telnet on local LAN question

Paul Allen Newell pnewell at cs.cmu.edu
Thu Aug 18 05:21:24 UTC 2011


partial answers to two replies ...

On 8/17/2011 6:07 AM, Rick Sewill wrote:
> May I suggest inserting an entry, at this spot, for mail, something like the
> following.
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
> The goal of the previous line is to jump to "ACCEPT" for any mail packet
> establishing a new connection.
>
> Instead of the above line, you might want to specify a source IP address range
> to limit which IP addresses can send mail to your machine.
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -s 192.168.2.0/24 -j
> ACCEPT
On 8/17/2011 12:49 PM, Roberto Ragusa wrote:
> I would have just duplicated the ssh rule, which works, for port 23.
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
>
First, there are other parts of your email that I need to reply to 
separately; I just wanted to group the two actions into a single email.

I tried what you suggested, ending up with iptables of:
+++
[...]
4    ACCEPT   tcp    --    0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
5    ACCEPT   tcp    --    0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:23
6    LOG    all    --    0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
7    REJECT    all    --    0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
+++
and a second version of:
+++
[...]
4    ACCEPT   tcp    --    0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
5    ACCEPT   tcp    --    192.168.2.0/24    0.0.0.0/0    state NEW tcp dpt:23
6    LOG    all    --    0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
7    REJECT    all    --    0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited
+++

I ran the tests again and observed that:

telnet <name> 23 returns with Connection refused
telnet <name> 25 returns with No route to host
telnet <name> returns with Connection refused

This confirms that the rules are doing something, just not what I want.

Looking in the /var/log/messages of the machine I am trying to telnet 
to, I think I am seeing a change in which the following is printed out 
(the first is for either the telnet to 23 or the generic telnet and the 
second is the telnet to 25):
+++
Aug 17 21:24:07 chalupa kernel: [ 4661.818442] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:8c:c3:21:d6:08:00 SRC=192.168.2.100 DST=192.168.2.255 LEN=234 TOS=0x00 PREC=0x00 TTL=128 ID=63637 PROTO=UDP SPT=138 DPT=138 LEN=214
Aug 17 21:25:14 chalupa kernel: [ 4728.256249] IN=eth0 OUT= MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11 DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53181 DF PROTO=TCP SPT=34288 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
+++

What is puzzling is that I see the dport is no longer 23, it's 138 and 
the PROTO is now UDP instead of TCP (???)

I also noticed that I began seeing one of the new messages showing up in 
the log of the machine sending the request (when I was trying to have 
iptable entries for them, all three tests would show up in destination 
machine log)

I tried dropping my firewall and all security on my Linksys WRT54GL 
(test machines are wired connections into it) and only the telnet 25 
shows up in logs ... all other messages are gone. The telnet requests 
didn't make it through with firewall/security down.

I don't even know what question to ask at this point. It feels like 
progress (and I can send a full dump of everything) and I certainly have 
a better understanding of iptables, but the dport/PROTO change is left 
field to me.

Thanks,
Paul

ps: other questions from all replies answered in another email ... I've 
got this testing down to a point where I can restore to known state 
with confidence
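An added example for reading the two kernel LOG lines and the rule table quoted in this message (this is editor-supplied code, not part of the original post or its replies). It parses the `KEY=value` fields of an iptables LOG entry, flags the first entry as a subnet broadcast (destination 192.168.2.255, Ethernet destination ff:ff:ff:ff:ff:ff) rather than a telnet test, flags the second as the TCP SYN of the `telnet <name> 25` attempt, and maps a new connection to a port onto the client-side error the rule table produces. The `.255` broadcast check assumes the /24 subnet shown in the message; the `listening` set is an assumption the caller supplies, since the message does not say which services run on the target.

```python
"""Parse iptables LOG lines and predict telnet's error for a given dport.

Editor-added example; the log lines are the two from the message above, re-joined
onto single lines.  The error mapping is standard Linux behaviour: a REJECT with
icmp-host-prohibited is reported by the client as "No route to host", while an
accepted SYN to a port with no listener is answered by the kernel with a TCP RST,
reported as "Connection refused".
"""
from typing import Dict, List, Optional, Set

# Constructed sample input: the two kernel lines quoted in the message, one per line.
SAMPLE_LOG = (
    "Aug 17 21:24:07 chalupa kernel: [ 4661.818442] IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:1e:8c:c3:21:d6:08:00 SRC=192.168.2.100 "
    "DST=192.168.2.255 LEN=234 TOS=0x00 PREC=0x00 TTL=128 ID=63637 PROTO=UDP "
    "SPT=138 DPT=138 LEN=214\n"
    "Aug 17 21:25:14 chalupa kernel: [ 4728.256249] IN=eth0 OUT= "
    "MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11 "
    "DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53181 DF PROTO=TCP "
    "SPT=34288 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0\n"
)

# Bare tokens the LOG target emits without a "=": IP DF bit and TCP flag bits.
FLAG_TOKENS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the KEY=value fields of one iptables LOG line, or None if it is not one."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    _, _, rest = line.partition("kernel:")
    fields: Dict[str, str] = {}
    for tok in rest.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            # UDP entries carry LEN twice (IP total length, then UDP length); keep the first.
            fields.setdefault(key, value)
        elif tok in FLAG_TOKENS:
            fields["FLAGS"] = (fields.get("FLAGS", "") + " " + tok).strip()
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Label a logged packet as LAN broadcast chatter, a TCP connection attempt, or other."""
    mac = fields.get("MAC", "")
    dst = fields.get("DST", "")
    # Assumption: a /24 subnet, so x.y.z.255 is the directed broadcast address.
    if mac.startswith("ff:ff:ff:ff:ff:ff") or dst.endswith(".255"):
        return "broadcast"  # sent to every host on the subnet; not a reply to a telnet test
    flags = fields.get("FLAGS", "").split()
    if fields.get("PROTO") == "TCP" and "SYN" in flags and "ACK" not in flags:
        return "tcp-connect"  # first packet of a new connection, i.e. what telnet sends
    return "other"


def expected_client_error(dport: int, accepted: Set[int], listening: Set[int]) -> str:
    """Predict what the telnet client reports for a NEW connection to dport under the
    rule table in the message: ACCEPT for ports in `accepted`, otherwise LOG then
    REJECT --reject-with icmp-host-prohibited.  `listening` is supplied by the caller."""
    if dport not in accepted:
        return "No route to host"  # rule 7: REJECT icmp-host-prohibited
    if dport not in listening:
        return "Connection refused"  # firewall passed it; kernel replied with TCP RST
    return "Connected"


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Parse every LOG line in log_text and attach a KIND label to each."""
    entries: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is not None:
            fields["KIND"] = classify(fields)
            entries.append(fields)
    return entries


if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOG):
        print(f"{entry['PROTO']:4} {entry['SRC']}:{entry['SPT']} -> "
              f"{entry['DST']}:{entry['DPT']} flags=[{entry.get('FLAGS', '')}] {entry['KIND']}")
    accepted_ports = {22, 23}  # rules 4 and 5 of the listing above
    for port in (22, 23, 25):
        print(f"telnet to {port}: {expected_client_error(port, accepted_ports, set())}")
```

Run against the two quoted lines, the first entry comes out as `UDP 192.168.2.100:138 -> 192.168.2.255:138 broadcast` and the second as `TCP 192.168.2.11:34288 -> 192.168.2.10:25 flags=[DF SYN] tcp-connect`. Only packets that reach rule 6 are logged, so an accepted telnet to 23 never appears in the target's log at all; the useful check for the "dport 138 / UDP" entry is simply whether its destination is the broadcast address.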
