Re: Disabling telnet on Linux iptables firewall

C. J. Clegg wrote:

On my Fedora Core 2 server, I call up system-config-securitylevels (the
GUI configuration tool for iptables) and I tell it to disallow telnet.

That works ... no one can telnet in any longer. So far so good.

But, isn't that supposed to disable telnet'ing out, as well?

That doesn't seem to be working.

(In general it seems the iptables configuration GUI is MIGHTY limited in
the things that it can do, and yet the /etc/sysconfig/iptables file,
that gets generated by system-config-securitylevels, has this big caveat
at the top: "Firewall configuration written by
system-config-securitylevel ... Manual customization of this file is not
recommended".)

I would like to be able to limit all outgoing traffic to http, ssh, and
email, nothing else.

chkconfig gives the option to determine what gets started when your system
starts. If you are trying to stop telnet into your machine, you should
use this to prevent telnet from listening (starting), in addition to the
firewall.

To prevent outgoing telnet, disable (rename or remove) telnet on all your
machines. That's a start, but doesn't prevent users or processes from
installing or starting their own telnet clients. You can allow or deny
service (incoming or outgoing) to or from any port with iptables (more
below), but it is much more difficult if even possible to allow or deny
any particular protocol (http, ssh, pop3, imap, etc.).

Work out the iptables rules you think you need to allow or block whatever
traffic to or from whatever ports you are interested in, and put them into
a separate shell script with an

"iptables -I ..."

command in the script, which places these rules at the start of the
rulesets in memory. Run this script manually at startup, or automatically
after everything else has started, possibly from /etc/rc.d/rc.local.

I do not believe there is any particular or easy specific way to allow or
deny any particular protocol, in or out, using iptables alone. The rules
have many options, but it has no way to examine or evaluate protocols used.
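As an added example (not part of the reply above, nor Fedora's own tooling), here is the kind of separate script the reply recommends: it builds an outbound policy that lets only http/https, ssh and mail leave the host and drops every other new outbound connection, hooked in ahead of whatever system-config-securitylevel loaded. The port list, the EGRESS chain name and the DRY_RUN switch are my assumptions; "email" is taken to mean SMTP/submission plus POP3 and IMAP, and a DNS rule is included because the allowed clients cannot resolve names without it, even though the original poster did not list it.

```shell
#!/bin/sh
# Added example: egress policy in the spirit of the reply above. Allows only
# outgoing http/https, ssh and mail; drops every other new outbound
# connection. The EGRESS chain name, the port list and DRY_RUN are assumptions.

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-0}          # 1 = print the commands instead of running them

# Outbound TCP ports to keep open (assumption: "email" means SMTP/submission
# for sending plus POP3/IMAP, plain and TLS, for fetching).
TCP_OUT_PORTS="22 25 80 110 143 443 587 993 995"

# Run one iptables command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Build a private chain and hook it at the head of OUTPUT. Keeping the rules
# in their own chain means a reload is a flush, not an ever-growing pile of
# -I rules on OUTPUT itself.
egress_rules() {
    # -N fails harmlessly if the chain already exists from an earlier run.
    run -N EGRESS 2>/dev/null || true
    run -F EGRESS

    # Loopback traffic never leaves the host; always allow it.
    run -A EGRESS -o lo -j ACCEPT
    # Replies belonging to connections that were allowed in (e.g. the sshd
    # listener) must still get out; without this, inbound services break.
    run -A EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS lookups (assumption: not in the poster's list, but needed in practice).
    run -A EGRESS -p udp --dport 53 -j ACCEPT

    for port in $TCP_OUT_PORTS; do
        run -A EGRESS -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything else is logged (rate-limited) and dropped. This matches on
    # destination *port*, not on protocol: a telnet client aimed at port 80
    # still gets out, which is exactly the limitation the reply describes.
    run -A EGRESS -m limit --limit 5/min -j LOG --log-prefix "EGRESS DROP: "
    run -A EGRESS -j DROP

    # Remove any earlier hook, then insert ours at position 1 so it is
    # evaluated before whatever system-config-securitylevel loaded.
    run -D OUTPUT -j EGRESS 2>/dev/null || true
    run -I OUTPUT 1 -j EGRESS
}

# Print the rule set without touching the kernel; useful for checking it
# before wiring the script into /etc/rc.d/rc.local.
show_rules() {
    ( DRY_RUN=1; egress_rules )
}

case "${1:-}" in
    apply) egress_rules ;;
    show)  show_rules ;;
esac
```

Run it as `sh egress.sh show` to see the rules it would load, `sh egress.sh apply` (as root) to load them, and `iptables -nL OUTPUT` afterwards to confirm the EGRESS jump sits at the top. Because the script only matches ports, a client that speaks another protocol on an allowed port is not stopped; for that you need the per-host measures the reply mentions (chkconfig, removing the telnet binary) rather than iptables.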