telnet on local LAN question

Roberto Ragusa mail at robertoragusa.it
Wed Aug 17 19:49:38 UTC 2011


On 08/17/2011 08:25 AM, Paul Allen Newell wrote:

> I have been trying what I think is the correct edit in all permutations I 
> can think of ... as in:
> +++
> iptables -I INPUT <where every the log entry is> -{s,d} 
> 192.168.2.{10,11} -p tcp -{destination,source}-port telnet -j ACCEPT
> +++

I would have just duplicated the ssh rule, which works, for port 23.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT

> I am not having success and the messages in the log are showing me that 
> I am making a mess. One of the interesting things is I am now getting 
> "connection refused" rather than "no route to host" and I need to see 
> what change I made caused that (which is also interesting as I would 
> have expected "connection refused" if the resolution was "REJECT"?)

This could depend on the "--reject-with icmp-host-prohibited" part.
Other kind of --reject-with could give "connection refused".

> If I know what 192.168.2.x machines I want to be able to telnet to and I 
> modify all machines to have the necessary in iptables to allow a telnet 
> to/from, what am I missing?
> 
> Thanks in advance (this iptables stuff is a bit daunting ...),

The firewall is probably quite ok now.

More investigation can be done with "tcpdump -i eth0 -n -n" on the
destination machine (do not do this remotely as it will generate
traffic and confuse you). Take note of what kind of reply the SYN
packet gets.

An additional thing to check is if you are listening on port 23 (or 25).
Try "netstat -tnlp" and search ":23" (or ":25"). You will find the
name of the process listening. Check if it is listening on 0.0.0.0 or
just on 127.0.0.1. The 127.0.0.1 would be wrong, and should be fixed
in the configuration of the mail program.

-- 
   Roberto Ragusa    mail at robertoragusa.it
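The two checks in the reply above (duplicate the working ssh rule for port 23, then confirm with "netstat -tnlp" that the service is bound to 0.0.0.0 rather than only 127.0.0.1) as a small POSIX shell script. This is an added example, not code from the thread: the netstat output it parses is a constructed sample embedded in the script (pass real "netstat -tnlp" output as the second argument on a live host), the process names and PIDs are invented, and the 192.168.2.10/32 source is just one of the LAN hosts the original poster mentioned, used here to narrow the ACCEPT rule to a known machine instead of the whole Internet.

```shell
#!/bin/sh
# Constructed sample of "netstat -tnlp" output (NOT from the original thread):
# sshd and a telnet-serving xinetd bound to all interfaces, a mail daemon
# bound only to loopback.  PIDs and program names are invented.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      901/xinetd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      950/sendmail'

# Select the "Local Address" column of LISTEN lines whose port is exactly PORT.
# (The suffix test avoids matching port 2 against ":22".)
_local_addrs() {
    printf '%s\n' "$2" | awk -v p=":$1" \
        '$6 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { print $4 }'
}

# listen_state PORT [NETSTAT_OUTPUT]
# Prints: all      - bound to 0.0.0.0 (or :: for IPv6), reachable from the LAN
#         loopback - bound only to 127.0.0.1, the case the reply calls "wrong"
#         specific - bound to one particular interface address
#         none     - nothing is listening on that port at all
# On a real host: listen_state 23 "$(netstat -tnlp)"
listen_state() {
    addrs=$(_local_addrs "$1" "${2:-$SAMPLE_NETSTAT}")
    case "$addrs" in
        "")                 echo none ;;
        *0.0.0.0:*|*:::*)   echo all ;;
        *127.0.0.1:*)       echo loopback ;;
        *)                  echo specific ;;
    esac
}

# listener_of PORT [NETSTAT_OUTPUT]: the PID/Program name owning the socket.
listener_of() {
    printf '%s\n' "${2:-$SAMPLE_NETSTAT}" | awk -v p=":$1" \
        '$6 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p { print $7; exit }'
}

# accept_rule PORT SRC_CIDR
# The ssh rule quoted in the reply, duplicated for PORT and narrowed with -s
# to a known LAN host or subnet (e.g. 192.168.2.10/32 or 192.168.2.0/24).
accept_rule() {
    printf '%s\n' "-A INPUT -s $2 -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT"
}

# Report the sample: port 25 comes back as "loopback", which is exactly the
# misconfiguration the reply says to look for in the mail program's settings.
for p in 22 23 25; do
    printf 'port %s: %s (%s)\n' "$p" "$(listen_state "$p")" "$(listener_of "$p")"
done
accept_rule 23 192.168.2.10/32
```

Insert the printed rule before the REJECT line in /etc/sysconfig/iptables (or with "iptables -I INPUT <n>"), the same place the ssh rule already sits; if tcpdump still shows the SYN getting an ICMP host-prohibited reply, the new rule is below the REJECT, and if it shows a RST, the firewall is fine and the service is simply not bound on that address.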

