telnet on local LAN question

Andre Speelmans fedora-list at cosiso.nl
Thu Aug 18 05:33:13 UTC 2011


On Thu, Aug 18, 2011 at 7:21 AM, Paul Allen Newell <pnewell at cs.cmu.edu> wrote:
> partial answers to two replies ...
>
> On 8/17/2011 6:07 AM, Rick Sewill wrote:
>> May I suggest inserting an entry, at this spot, for mail, something like the
>> following.
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
>> The goal of the previous line is to jump to "ACCEPT" for any mail packet
>> establishing a new connection.

That rule would have worked.

> On 8/17/2011 12:49 PM, Roberto Ragusa wrote:
>> I would have just duplicated the ssh rule, which works, for port 23.
>>
>> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT

This rule will not work. The difference being the port. 23 is for
telnet (the protocol, not the command). You need the rule with 25,
which would be for SMTP and the port the mailserver is probably
listening on.

> I tried what you suggested, ending up with iptables of:
> +++
> [...]
> 4    ACCEPT   tcp    --    0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
> 5    ACCEPT   tcp    --    0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:23
> 6    LOG    all    --    0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
> 7    REJECT    all    --    0.0.0.0/0    0.0.0.0/0    reject-with
> icmp-host-prohibited
> +++
> and a second version of:
> [...]
> 4    ACCEPT   tcp    --    0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22
> 5    ACCEPT   tcp    --    192.168.2.0/24    0.0.0.0/0    state NEW tcp
> dpt:23
> 6    LOG    all    --    0.0.0.0/0    0.0.0.0/0    LOG flags 0 level 4
> 7    REJECT    all    --    0.0.0.0/0    0.0.0.0/0    reject-with
> icmp-host-prohibited
> +++
>
> I ran the tests again and observed that:
>
> telnet <name> 23 returns with Connection refused

That is correct, because the firewall is open, but there is no
telnet-daemon running.

> telnet <name> 25 returns with No route to host

No route to host??

> telnet <name> returns with Connection refused

This is in fact the same as the first command, as telnet defaults to
use the port 23.

> Looking in the /var/log/messages of the machine I am trying to telnet
> to, I think I am seeing a change in which the following is printed out
> (the first is for either the telnet to 23 or the generic telnet and the
> second is the telnet to 25):
> +++
> Aug 17 21:24:07 chalupa kernel: [ 4661.818442] IN=eth0 OUT=
> MAC=ff:ff:ff:ff:ff:ff:00:1e:8c:c3:21:d6:08:00 SRC=192.168.2.100
> DST=192.168.2.255 LEN=234 TOS=0x00 PREC=0x00 TTL=128 ID=63637 PROTO=UDP
> SPT=138 DPT=138 LEN=214

This is the machine sending out a broadcast for some samba service?

> Aug 17 21:25:14 chalupa kernel: [ 4728.256249] IN=eth0 OUT=
> MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11
> DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53181 DF PROTO=TCP
> SPT=34288 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0

This is the remote being denied access to port 25, as you had not
added port 25, but port 23.

> I tried dropping my firewall and all security on my Linksys WRT54GL
> (test machines are wired connections into it) and only the telnet 25
> shows up in logs ... all other messages are gone. The telnet requests
> didn't make it through with firewall/security down.

How did you drop your firewall on the server? If you had turned it
off, it would not have logged the port 25 connection...

Two things:
First, try without any firewall (service iptables stop), or enter a
first line like: iptables -I INPUT -j ACCEPT, just so we can isolate
the problem.

If that fails, look at what actually gets sent to the server (tcpdump -i
eth0 -nnl port 25).

-- 
Regards,

Andre
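The diagnosis above rests on reading the two kernel LOG lines from /var/log/messages and noticing that the only non-broadcast entry is a TCP SYN to DPT=25, a port none of the ACCEPT rules cover. The following Python script, added here as an illustration and not part of the thread or of Fedora's tooling, parses netfilter LOG lines of that shape and reports why each packet fell through to the LOG/REJECT rules. The two sample lines are constructed copies of the entries quoted in the thread, and the ACCEPT_RULES table is an assumed transcription of the poster's second iptables listing (22 from anywhere, 23 from 192.168.2.0/24 only).

```python
"""Explain why packets reached an iptables LOG rule, from netfilter LOG lines.

Added example (not from the mailing-list thread). It parses the KEY=VALUE
fields the kernel writes for a LOG target, separates LAN broadcast noise from
blocked new TCP connections, and lists the destination ports that have no
matching ACCEPT rule, which is exactly the missing --dport 25 in the thread.
"""
import ipaddress
import re

# Constructed sample, copied in shape from the thread's /var/log/messages excerpt.
SAMPLE_LOG = """\
Aug 17 21:24:07 chalupa kernel: [ 4661.818442] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:8c:c3:21:d6:08:00 SRC=192.168.2.100 DST=192.168.2.255 LEN=234 TOS=0x00 PREC=0x00 TTL=128 ID=63637 PROTO=UDP SPT=138 DPT=138 LEN=214
Aug 17 21:25:14 chalupa kernel: [ 4728.256249] IN=eth0 OUT= MAC=00:e0:81:00:4c:b0:00:e0:81:00:62:94:08:00 SRC=192.168.2.11 DST=192.168.2.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=53181 DF PROTO=TCP SPT=34288 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed transcription of the poster's second listing: NEW TCP connections
# accepted for port 22 from anywhere and for port 23 from the LAN only.
ACCEPT_RULES = [
    {"proto": "TCP", "dport": 22, "src": "0.0.0.0/0"},
    {"proto": "TCP", "dport": 23, "src": "192.168.2.0/24"},
]

KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}


def parse_log_line(line):
    """Return the KEY=VALUE fields of a netfilter LOG line plus a 'flags' set,
    or None when the line is not a LOG entry (no IN= field)."""
    if "IN=" not in line:
        return None
    fields = {}
    for key, value in KV_RE.findall(line):
        # LEN= appears twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    # Bare TCP flag words (SYN, DF, ...) carry no '=' and are collected separately.
    fields["flags"] = {tok for tok in line.split() if tok in FLAG_TOKENS}
    return fields


def in_cidr(ip, cidr):
    """True when the IPv4 address lies inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def classify(fields, rules=ACCEPT_RULES):
    """Say why a logged packet got past the ACCEPT rules and hit LOG."""
    mac = fields.get("MAC", "")
    if mac.startswith("ff:ff:ff:ff:ff:ff") or fields.get("DST", "").endswith(".255"):
        # Ethernet/IP broadcast: LAN chatter (here a NetBIOS datagram on UDP 138),
        # unrelated to the connection being tested.
        return "broadcast"
    if fields.get("PROTO") == "TCP" and "SYN" in fields["flags"]:
        dport = int(fields["DPT"])
        for rule in rules:
            if (rule["proto"] == "TCP" and rule["dport"] == dport
                    and in_cidr(fields["SRC"], rule["src"])):
                # A matching ACCEPT exists, yet the packet was logged: look at
                # rule order or the conntrack state rather than the port list.
                return "accepted-by-rule"
        return "blocked-new-tcp:%d" % dport
    return "other"


def analyze(log_text, rules=ACCEPT_RULES):
    """Return (SRC, DST, PROTO, DPT, verdict) for every LOG line in log_text."""
    results = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        results.append((fields["SRC"], fields["DST"], fields["PROTO"],
                        int(fields["DPT"]), classify(fields, rules)))
    return results


def missing_accept_ports(results):
    """Destination ports of blocked new TCP connections, i.e. the --dport values
    an ACCEPT rule would need to cover for the service to be reachable."""
    return sorted({r[3] for r in results if r[4].startswith("blocked-new-tcp:")})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for src, dst, proto, dport, verdict in found:
        print("%s -> %s %s/%d: %s" % (src, dst, proto, dport, verdict))
    print("ports needing an ACCEPT rule:", missing_accept_ports(found))
```

Run against the two constructed lines it reports the UDP 138 entry as broadcast noise and the SYN from 192.168.2.11 to port 25 as a blocked new connection, so the only port missing from the ACCEPT list is 25. The same parser works on a real `grep kernel: /var/log/messages` stream as long as the LOG target's default key/value format is in use.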

