telnet disconnects/firewall help?

DJ dgj-dave at pacbell.net
Wed Mar 1 17:10:19 PST 2000 

This is probably a simple problem, but being a newbie to ipchains i
would to again ask for the help of a kind soul. :)
for a while now i have had my telnet service disabled for security
purposes, since then I have implimented SAMBA, APACHE and a donated
RC.FIREWALL script..
the problem came when i went back into INETD.CONF to enable the telnet
service and nothing happened.
I can get a successful telnet connection with my server..
whenever i run 'telnet 63.199.5.221' from any outside client I get '
connection to host lost', Would this be related to the firewall
filtering of telnet? is telnet on port:23?
like i said i dont fully understand ipchains, but when i do would I need
to allow all incoming tcp packets on port 23?
attached is my rc.firewall for reference.. thanks in advance for any
help you could offer.
david johnson
******************************************begin rc.firewall
#!/bin/bash
/sbin/depmod -a
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_irc
/sbin/ipchains -M -S 7200 10 160

# BEGIN FIREWALL SETUP
echo "1" > /proc/sys/net/ipv4/ip_forward

echo -n "Starting Spoof Protection..."
# Setup Spoofing Protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
   for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > $f
   done
else
   echo "PROBLEMS SETTING UP SPOOFING PROTECTION, BE WORRIED!"
   echo "CONTROL-D will exit this shell and continue startup."
   echo
# Start single user shell on console
   /sbin/sulogin $CONSOLE
fi
echo "done."

### Start of ip filter rules....

echo -n "Setting IP filter rules..."
#First set default rule, deny EVERYTHING except localnet interface

ipchains -P input DENY
ipchains -A input -i lo -s 127.0.0.0/24 -j ACCEPT

# Deny SYN packets on external (DSL) interface
# I had to disable this because it wouldnt let me retrieve ftp dirs??
# ipchains -A input -i eth0 -p tcp -y -l -j DENY


# Set Filtering Rules for eth1 interface (internal net)
# Create a new chain for eth1 interface
ipchains -N eth1-in
ipchains -A input -i eth1 -j eth1-in

# Set filtering rules for eth1
ipchains -A eth1-in -b -s 192.168.0.0/24 -j ACCEPT
ipchains -A eth1-in -s 127.0.0.0/24 -l -j DENY


# Set Filtering Rules for eth0 interface (external DSL net)
# Create a new chain for eth0 interface
ipchains -N eth0-in
ipchains -A input -i eth0 -j eth0-in

# Set filtering rules for eth0
ipchains -A eth0-in -s 0/0 -j ACCEPT
ipchains -A eth0-in -s 127.0.0.0/24 -l -j DENY

### Uncomment to allow inbound sendmail connections
ipchains -A eth0-in -p tcp -s 0/0 25 -y -j ACCEPT

### Uncomment to allow inbound www connections
ipchains -A eth0-in -p tcp -s 0/0 80 -y -j ACCEPT

### Uncomment to allow inbound ftp connections
### enable telnet first then ftp on 21..
#ipchains -A eth0-in -p tcp -s 0/0 23 -y -j ACCEPT
#ipchains -A eth0-in -p tcp -s 0/0 21 -y -j ACCEPT

### This is old and not needed for most systems but it's good protection
for some....
# Deny "Ping-of-death" packets
ipchains -A input -p icmp -f -l -j DENY

### And lastly, forward internal packets to external interface and
Masqerade!
# Set ip forwading for local network to internet
ipchains -A forward -p udp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p tcp -s 192.168.0.0/24 -j MASQ
ipchains -A forward -p icmp -s 192.168.0.0/24 -j MASQ

echo "done."

More information about the talk mailing list