouse and then paste it into the browser box with the middle mouse button.)

jrw3179 03-10-2003 03:01 AM

Module Size Used by Not tainted
ipt_ttl 1144 1 (autoclean)
ipt_unclean 7704 2 (autoclean)
ipt_limit 1560 34 (autoclean)
ipt_state 1048 5 (autoclean)
iptable_mangle 2776 0 (unused)
ipt_LOG 4184 1
ipt_MASQUERADE 2200 0 (unused)
ipt_TOS 1656 0 (unused)
ipt_REDIRECT 1368 0 (unused)
iptable_nat 19960 0 [ipt_MASQUERADE ipt_REDIRECT]
ip_conntrack_irc 3520 0 (unused)
ip_conntrack_ftp 5088 0 (unused)
ip_conntrack 21244 4 [ipt_state ipt_MASQUERADE ipt_REDIRECT iptable_nat ip_conntrack_irc ip_conntrack_ftp]
sr_mod 18136 0 (autoclean)
soundcore 6532 0 (autoclean)
r128 93176 1
agpgart 43072 3
nfsd 79920 8 (autoclean)
lockd 58064 1 (autoclean) [nfsd]
sunrpc 79324 1 (autoclean) [nfsd lockd]
tux 137592 2
autofs 13348 0 (autoclean) (unused)
3c59x 30640 1
ipt_REJECT 3736 0 (autoclean)
iptable_filter 2412 1 (autoclean)
ip_tables 14936 14 [ipt_ttl ipt_unclean ipt_limit ipt_state iptable_mangle ipt_LOG ipt_MASQUERADE ipt_TOS ipt_REDIRECT iptable_nat ipt_REJECT iptable_filter]
ide-scsi 10512 0
scsi_mod 107176 2 [sr_mod ide-scsi]
ide-cd 33608 0
cdrom 33696 0 [sr_mod ide-cd]
mousedev 5524 1
keybdev 2976 0 (unused)
hid 22244 0 (unused)
input 5888 0 [mousedev keybdev hid]
usb-uhci 26188 0 (unused)
usbcore 77024 1 [hid usb-uhci]
ext3 70368 2
jbd 52212 2 [ext3]

peter_robb 03-10-2003 03:18 AM

OK,
you have iptables running ok... looks like an rc.firewall.stronger script too.
type
iptables-save > /etc/sysconfig/iptables.saved
This will place a list of your rules into the file /etc/sysconfig/iptables.saved.
Mask your external ip number with xxx.xxx.xxx.xxx and please post it...
If my suspicions are correct, there will be some OUTPUT chain rules that need to be opened up...

jrw3179 03-10-2003 03:21 AM

xx.xxx.xx.xx, is that what ya mean?

peter_robb 03-10-2003 03:36 AM

Yeah, nobody out here needs to know what your external number is... :)

jrw3179 03-10-2003 03:56 AM

OK, that was it: xx.xxx.xx.xx

peter_robb 03-10-2003 04:16 AM

:)

pls post the file /etc/sysconfig/iptables.saved... with yr external number masked out... pls. :)

jrw3179 03-10-2003 04:24 AM

I hope this is what ya mean... pretty dang big... if it's not, please could ya delete heheheh
# Generated by iptables-save v1.2.6a on Mon Mar 10 04:33:58 2003
*mangle
:PREROUTING ACCEPT [7197:2167598]
:INPUT ACCEPT [5717:1684822]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6812:906477]
:POSTROUTING ACCEPT [7378:951905]
COMMIT
# Completed on Mon Mar 10 04:33:58 2003
# Generated by iptables-save v1.2.6a on Mon Mar 10 04:33:58 2003
*nat
:PREROUTING ACCEPT [1500:485384]
:POSTROUTING ACCEPT [798:39318]
:OUTPUT ACCEPT [798:39318]
COMMIT
# Completed on Mon Mar 10 04:33:58 2003
# Generated by iptables-save v1.2.6a on Mon Mar 10 04:33:58 2003
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:LD - [0:0]
:SANITY - [0:0]
:STATE - [0:0]
:UNCLEAN - [0:0]
-A INPUT -i eth0 -m unclean -j UNCLEAN
-A INPUT -s 192.168.0.1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 192.168.0.1 -p udp -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 4444 -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -p icmp -m limit --limit 10/sec -j ACCEPT
-A INPUT -s 1.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 2.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 5.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 7.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 23.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 27.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 31.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 36.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 37.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 39.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 41.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 42.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 58.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 59.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 60.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 69.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 70.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 71.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 72.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 73.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 74.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 75.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 76.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 77.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 78.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 79.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 82.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 83.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 84.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 85.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 86.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 87.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 88.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 89.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 90.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 91.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 92.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 93.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 94.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 95.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 96.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 97.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 98.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 99.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 100.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 101.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 102.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 103.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 104.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 105.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 106.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 107.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 108.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 109.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 110.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 111.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 112.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 113.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 114.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 115.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 116.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 117.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 118.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 119.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 120.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 121.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 122.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 123.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 124.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 125.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 126.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 128.66.0.0/255.255.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 172.16.0.0/255.240.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 197.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 221.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 222.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 223.0.0.0/255.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -s 240.0.0.0/240.0.0.0 -d 192.168.0.0/255.255.255.0 -i eth0 -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 31337 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 31337 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 33270 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 33270 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1234 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 6711 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 16660 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 60001 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 12345:12346 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 12345:12346 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 135 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 135 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1524 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 27665 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 27444 -m limit --limit 2/min -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 31335 -m limit --limit 2/min -j LD
-A INPUT -s 224.0.0.0/255.0.0.0 -j LD
-A INPUT -d 224.0.0.0/255.0.0.0 -j LD
-A INPUT -s 255.255.255.255 -j LD
-A INPUT -d 0.0.0.0 -j LD
-A INPUT -m state --state INVALID -j LD
-A INPUT -f -m limit --limit 10/min -j LD
-A INPUT -i eth0 -p tcp -m tcp --dport 67:68 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LD
-A INPUT -d 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1024:65535 -j STATE
-A INPUT -d 192.168.0.0/255.255.255.0 -p udp -m udp --dport 1023:65535 -j ACCEPT
-A INPUT -j LD
-A OUTPUT -o eth0 -m unclean -j UNCLEAN
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 31337 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 31337 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 33270 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 33270 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1234 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 6711 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 16660 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 60001 --tcp-flags SYN,RST,ACK SYN -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 12345:12346 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 12345:12346 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 135 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 135 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 1524 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p tcp -m tcp --dport 27665 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 27444 -m limit --limit 2/min -j LD
-A OUTPUT -s 192.168.0.0/255.255.255.0 -p udp -m udp --dport 31335 -m limit --limit 2/min -j LD
-A OUTPUT -s 224.0.0.0/255.0.0.0 -j LD
-A OUTPUT -d 224.0.0.0/255.0.0.0 -j LD
-A OUTPUT -s 255.255.255.255 -j LD
-A OUTPUT -d 0.0.0.0 -j LD
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m ttl --ttl-eq 64
-A OUTPUT -s 192.168.0.0/255.255.255.0 -o eth0 -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT
-A LD -j LOG
-A LD -j DROP
-A SANITY -j LD
-A STATE -i ! lo -m state --state NEW -j LD
-A STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATE -j LD
-A UNCLEAN -j LD
COMMIT
# Completed on Mon Mar 10 04:33:58 2003

peter_robb 03-10-2003 04:54 AM

(I've written this 1st line so many times I finally decided to delete it...)

The problem is in the OUTPUT chain where any replies to your port 23 requests don't have any permission to go back out...
The usual technique is to allow state ESTABLISHED,RELATED replies to go back out, but that doesn't happen here...
quote...
-A OUTPUT -d 0.0.0.0 -j LD
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m ttl --ttl-eq 64
-A OUTPUT -s 192.168.0.0/255.255.255.0 -o eth0 -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT

The first line I've quoted drops everything, making following rules useless... The default policy is supposed to do this work...
The 2nd line is a mistake, there is no -j to jump to...
The last line is the opposite of the default DROP POLICY and shouldn't be there.

So, I suggest you add this from a command line to get it working...
iptables -I OUTPUT 3 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

then have a read of this iptables tutorial and then a look at Firestarter to make writing rules easier.

Personally, the sooner you lose that script you are using, the better...
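
To make the reading of the OUTPUT chain above mechanical, here is a small linter (an added example, not code from the thread or from any project) that parses an iptables-save dump and reports a rule with no -j target, a trailing unconditional ACCEPT that makes the chain's DROP policy dead, a missing ESTABLISHED,RELATED accept rule, and any rule shadowed by an earlier catch-all; SAMPLE_DUMP is a constructed, shortened copy of the OUTPUT chain posted in the thread.

```python
"""Lint one chain of an iptables-save dump (added example, not from the thread).
It flags what peter_robb found in the OUTPUT chain above (a rule with no -j
target, an unconditional ACCEPT that makes the DROP policy dead) plus a missing
ESTABLISHED,RELATED accept and any rule shadowed by an earlier catch-all.
SAMPLE_DUMP is a constructed, shortened copy of the thread's OUTPUT chain."""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
SAMPLE_DUMP = """\
*filter
:OUTPUT DROP [0:0]
:LD - [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 224.0.0.0/255.0.0.0 -j LD
-A OUTPUT -d 0.0.0.0 -j LD
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -m ttl --ttl-eq 64
-A OUTPUT -s 192.168.0.0/255.255.255.0 -o eth0 -p icmp -j ACCEPT
-A OUTPUT -j ACCEPT
-A LD -j LOG
-A LD -j DROP
COMMIT
"""

def parse_filter_table(dump):
    """Return (chain -> policy, chain -> list of rule token lists) for *filter."""
    policies, chains, in_filter = {}, {}, False
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line[0] == "#" or line == "COMMIT":
            continue
        elif line.startswith(":"):            # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            chains.setdefault(chain, [])
        elif line.startswith("-A "):          # '-A CHAIN <match...> -j TARGET <opts>'
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return policies, chains

def split_rule(argv):
    """Split rule tokens into (match tokens, target or None, target options)."""
    if "-j" not in argv:
        return argv, None, []
    i = argv.index("-j")
    return argv[:i], argv[i + 1], argv[i + 2:]

def always_terminates(target, chains):
    """True when a jump to `target` never returns: a built-in terminating target,
    or a user chain (like LD, ending in a bare DROP) with an unconditional rule
    that itself always terminates."""
    if target in TERMINATING:
        return True
    if target not in chains:   # LOG, RETURN, unknown extension: assume it returns
        return False
    return any(not split_rule(r)[0] and always_terminates(split_rule(r)[1], chains)
               for r in chains[target])

def lint_chain(dump, chain="OUTPUT"):
    """Return findings for `chain`; rules are numbered from 1 as iptables does."""
    policies, chains = parse_filter_table(dump)
    findings, catch_all, has_state_accept = [], None, False
    for n, argv in enumerate(chains.get(chain, []), 1):
        match, target, _ = split_rule(argv)
        if catch_all is not None:
            findings.append(f"rule {n} is unreachable: rule {catch_all} already ends every packet")
            continue
        if target is None:
            findings.append(f"rule {n} has no -j target and only counts packets: {' '.join(argv)}")
        elif target == "ACCEPT" and "--state" in match:
            states = set(match[match.index("--state") + 1].split(","))
            has_state_accept |= {"ESTABLISHED", "RELATED"} <= states
        if not match and target and always_terminates(target, chains):
            catch_all = n
            if policies.get(chain) not in (None, "-", target):
                findings.append(f"rule {n} is an unconditional -j {target}, so the chain "
                                f"policy {policies[chain]} can never apply")
    if not has_state_accept:
        findings.append(f"{chain} lacks an ESTABLISHED,RELATED accept rule, so replies to "
                        "already-accepted connections get no explicit permission")
    return findings
```

Inserting the state rule from the post above (the `iptables -I OUTPUT 3 ...` line) into the dump clears the third finding; the other two only go away once the bare ttl rule and the trailing `-j ACCEPT` are removed.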

jrw3179 03-10-2003 05:09 AM

OK, I added that line you said to do... that iptables chart I can look at when I have some more time... So with that added line, will that fix the outgoing stuff on port 23? (sorry to seem stupid) but I just want to make sure I am doing this right..
1 more noob question... to configure the server part, could ya run it by me.. I just want to make sure my settings are correct... I have 4 options in X Windows
domain name service
http
nfs
services
I want to make sure I have it all set up

Thanks SOOO much... I fixed a few other probs from this board
I appreciate it
Jay

peter_robb 03-10-2003 05:48 AM

A couple of questions first...
By the look of the save time on the file, you are certainly working late..
It's 12:30am here so must be 5:30am your time...
Is there a better time to suit you?

2nd. I couldn't see any evidence of a 2nd eth on the RH box, so I'm assuming it's a standalone server.
You've mentioned that accessing local is ok, so the entire ruleset must be working ok if it is a standalone...
Which begs the question, is the upstream router in need of some tweaking for port 23? Maybe you are actually telnetting to the router???

Lastly, if this is the case, get ssh running and port forward the router for port 22 to the RH box.

jrw3179 03-10-2003 05:55 AM

Yea, it's standalone, and yea, it's 7 am heheeh (insomnia). This is my last post for tonight, gotta sleep sometime =) I don't know what ya mean by port fwding... I mean I get the idea that maybe what telnet is thinking is that I am trying to log in to the router.. understandable...
So what steps would I have to take to port fwd something...
I'll be back on tomorrow (well, today) in the afternoon, 5-6ish Eastern time

Thanks again for trying to help me out. I really do appreciate it,
Jay

jrw3179 03-10-2003 03:27 PM

back on here
ready to resume position hehehe
Jay

peter_robb 03-10-2003 03:45 PM

Welcome back...
My turn to see how long I last... :)

To recap, the first box the internet will see looking into your network, will be the router, yes?

If MUD is working ok from outside, there must be a rule in the router to allow port 4444 to go to the RH box.

To allow ssh, (coz I know you aren't going to use telnet, eh, ) another rule needs to be added to push port 22 to the RH server too.

jrw3179 03-10-2003 03:51 PM

Port 22? Why port 22.. I thought when accessing the shell it was default 23.. Please correct me if I am wrong, I just want to know for future sake.
I tried allowing access to port 22, and I still can't connect outside the network.. (I am logging into my school's Unix account and trying from there)
still no luck...
Any other advice?
Jay

peter_robb 03-10-2003 03:57 PM

Telnet uses port 23,
ssh uses port 22

Type 'netstat -tanp' on the RH box to see which servers are listening / connecting.

jrw3179 03-10-2003 04:10 PM

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1046/sshd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 1069/xinetd
OK, obviously they are not connected... where do I connect and how?
Jay

peter_robb 03-10-2003 04:23 PM

You can use a telnet client to connect to port 23
or an ssh client to connect to port 22.

But you need to check the firewall/router first to make sure it's going to pass the ports down to the RH box.

How did you get the port 4444 to pass ok?

jrw3179 03-10-2003 04:32 PM

OK, I have my router configured 192.xxx.x.xxx which is where my computer (server) is at.. I just allowed this address with port 4444 in my firewall on the router, and it was fine. I allowed 23 and 22 on the same address, but they don't work.. so internal is the problem.. I downloaded Firestarter and I am using that... I also have GNOME-lokkit on there also..
I am completely stumped why this doesn't wanna work..

peter_robb 03-10-2003 04:42 PM

Uh oh...

So the router is connected to the MUD server?
If so, how is it connected?
Directly or through a hub etc?

jrw3179 03-10-2003 04:54 PM

OK, maybe I am confused on how this is working... so let me start from scratch to understand this
OK, I have a 4 hub router with my 2 computers and my PS2.
1 computer has Windows XP
the other has Linux Redhat 8.0
then my PS2 is on the 3rd line from the router..
My virtual server is set at the IP my 2nd computer is on.. to allow port 4444 to go through... It works
Now I used another virtual server to allow 22 and 23 to go to the same computer...
Is this right??
Jay

peter_robb 03-10-2003 04:59 PM

BINGO! :D

Once we can be sure the connection gets through the router to the RH box, we adjust the RH rules to make it hum...

jrw3179 03-10-2003 05:03 PM

OK, that's a step in the right direction... So the router isn't blocking anything .. that's good. OK, to set up some RH rules, which rules and what firewalls to configure.. or even making sure the server is set up right.. is the next step, I take it?

peter_robb 03-10-2003 05:22 PM

Ok,
there are a lot of -j LD rules in the printout which are dumping messages, hopefully, into /var/log/messages.
In a terminal on the RH box, do
tail -f /var/log/messages to view them as they arrive,
and try to connect locally with telnet. Should be successful.
Make a note of any messages, then try to telnet from outside and see if the messages are different.
Make a copy if they are different and telnet doesn't connect, and post them. Also try as a regular user rather than root initially.
If the rules are blocking, they must be tracked to a specific rule then modified to work. :)

jrw3179 03-10-2003 05:36 PM

OK, I did that and it just kept repeating the same thing over and over...
Mar 10 18:41:19 jaymud last message repeated 2 times
Mar 10 18:41:21 jaymud kernel: IN= OUT=eth0 SRC=192.168.0.102 DST=xxx.x.x.x LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Mar 10 18:41:19 jaymud last message repeated 2 times
Mar 10 18:41:19 jaymud last message repeated 2 times
Mar 10 18:41:21 jaymud kernel: Device not ready. Make sure there is a disk in the drive.

???????
just keeps repeating that

peter_robb 03-10-2003 05:45 PM

OK,
that was from the OUTPUT chain, 'OUT=eth0'
I'm going to ask you to clear all the OUTPUT rules and change the OUTPUT policy to ACCEPT.
It's a safe thing to do, coz if you can't trust what your box is sending out, there are bigger problems to deal with...
Do you know how to start the firewall script again later?
if so, pls do
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
and try to telnet in from remote, watching /var/log/messages.

jrw3179 03-10-2003 05:58 PM

OK when i log in locally it says
login(pam_unix) [2061] session opened for xxxxxx
and shows me log out also...

but i tried connecting from outside, and it showed nothing .. and no connection was established

Jay

peter_robb 03-10-2003 06:05 PM

Ok, add these rules to improve the logging..
iptables -t nat -A PREROUTING -p tcp --dport 22:23 -j LOG --log-prefix "nat_in "
iptables -I INPUT -p tcp --dport 22:23 -j LOG --log-prefix "INPUT_in "

jrw3179 03-10-2003 06:48 PM

OK, I added those and still can't connect.. I was messing with Firestarter and opened up 23 and it still doesn't work...
I am frustrated beyond belief..
maybe my server is not set up right... wanna try that?
Jay (runnin outta ideas)

peter_robb 03-11-2003 02:48 PM

You must be able to see the packets in the /var/log/messages file before doing any more on the RH box.
The PREROUTING log entry will catch the packet as it first arrives in the box, proving that they are arriving ok.

If there's nothing in the logs, we have to go back to the router...

And even look at the possibility that your ISP is blocking some of the common server ports. You can use ANY port number to connect from the outside, make the router pass it ok and just redirect it to 23 once it gets to your box ok.

You are telnetting from an outside location, so check that it can connect ok to another site... (just to prove beyond doubt)
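
The thread reads the kernel LOG lines by hand ('OUT=eth0' means the OUTPUT chain, a 'nat_in' entry proves the packet reached the box). Here is a parser for those lines, added as an example and not code from the thread or any project: it names the chain from the IN=/OUT= fields and the --log-prefix values used above, decodes numeric PROTO values, folds 'last message repeated N times' into a count, and gives the arrival verdict for a destination port. SAMPLE_LOG is constructed from the lines jrw3179 posted plus what the two prefixed LOG rules would write for an inbound telnet SYN; the 203.0.113.7 source address is an assumption.

```python
"""Parse netfilter '-j LOG' lines from /var/log/messages (added example, not
code from the thread). It reads the IN=/OUT= fields the way peter_robb did
('OUT=eth0' means the OUTPUT chain), honours the --log-prefix values from his
extra LOG rules, decodes numeric PROTO values, folds 'last message repeated N
times' into a count, and gives his arrival verdict for a destination port.
SAMPLE_LOG is constructed: jrw3179's posted lines, plus what the two prefixed
LOG rules would write for an inbound telnet SYN from an assumed address."""
import re

PREFIX_HOOKS = {"nat_in": "nat PREROUTING", "INPUT_in": "filter INPUT"}
PROTO_NAMES = {"1": "ICMP", "2": "IGMP", "6": "TCP", "17": "UDP"}
KERNEL_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel: (?P<body>.*)$")
REPEAT_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ last message repeated (\d+) times$")

SAMPLE_LOG = """\
Mar 10 18:41:21 jaymud kernel: IN= OUT=eth0 SRC=192.168.0.102 DST=xxx.x.x.x LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2
Mar 10 18:41:19 jaymud last message repeated 2 times
Mar 10 18:41:21 jaymud kernel: Device not ready. Make sure there is a disk in the drive.
Mar 11 19:02:03 jaymud kernel: nat_in IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.102 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 11 19:02:03 jaymud kernel: INPUT_in IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.102 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_packet(body):
    """Split '<prefix> IN=.. OUT=.. KEY=VAL .. FLAG ..' into a dict, or return
    None when the kernel line is not a netfilter packet log."""
    prefix, found, rest = body.partition("IN=")
    if not found:
        return None
    fields, flags = {}, []
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
        else:
            flags.append(key)          # DF, SYN, ACK ... carry no value
    fields["prefix"] = prefix.strip()
    fields["flags"] = flags
    fields["PROTO"] = PROTO_NAMES.get(fields.get("PROTO"), fields.get("PROTO"))
    return fields

def hook_of(pkt):
    """Which chain logged the packet: the prefix if we set one, else the
    IN/OUT interfaces (empty IN and set OUT is a locally generated packet)."""
    if pkt["prefix"] in PREFIX_HOOKS:
        return PREFIX_HOOKS[pkt["prefix"]]
    if pkt.get("IN") and pkt.get("OUT"):
        return "FORWARD"
    if pkt.get("OUT"):
        return "OUTPUT"
    return "inbound (PREROUTING or INPUT)"

def summarize(log_text):
    """One entry per logged packet, with repeats folded into 'count'."""
    entries = []
    for line in log_text.splitlines():
        m = REPEAT_RE.match(line)
        if m:
            if entries:
                entries[-1]["count"] += int(m.group(1))
            continue
        m = KERNEL_RE.match(line)
        pkt = parse_packet(m.group("body")) if m else None
        if pkt is None:
            continue                   # disk errors and other kernel chatter
        entries.append({"hook": hook_of(pkt), "proto": pkt["PROTO"],
                        "src": pkt.get("SRC"), "dst": pkt.get("DST"),
                        "dpt": pkt.get("DPT"), "syn": "SYN" in pkt["flags"],
                        "count": 1})
    return entries

def arrival_verdict(entries, dport):
    """peter_robb's triage: a PREROUTING entry proves the packet reached the box,
    an INPUT entry proves it got to the filter rules, neither means look upstream."""
    hooks = {e["hook"] for e in entries if e["dpt"] == str(dport)}
    if "filter INPUT" in hooks:
        return "reaches INPUT: a filter rule on this box decides"
    if "nat PREROUTING" in hooks:
        return "arrives at PREROUTING but not INPUT: routed or dropped before the filter"
    return "never seen on this box: check the router port forward or the ISP"
```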

jrw3179 03-11-2003 05:16 PM

OK, so let's say I try to set it at port 5555 from my router... how would I have my RH box recognize port 5555 and throw it to port 23...
Jay

jrw3179 03-12-2003 01:18 AM

SUCCESS!!!!!!!!!!

Thank YOU SO MUCH>> Ended up being my router blocking that port out...

I can't thank you enough for helping me out.. only to run into another stupid problem...
[root@server bin]# redhat-config-users
/usr/share/redhat-config-users/redhat-config-users: line 4: 1945 Segmentation fault /usr/bin/python2.2 /usr/share/redhat-config-users/redhat-config-users.py

I get that error when I try to add a user... I click on the add user button, nothing happened.. so I typed it in the terminal.. and I get that error message..
Any clue??
Jay
