possible problem with scp/ssh/telnet

David G. Miller dave at davenjudy.org
Mon Aug 13 17:34:51 UTC 2012


Paul Allen Newell <pnewell <at> cs.cmu.edu> writes:

> 
> [inline]
> 
> On 8/12/2012 4:12 PM, David G. Miller wrote:
> > Paul Allen Newell <pnewell <at> cs.cmu.edu> writes:
> > <SNIP>
> >
> 
> I checked ifconfig/ipconfig, plus verified the hosts file on both 
> machines. I also checked the tcp/ip settings on the Windows side. 
> Everything looks correct and certainly has not changed.
> 
You would be surprised at how many networking connectivity problems are simply
because of DNS errors.  Check the easy things first.

<SNIP>
> > is service (or port) 23.  Your log entries are to port 138 so, again, nothing to
> > do with ssh or telnet.
> 
> Okay, more confusion as I am not seeing any port 22.
<SNIP>

The rules in /etc/sysconfig/iptables are processed sequentially.  When a packet
matches a rule the rule is applied.  ACCEPT rules tell iptables to hand off the
packet to the corresponding service.

# more /etc/sysconfig/iptables
# Generated by iptables-save v1.4.12 on Sat Aug 11 23:29:10 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

The next line in your iptables file is your "ACCEPT" rule for connections to
port 22.  iptables stops processing the packet and hands it off to sshd at this
point.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p udp -m state --state NEW -m udp --dport 631
-A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p tcp -m state --state NEW -m tcp --dport 631

Here's your logging line.  Since packets coming in to port 22 have already been
handed off to sshd, this rule is never hit for them.

-A INPUT -j LOG --log-prefix "<IPTABLES: LOG REJECT> "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 11 23:29:10 2012
[root <at> yoyo ~]#
+++

I use logging rules like this a lot.  The only thing you need to be careful
about is putting a blanket logging rule too early in your iptables file.  You
can get swamped with too much data really easily.

Cheers,
Dave
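A small first-match simulator of the INPUT chain quoted above, added here as an example and not code from the list post or from iptables itself. It walks the rules in the order shown and applies the semantics the mail relies on: ACCEPT and REJECT are terminating, LOG is not (the packet carries on to the next rule, which here is the REJECT), and the two port 631 rules have no -j target, so they only match and the packet moves on. The Packet and Rule classes, the helper names, the sample traffic and the default source address/interface are all constructed for the example; the one thing taken from the mail is the rule order.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]       # destination port (None for icmp)
    state: str                 # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    iface: str = "eth0"        # incoming interface (constructed default)
    src: str = "192.168.2.10"  # source address (constructed default)


@dataclass
class Rule:
    target: Optional[str]              # "ACCEPT", "REJECT", "LOG", or None for no -j
    proto: Optional[str] = None        # -p
    dport: Optional[int] = None        # --dport
    states: Optional[Set[str]] = None  # -m state --state
    iface: Optional[str] = None        # -i
    src: Optional[str] = None          # -s (an exact host match is enough here)
    log_prefix: str = ""               # --log-prefix

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.states is None or p.state in self.states)
                and (self.iface is None or self.iface == p.iface)
                and (self.src is None or self.src == p.src))


def walk_chain(rules: List[Rule], p: Packet, policy: str = "ACCEPT") -> Tuple[str, List[str]]:
    """Walk the chain top to bottom; return (verdict, log lines produced)."""
    logs: List[str] = []
    for r in rules:
        if not r.matches(p):
            continue
        if r.target is None:          # no -j: the rule only counts, packet moves on
            continue
        if r.target == "LOG":         # LOG is non-terminating: record and move on
            logs.append(f"{r.log_prefix}PROTO={p.proto.upper()} DPT={p.dport}")
            continue
        return r.target, logs         # ACCEPT / REJECT end the walk here
    return policy, logs               # nothing terminated: chain policy applies


# The INPUT chain in the order listed in the mail.
PAGE_INPUT_CHAIN = [
    Rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", proto="tcp", dport=22, states={"NEW"}),
    Rule(None, src="127.0.0.1", proto="udp", dport=631, states={"NEW"}),
    Rule(None, src="127.0.0.1", proto="tcp", dport=631, states={"NEW"}),
    Rule("LOG", log_prefix="<IPTABLES: LOG REJECT> "),
    Rule("REJECT"),
]

# The same chain with a blanket LOG rule put first (the placement the mail warns about).
EARLY_LOG_CHAIN = [Rule("LOG", log_prefix="<EARLY LOG> ")] + PAGE_INPUT_CHAIN

# Constructed sample traffic: one new ssh connection, three packets of the
# established session, and one NetBIOS datagram to port 138.
SAMPLE_TRAFFIC = [
    Packet("tcp", 22, "NEW"),
    Packet("tcp", 22, "ESTABLISHED"),
    Packet("tcp", 22, "ESTABLISHED"),
    Packet("tcp", 22, "ESTABLISHED"),
    Packet("udp", 138, "NEW"),
]


def logged_count(rules: List[Rule], traffic: List[Packet]) -> int:
    """Number of log lines a chain emits for the given traffic."""
    return sum(len(walk_chain(rules, p)[1]) for p in traffic)


if __name__ == "__main__":
    for p in SAMPLE_TRAFFIC:
        print(p.proto, p.dport, p.state, "->", walk_chain(PAGE_INPUT_CHAIN, p))
    print("log lines with LOG just before REJECT:", logged_count(PAGE_INPUT_CHAIN, SAMPLE_TRAFFIC))
    print("log lines with LOG at top of chain:  ", logged_count(EARLY_LOG_CHAIN, SAMPLE_TRAFFIC))
```

Running it shows the two points in the mail side by side: a NEW TCP packet to port 22 is accepted at the fourth rule and never reaches the LOG rule, while the UDP 138 datagram falls all the way through, gets logged and is then rejected. Moving the LOG rule to the top does not change any verdict (LOG is non-terminating), but it logs every packet of the established ssh session too, which is the "swamped with data" case.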
