Re: Disabling telnet on Linux iptables firewall



On Sat, 28 Oct 2006, in the Usenet newsgroup comp.os.linux.security, in article
<pan.2006.10.28.19.55.19.780733@xxxxxxxxx>, C. J. Clegg wrote:

> On my Fedora Core 2 server,

Why are you using such an old release? FC2 was declared "unsupported"
at downloads.fedoralegacy.org in April, and there have been no updates
released since the end of March. FC6 was released this past week. Consider
updating to that.

> I call up system-config-securitylevels (the GUI configuration tool for
> iptables) and I tell it to disallow telnet.
>
> That works ... no one can telnet in any longer. So far so good.
>
> But, isn't that supposed to disable telnet'ing out, as well?

No - that's a misunderstanding on your part.

> (In general it seems the iptables configuration GUI is MIGHTY limited in
> the things that it can do, and yet the /etc/sysconfig/iptables file, that
> gets generated by system-config-securitylevels, has this big caveat at the
> top: "Firewall configuration written by system-config-securitylevel ...
> Manual customization of this file is not recommended".)

This is normal for a GUI tool. You can easily do what the tool author
thought you might want to do, and typically have much difficulty doing
things the author didn't think you'd need, or didn't think of. This has
always been the case. As for editing the actual configuration file, the
precaution is because the tool doesn't know what your changes look like,
and may accidentally delete them when you run the tool.

> I would like to be able to limit all outgoing traffic to http, ssh, and
> email, nothing else.

Two choices - first is to get rid of the GUI, and write the firewall rules
yourself. There is a large amount of documentation available, starting
with the official HOWTOs, as well as Rusty Russell's "unofficial" howtos
available from http://www.iptables.org/documentation/HOWTO/. Depending
on your skill level, this may or may not be a viable option. Remember that
the 'telnet' client takes a port number as an optional parameter, and thus
can telnet _to_ any port number on the remote - whether or not there is a
server there (won't connect if there isn't, but that doesn't stop the
attempt).

The second choice is to either remove or disable the undesired clients.
Disabling them is likely the better choice - use the 'which' command to
find the binary, and then 'chmod 644' that:

[compton ~]$ which telnet
/usr/bin/telnet
[compton ~]$ su -c /bin/chmod 644 /usr/bin/telnet
Password:
[compton ~]$

In your list of allowed traffic, you don't mention 'ftp' but that is needed
to keep your system up to date. Admittedly, this is going to be quite
difficult for FC2, but you should be aware of your responsibility.

Old guy
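An added example, not part of the post above and not a Fedora or iptables project script: a hand-written OUTPUT policy of the kind the reply suggests, allowing only the outgoing traffic the original poster listed (http, ssh, email). The port numbers chosen for "email" (25 for sending, 110/143 for fetching) and the extra udp/53 rule are my assumptions; without DNS the permitted services could not be reached by name. `allowed_out` answers the poster's question directly: the rules match the destination port, not the program opening the socket, so `telnet host 80` still leaves the box while `telnet host 23` is dropped.

```shell
#!/bin/sh
# Added example (not from the original post). Builds an iptables OUTPUT chain
# that permits only ssh, http, email and DNS, with a logged default DROP.
# Port choices for "email" and the DNS rule are assumptions made here.

IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}          # 1 = print the commands, 0 = apply them (needs root)

# Outgoing TCP destination ports the policy permits (22 ssh, 80 http,
# 25 smtp, 110 pop3, 143 imap). Add 443 here if https is wanted.
ALLOWED_TCP="22 80 25 110 143"
ALLOWED_UDP="53"               # DNS, so the names above resolve

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

apply_output_policy() {
    run -F OUTPUT
    run -P OUTPUT DROP                              # default: nothing leaves
    run -A OUTPUT -o lo -j ACCEPT                   # local processes talking to each other
    run -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOWED_TCP; do
        run -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $ALLOWED_UDP; do
        run -A OUTPUT -p udp --dport "$p" -j ACCEPT
    done
    # Log what the default policy drops, rate limited, so the rule set can be
    # tuned and an unexpected outbound attempt shows up in the log.
    run -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
}

# Does the policy let a new TCP connection to port $1 out?
# Exit status 0 = allowed, 1 = dropped. The match is on the port alone,
# not on the client program, which is the point the reply makes about telnet.
allowed_out() {
    for p in $ALLOWED_TCP; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

apply_output_policy
for port in 23 80; do
    if allowed_out "$port"; then
        echo "tcp/$port: allowed (any client, telnet included)"
    else
        echo "tcp/$port: dropped"
    fi
done
```

Run it as-is to see the rule set it would install; set `DRY_RUN=0` and run as root to apply it. The ESTABLISHED,RELATED rule is what keeps replies to inbound services (sshd, the mail server) flowing once the default policy is DROP, and the LOG rule is the cheapest way to find out which legitimate client you forgot before it bites.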