In following up on the rsh "problem" I was having earlier, I decided to try out the suggestion Felipe sent about using system-config-securitylevel-tui to open up ports 513 and 514, but that doesn't seem to do the job, either.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:login
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:shell
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Shouldn't this work given the login and shell lines above? Or do they need to come before the ESTABLISHED line, too?

Thanks.

mhr
Quoting MHR <mhullrich at gmail.com>:

> In following up on the rsh "problem" I was having earlier, I decided
> to try out the suggestion Felipe sent about using
> system-config-securitylevel-tui to open up ports 513 and 514, but that
> doesn't seem to do the job, either.

I could be remembering this wrong, but I believe these are udp, not tcp.

Barry
On Thu, Jul 10, 2008 at 6:08 PM, MHR <mhullrich at gmail.com> wrote:

> ACCEPT     tcp  --  anywhere             anywhere            state NEW
> tcp dpt:login
> ACCEPT     tcp  --  anywhere             anywhere            state NEW
> tcp dpt:shell

It seems right to me... Try using "iptables -vL", it will show you how many packets have matched that rule. Then try to rsh or rlogin and see if the numbers change. That should give you a clue to whether it's working or not.

HTH,
Filipe

P.S.: Once again: although it's great that you are digging into the problem, using iptables, and learning a lot in the process, you should *REALLY* consider ditching rsh/rlogin and sticking to SSH. I would consider using rsh/rlogin instead of SSH today about the same as using gopher instead of the WWW these days (for those of you who still remember it).
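The counter check Filipe describes, worked through as an added example that is not part of the thread: take a snapshot of the chain's per-rule packet counters, make one rsh/rlogin attempt, take a second snapshot, and see which rule's counter moved. The two snapshots below are constructed `iptables -vnxL RH-Firewall-1-INPUT` output with made-up numbers (`-n` keeps ports numeric, `-x` prints exact counters instead of "561K"); on a real box you would capture them with that command before and after the attempt. The functions read only the first column of rule lines, so they work on any chain listing in that format.

```sh
#!/bin/sh
# Added example, not code from the thread. Compares two saved
# `iptables -vnxL <chain>` listings and reports whether the rule for the
# port under test, or the final REJECT rule, is the one that matched.

# Constructed snapshot taken BEFORE the rlogin attempt (numbers invented).
BEFORE='Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120       9800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4510     561000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:513
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:514
       3        180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
      17       1020 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Constructed snapshot taken AFTER one rlogin attempt: the first SYN hit the
# dpt:513 rule, the rest of the session was RELATED,ESTABLISHED, and the
# REJECT counter did not move, so the firewall is not what is in the way.
AFTER='Chain RH-Firewall-1-INPUT (2 references)
    pkts      bytes target     prot opt in     out     source               destination
     120       9800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4529     563400 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
       1         60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:513
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:514
       3        180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
      17       1020 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# rule_pkts SNAPSHOT PATTERN
# Prints the packet counter (first column) of the first rule line whose text
# contains PATTERN. Header lines start with "Chain" or "pkts", not a number,
# so the numeric test on $1 skips them.
rule_pkts() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '$1 ~ /^[0-9]+$/ && index($0, pat) { print $1; exit }'
}

# counter_delta BEFORE AFTER PATTERN
# Prints how many packets the matching rule saw between the two snapshots.
# A rule missing from a snapshot counts as 0.
counter_delta() {
    b=$(rule_pkts "$1" "$3")
    a=$(rule_pkts "$2" "$3")
    echo "$(( ${a:-0} - ${b:-0} ))"
}

# verdict BEFORE AFTER PATTERN
# One-line diagnosis: did the port rule match, did the REJECT rule match,
# or did nothing reach this chain at all?
verdict() {
    port=$(counter_delta "$1" "$2" "$3")
    rej=$(counter_delta "$1" "$2" "reject-with")
    if [ "$port" -gt 0 ]; then
        echo "allowed: $port new packet(s) matched $3"
    elif [ "$rej" -gt 0 ]; then
        echo "blocked: $rej packet(s) hit the final REJECT rule"
    else
        echo "no traffic seen: nothing matched $3 or REJECT; check the client side"
    fi
}

# Stand-alone run on the constructed snapshots.
verdict "$BEFORE" "$AFTER" dpt:513
verdict "$BEFORE" "$AFTER" dpt:514
```

If the `REJECT` delta grows while the port rule stays at zero, the packet is reaching the chain but not matching the port rule (wrong port, wrong protocol, or the rule is below the REJECT); if nothing moves at all, the problem is before the firewall, on the client or in the service not listening.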
On Thursday 10 July 2008 18:08, MHR wrote:

> In following up on the rsh "problem" I was having earlier, I decided
> to try out the suggestion Felipe sent about using
> system-config-securitylevel-tui to open up ports 513 and 514, but that
> doesn't seem to do the job, either.
>
> # iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere

[snip]

I hate reading the firewall like this. Could you post /etc/sysconfig/iptables?

--
Regards
Robert

Smile... it increases your face value!
Linux User #296285
http://counter.li.org