Hi all.. I know just enough about linux to think I know what I'm doing
Suggestions/Help please.

I have a home network that I want to allow telnet access only interally to my network. I want to block all telnet/ftp from outside (which is working). I have iptables configured to only allow SSH incoming. I am trying to allow telnet from inside my network to my server, but not in. No matter what I have tried, i get connection refused.

my internal network is 172.18.122.0/24

I am not running xinetd that I can tell.
chkconfig --list telnet = On
chkconfig --list xinet or xinetd gives me error like its not installed, but I shouldnt need it should I ?

Shouldn't I just be able to modify my iptables to allow incoming ?


ifconfig
--------
eth0 Link encap:Ethernet
inet6 addr: fe80::2e0:4cff:feea:7d03/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:471956 errors:0 dropped:0 overruns:0 frame:0
TX packets:374068 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:438577353 (418.2 MiB) TX bytes:55813109 (53.2 MiB)
Interrupt:10 Base address:0x6000

eth1 Link encap:Ethernet
inet addr:172.18.122.2 Bcast:172.18.122.255 Mask:255.255.255.0
inet6 addr: fe80::260:8ff:fe53:8e34/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:470014 errors:0 dropped:0 overruns:0 frame:0
TX packets:571881 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:79881915 (76.1 MiB) TX bytes:497697508 (474.6 MiB)
Interrupt:10 Base address:0xb000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1682 errors:0 dropped:0 overruns:0 frame:0
TX packets:1682 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1737602 (1.6 MiB) TX bytes:1737602 (1.6 MiB)


iptables -L
------------

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 172.18.122.0/24 anywhere state NEW tcp dpt:telnet
ACCEPT tcp -- xxx.xx.xx.xxx anywhere state NEW tcp dpt:ssh
LOG tcp -- anywhere anywhere state NEW tcp dpt:telnet LOG level warning
REJECT tcp -- anywhere anywhere state NEW tcp dpt:telnet reject-with icmp-port-unreachable
LOG tcp -- anywhere anywhere state NEW tcp dpt:ssh LOG level warning
REJECT tcp -- anywhere anywhere state NEW tcp dpt:ssh reject-with icmp-port-unreachable
LOG tcp -- anywhere anywhere state NEW tcp dpt:ftp LOG level warning
REJECT tcp -- anywhere anywhere state NEW tcp dpt:ftp reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


My kernel is Fedora Kernel 2.6.15-1.1831_FC4-i686


Any help would be appreciated!

Greg

are you sure the telnet daemon is running??

do 'ps -ef|grep -i telnetd'.

if it is then try and telnet from the machine to itself and see what happens....

Telnet daemon is not running..

but I can type telnet...

telnet> open 172.18.122.2
Trying 172.18.122.2...
telnet: connect to address 172.18.122.2: Connection refused
telnet: Unable to connect to remote host: Connection refused
telnet>

You need the telnet daemon to be running on any machine you wish to be able to connect to.
The daemon is what actually accepts the telnet connection.

actually i was talking bollocks. inetd should start telent if it recieves a connection request on port 23.

however, only if it's enabled in /etc/inetd.conf

i have a krb5-telnet in /etc/xinetd/, which is disable=yes, but i created a telnet in that directory that has:

service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
server = /usr/sbin/in.telnetd
only_from = 172.18.122.0/24
log_on_failure += USERID
no_access = 10.0.1.0/24
log_on_success += PID HOST EXIT
}


Should I be using the krb5-telnet instead ?

Thx for the replies...

i've tried enabling the krb5-telnet, still doesn't work.

I know, when I first configured this server, I was able to telnet in from work. Then I blocked it with iptables rules, so I know it worked before.

Its GOT to be something simple, that I'm overlooking...

The reason I want to be able to telnet interally, is I have a remote computer that I need to be able to use reflections x to telnet into, and start an xserver app..

shouldnt you be using ssh for this, if you've got reflections X???

i cannot ssh with wrq reflection. evidently don't have that part of the software.

Regardless, i am almost 100% sure its something to do w/my firewall, as I stated above, it used to work until I started blocking telnet from the outside world.