FC6 need comments on my iptables please.

gimmee · 07-01-2007, 06:27 AM

Hi all

Can someone help me understand my iptables. I am trying to understand how my port 22 is open yet I dont see it being opened or blocked in iptables. Still getting a handle on this iptables stuff. I put in the rules for azureus (40260) and amsn (6890). Apart from that I dont think I have done anything for iptables.

The reason I ask is I can sftp into my FC6 desktop from my laptop which is running Ubuntu and using Nautilus. Just doing little steps on this networking and sharing part so havent used nfs, openssh or samba yet. Sftp works well at moment to get access to desktop. When I try and sftp to the ubuntu laptop I get denied because the port 22 is not open. So why is it blocked on Ubuntu when it doesnt show up in iptables yet in my FC6 the port is open even though I dont think I have allowed it to be open.

Hope I havent been too confusing.

I have done a listing of my ports and iptables on my FC6 Desktop/

Code:

[root@STI ~]#  nmap -sS -F -O 192.168.1.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-07-01 22:54 NZST
Interesting ports on STI (192.168.1.100):
Not shown: 1234 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
631/tcp  open  ipp
637/tcp  open  lanserver
2049/tcp open  nfs


Uptime 0.100 days (since Sun Jul  1 20:30:58 2007)

Nmap finished: 1 IP address (1 host up) scanned in 9.947 seconds


[root@STI ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6890:6900
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6890:6900
ACCEPT     udp  --  anywhere             anywhere            udp dpt:40260
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:40260
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Cheers

Gimmee (New Zealand)

IBall · 07-01-2007, 06:47 AM

Most likely, the SSH service is not installed and running on the Ubuntu box.

I would suggest using Firestarter or Guarddog to configure IPtables. This way, you will get a good firewall, without needing to understand too much iptables.

The line in iptables -L that shows port 22 open:

Code:

ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh

Fedora 6 does have a basic firewall config utility, but I can't remember exactly where it is. I think it may be System - Admin - Security?

--Ian

rigor · 07-01-2007, 05:04 PM

The command:

netstat -vepa

run from the command line as root, should tell you whether
or not ssh is running on the local machine. The output
for ssh could look like the following, ( looks like it
will wrap, but hopefully it will be helpful ) :

tcp 0 0 *:ssh *:* LISTEN root 8282 3291/sshd

gimmee · 07-01-2007, 05:54 PM

Hi all

In iptables on my FC6 desktop under:

Chain RH-Firewall-1-INPUT (2 references):

does fedora automatically put these in when i install and setup fedora?

Also under my iptable -L there is

RH-Firewall-1-INPUT all -- anywhere anywhere

What does it mean? Am i letting everything through and should I really remove it and only add my own rules like I have with aMSN and Azureus.

In general what is best to access and share files in a simple home network, sftp, ssh, nfs, samba. I just used sFTP because it popped up on Nautilus under Network and havent tried the other ways yet.

Thanks for your help on this. Getting a little clearer all the time

Thanks

Gimmee (I dont want anything thats just my nickname)

grahamatlq · 07-02-2007, 12:11 AM

I use shorewall (iptables & ip6tables).

Use Webmin to configure either iptables of shorewall

Web based client that you an use for system configuration.

Takes alot of the searching out of it.

All standard package supported by redhat.

# yum install shorewall webmin
$ firefox http://localhost:10000 (or it might be https://...)

log in as root and it's easy

IBall · 07-02-2007, 04:56 AM

For sharing files over your local network - it depends on what other computers you have. If you need to share files with Windows, use Samba. If it is purely Linux, use NFS. SFTP / SCP will also work with either (obviously you would need putty on Windows), however transfers will be slower due to the encryption.

--Ian

gimmee · 07-02-2007, 05:41 AM

Hi there

Thanks for those replies. I have dual boot windows/linux on desktop and laptop but the desktop never goes into windows and the laptop does for when i do pic programming but mainly is on linux 95%. I do have an ipaq that is wm5 but i dont know if i would access linux with it. Would probably setup samba as a learning exercise I think.

Will have a look at shorewall, i just read that as i have just printed out four articles and 400 pages on learning iptables.

I still show port22 closed on the ubuntu laptop even though i have opened it up in firestarter. I must be missing something but have a bit more understanding than a couple of days ago. The learning never stops does it.

On a side note and totally off the subject my daughter is estatic that she can input and convert japanese for her second language japanese classes. Tried kinput2 and canna but couldnt get it to work then setup scim-anthy FC6 and it works great for her. I cant believe something like that is free, must cost alot more for windows.

Thanks again for all the helpful replies.

Cheers

Gimmee (New Zealand)

chrism01 · 07-02-2007, 07:34 AM

FYI, ssh/scp/sftp are all aspects of the openssh daemon which runs on port 22 by default.
See the file /etc/services which lists all the officially IANA known services.
See the file hdr for more info.
Note that although the services have assigned port nums,that doesn't mean they are running on your machine.
They may not be installed, or they may be turned off.
The firewall rules determine whether the ports can actually be used, regardless of the state of the service.
See http://www.netfilter.org/ for more than you want to know about IPTABLES for Linux.