I just installed RHL 8.0 on a crappy old box. I intend to use it as a gateway and webserver and didn't install X. It doesn't have much RAM anyway.
So, when I installed it, I selected the "medium" firewall setting, which apparently blocks all ports through 1023 and two more. That means ssh is blocked, so my task was to figure out how to allow ssh to this box WITHOUT USING A GUI TOOL. Should be simple enough, right? Just use iptables.
Here's the default iptables listing for the system:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
Well, let me just list some things that haven't worked.
1) Adding an 'ACCEPT' rule to the RH-LOKKIT table for tcp on port 22.
2) Flushing the INPUT table so it doesn't send packets through the firewall rules, or changing it to ACCEPT all from anywhere.
3) Changing sshd to listen at ports 2002 and 8002 -- which shouldn't even be covered by the firewall.
This is with the default install of sshd and firewall -- I haven't changed any sshd options other than the port. In all cases, I can ssh to the box from localhost, ssh out from the box to my other box (the DHCP server), but not ssh from my other box to this box (as either root or regular user) -- the connection is denied. In all cases, nmap shows a bunch of ports free locally on the box but shows no ports open from my dhcp server.
The only thing I can think of is that (a) iptables needs some command to actually activate the rule changes I make -- I'm assuming everything is effective immediately -- or (b) something is wonky about iptables on my DHCP server -- I can't imagine what, though.
Any advice, please?
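Added example, not part of the original post: a small Python script that parses an `iptables -L -n -v` listing and replays the kernel's first-match walk through INPUT and the lokkit chain, so you can see why the position of an ACCEPT for tcp/22 inside RH-Lokkit-0-50-INPUT decides whether it ever takes effect. The listing embedded in the script is constructed to mirror the one in the post; the `lo` interface on the first ACCEPT rule is an assumption (plain `iptables -L` hides the in/out interface columns, which is why that rule reads as accept-everything above), and `eth0` as the inbound interface is a constructed value.

```python
"""Replay iptables' first-match rule walk over a parsed `iptables -L -n -v`
listing, to show how rule order decides the fate of an inbound tcp/22 SYN."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in `iptables -L -n -v` layout, mirroring the lokkit
# ruleset in the post.  ASSUMPTION: the leading "ACCEPT all" rule is the
# loopback rule (-i lo); plain `iptables -L` does not print interfaces.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Lokkit-0-50-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023 flags:0x17/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2049 flags:0x17/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:0:1023 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:2049 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:6000:6009 flags:0x17/0x02 reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7100 flags:0x17/0x02 reject-with icmp-port-unreachable
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end the walk


@dataclass
class Rule:
    target: str
    proto: str                         # "all", "tcp", "udp", ...
    in_iface: str                      # "*" means any interface
    dport: Optional[Tuple[int, int]]   # inclusive port range, None = any port

    def matches(self, proto: str, dport: int, in_iface: str) -> bool:
        # Only new-connection (SYN) packets are modelled, so flags are ignored.
        if self.proto != "all" and self.proto != proto:
            return False
        if self.in_iface != "*" and self.in_iface != in_iface:
            return False
        if self.dport is not None and not (self.dport[0] <= dport <= self.dport[1]):
            return False
        return True


CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")
# pkts bytes target prot opt in out source destination [match options]
RULE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+\S+\s+\S+\s+\S+(.*)$")
PORT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")


def parse_listing(text: str) -> Tuple[Dict[str, List[Rule]], Dict[str, str]]:
    """Return ({chain: [rules...]}, {built-in chain: policy})."""
    chains: Dict[str, List[Rule]] = {}
    policies: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            if m.group(2):
                policies[current] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            target, proto, in_iface, extra = m.groups()
            pm = PORT_RE.search(extra)
            dport = (int(pm.group(1)), int(pm.group(2) or pm.group(1))) if pm else None
            chains[current].append(Rule(target, proto, in_iface, dport))
    return chains, policies


def verdict(chains, policies, chain: str, proto: str, dport: int,
            in_iface: str = "eth0") -> Optional[str]:
    """Walk `chain` as the kernel does: the first matching terminal rule wins;
    a jump into a user chain is followed and, if that chain falls off its end
    without a verdict, the walk resumes in the caller."""
    for rule in chains.get(chain, []):
        if not rule.matches(proto, dport, in_iface):
            continue
        if rule.target in TERMINAL:
            return rule.target
        if rule.target in chains:
            sub = verdict(chains, policies, rule.target, proto, dport, in_iface)
            if sub is not None:
                return sub
    return policies.get(chain)  # built-in policy; None for a user chain


def ssh_verdict_for(listing: str, placement: Optional[str]) -> Optional[str]:
    """Fate of an inbound SYN to tcp/22 on eth0 after optionally adding an
    ACCEPT for tcp/22 to the lokkit chain:
      None     -> ruleset as listed
      "append" -> effect of `iptables -A RH-Lokkit-0-50-INPUT -p tcp --dport 22 -j ACCEPT`
      "insert" -> effect of `iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp --dport 22 -j ACCEPT`"""
    chains, policies = parse_listing(listing)
    accept_ssh = Rule("ACCEPT", "tcp", "*", (22, 22))
    if placement == "append":
        chains["RH-Lokkit-0-50-INPUT"].append(accept_ssh)
    elif placement == "insert":
        chains["RH-Lokkit-0-50-INPUT"].insert(0, accept_ssh)
    return verdict(chains, policies, "INPUT", "tcp", 22)


if __name__ == "__main__":
    for placement in (None, "append", "insert"):
        print(f"tcp/22 from eth0, ACCEPT placement={placement}: "
              f"{ssh_verdict_for(SAMPLE_LISTING, placement)}")
    chains, policies = parse_listing(SAMPLE_LISTING)
    print("tcp/22 from lo:", verdict(chains, policies, "INPUT", "tcp", 22, "lo"))
    print("tcp/2002 from eth0:", verdict(chains, policies, "INPUT", "tcp", 2002))
```

The walk reproduces what the post reports: ssh from localhost is accepted by the loopback rule, while an ACCEPT added with `iptables -A` lands behind the `dpts:0:1023` REJECT and is never reached; only `iptables -I RH-Lokkit-0-50-INPUT 1 ...` puts it in front. Rule changes are effective immediately (no activation step), but on Red Hat they do not survive a reboot unless written to /etc/sysconfig/iptables with `service iptables save` or `iptables-save`. `iptables -L -n -v --line-numbers` shows the interface columns and rule positions that the bare `-L` output hides, which is the first thing to check when a rule that looks right has no effect.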