Re: possible problem with scp/ssh/telnet

Paul Allen Newell <pnewell <at> cs.cmu.edu> writes:

> 
> [inline]
> 
> On 8/12/2012 4:12 PM, David G. Miller wrote:
> > Paul Allen Newell <pnewell <at> cs.cmu.edu> writes:
> > <SNIP>
> >
> 
> I checked ifconfig/ipconfig, plus verified the hosts file on both 
> machines. I also checked the tcp/ip settings on the Windows side. 
> Everything looks correct and certainly has not changed.
> 
You would be surprised at how many networking connectivity problems are simply
because of DNS errors.  Check the easy things first.

<SNIP>
> > is service (or port) 23.  Your log entries are to port 138 so, again, nothing to
> > do with ssh or telnet.
> 
> Okay, more confusion as I am not seeing any port 22.
<SNIP>

The rules in /etc/sysconfig/iptables are processed sequentially.  When a packet
matches a rule the rule is applied.  ACCEPT rules tell iptables to hand off the
packet to the corresponding service.

# more /etc/sysconfig/iptables
# Generated by iptables-save v1.4.12 on Sat Aug 11 23:29:10 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT

The next line in your iptables file is your "ACCEPT" rule for connections to
port 22.  iptables stops processing the packet and hands it off to sshd at this
point.

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p udp -m state --state NEW -m udp --dport 631
-A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p tcp -m state --state NEW -m tcp --dport 631

Here's your logging line.  Since packets coming in to port 22 have already been
handed off to sshd, this rule is never hit for them.

-A INPUT -j LOG --log-prefix "<IPTABLES: LOG REJECT> "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Aug 11 23:29:10 2012
[root <at> yoyo ~]#
+++

I use logging rules like this a lot.  The only thing you need to be careful
about is putting a blanket logging rule too early in your iptables file.  You
can get swamped with too much data really easily.

Cheers,
Dave


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
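The first-match walk Dave describes (and his warning about a blanket LOG rule placed too early) can be checked offline. The following is an added example, not code from the thread: a small Python simulator that parses the INPUT rules quoted above (the two wrapped 631 lines joined back together) and traces constructed sample packets through them. The `Packet` class, the `trace` and `log_rule_first` helpers, and the sample addresses are assumptions made for the illustration; the log line format only mimics the prefix, not the kernel's real LOG output.

```python
"""Added example: simulate first-match processing of an iptables INPUT chain."""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed copy of the INPUT rules quoted in the thread (the two 631 rules
# are joined back onto one line each; note that they carry no -j target).
RULES_TEXT = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p udp -m state --state NEW -m udp --dport 631
-A INPUT -s 127.0.0.1/32 -d 192.168.2.0/24 -p tcp -m state --state NEW -m tcp --dport 631
-A INPUT -j LOG --log-prefix "<IPTABLES: LOG REJECT> "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""


@dataclass
class Packet:
    """Hypothetical packet summary: only the fields the posted rules look at."""
    proto: str                  # "tcp", "udp" or "icmp"
    state: str                  # conntrack state: NEW, ESTABLISHED or RELATED
    dport: int = 0
    iface: str = "eth0"
    src: str = "192.168.2.10"   # constructed sample addresses
    dst: str = "192.168.2.1"


def parse_rule(line):
    """Parse the subset of iptables-save syntax used in the posted file."""
    toks = shlex.split(line)
    rule = {"proto": None, "states": None, "dport": None, "iface": None,
            "src": None, "dst": None, "target": None, "prefix": ""}
    i = 0
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]      # every option here takes one argument
        if opt == "-p":
            rule["proto"] = arg
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt == "--dport":
            rule["dport"] = int(arg)
        elif opt == "-i":
            rule["iface"] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg)
        elif opt == "-d":
            rule["dst"] = ipaddress.ip_network(arg)
        elif opt == "-j":
            rule["target"] = arg
        elif opt == "--log-prefix":
            rule["prefix"] = arg
        elif opt not in ("-A", "-m", "--reject-with"):
            raise ValueError(f"unsupported option {opt}")
        i += 2
    return rule


def load_rules(text=RULES_TEXT):
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule, pkt):
    return ((rule["proto"] is None or rule["proto"] == pkt.proto)
            and (rule["states"] is None or pkt.state in rule["states"])
            and (rule["dport"] is None or rule["dport"] == pkt.dport)
            and (rule["iface"] is None or rule["iface"] == pkt.iface)
            and (rule["src"] is None or ipaddress.ip_address(pkt.src) in rule["src"])
            and (rule["dst"] is None or ipaddress.ip_address(pkt.dst) in rule["dst"]))


def trace(rules, pkt, policy="ACCEPT"):
    """Walk the chain in order. Returns (verdict, index of the deciding rule,
    list of log lines produced); the index is None when the chain policy applied."""
    logged = []
    for idx, rule in enumerate(rules):
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":
            # LOG is non-terminating: record the packet and keep walking the chain.
            logged.append(f'{rule["prefix"]}PROTO={pkt.proto.upper()} DPT={pkt.dport}')
        elif target in ("ACCEPT", "DROP", "REJECT"):
            return target, idx, logged
        # A matching rule with no target (the two 631 rules) only bumps counters.
    return policy, None, logged


def log_rule_first(rules):
    """The mistake Dave warns about: the blanket LOG rule moved to the top."""
    log = [r for r in rules if r["target"] == "LOG"]
    return log + [r for r in rules if r["target"] != "LOG"]


if __name__ == "__main__":
    rules = load_rules()
    for name, pkt in [("ssh NEW", Packet("tcp", "NEW", 22)),
                      ("telnet NEW", Packet("tcp", "NEW", 23)),
                      ("netbios-dgm NEW", Packet("udp", "NEW", 138)),
                      ("ssh reply", Packet("tcp", "ESTABLISHED", 22))]:
        print(name, trace(rules, pkt))
    print("LOG first, established:",
          trace(log_rule_first(rules), Packet("tcp", "ESTABLISHED", 22)))
```

Running it shows the behaviour described in the reply: a new connection to port 22 is accepted at the fourth rule and never reaches the LOG line, a new connection to port 23 or a NetBIOS datagram to port 138 falls through to LOG and then REJECT, and an established flow is accepted by the very first rule. With the LOG rule moved to the top, even that established flow produces a log line, which is exactly how a blanket logging rule swamps the log. The trace also makes visible that the two 631 rules, having no `-j`, count packets but decide nothing.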

