
Redhat 7.1 firewall 2

Status
Not open for further replies.

axman505

Technical User
Jun 20, 2001
489
US
I think the firewall is blocking me from accessing SWAT. How do I allow SWAT to pass through the firewall?
 
Hi,

It's probably xinetd, actually. SWAT is one of those IP services launched on demand by xinetd. The config file /etc/xinetd.d/swat is installed when you install the Samba RPM, but the service is disabled by default. (This also applies to telnet-server, wu-ftpd, etc.)

So, edit /etc/xinetd.d/swat and change 'disable=yes' to 'disable=no'. Then restart xinetd with '/etc/rc.d/init.d/xinetd restart' or '/sbin/service xinetd restart'.

Then connect with browser as and it should work.

Rgds.
 
Everything is all installed and enabled .. I just don't know how to let it through the firewall.
 
I can load SWAT within Linux, but it is not getting through the firewall. So I just need to know how to allow port 901 to get through the firewall.
 
Hi,

OK.. If you are using the Red Hat firewall, it's still ipchains-based even for version 7.1. So you'd add some ipchains commands to your firewall script like these ...

ipchains -A input -p tcp -d any/0 901 -j ACCEPT

ipchains -A output -p tcp ! -y -s any/0 901 -d any/0 1024:65535 -j ACCEPT

This assumes that swat is running on the same box as the firewall.

Regards..
 
Is there anything special I need to do to add those to the firewall config, or just type them in and hit enter?
 
It added, but I'm still not getting anything.
 
This is what it says:

ACCEPT tcp ------ anywhere anywhere any -> swat
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
target prot opt source destination ports
ACCEPT tcp -y---- anywhere anywhere swat -> 1024:65535
 
Hi,

I assumed that the connection to port 901 was from an unprivileged client port. Maybe that's not the case. Try again with exactly the same commands but completely remove the '1024:65535'. I.e. :

ipchains -A input -p tcp -d any/0 901 -j ACCEPT
ipchains -A output -p tcp ! -y -s any/0 901 -d any/0 -j ACCEPT

Also, where are you trying to use swat from, where is the firewall, and where would the swat server be running ? Is this 3 different machines, 2 , or just one with everything ?

Rgds
 
The problem is *probably* NOT with the firewall, but rather with xinetd.

/etc/xinetd.d/swat

has a line that only allows from 127.0.0.1

Remove that line :)
then /etc/init.d/xinetd restart

-John ---
John Hoke
 
The only_from line is not in the swat config file; that is one of the first things I tried.

I have a home network running and the Linux box is the DMZ host of the router, and I need my computer to be able to load SWAT from within the LAN.

I tried entering that stuff with the 1024:65535 and it still didn't work. Do I have to save the changes to the ipchains before it will work, because I noticed that when I reboot Linux those entries disappear.
 
Hi,

I've been using iptables for some time and have never used the RH firewall, but I believe it creates all the config files in /etc/sysconfig. I think there's a file /etc/sysconfig/ipchains and also files for each interface. For example, /etc/sysconfig/firewall.ifcfg-lo for the loopback interface. I suspect they are triggered via the sysv init system rather than from the actual /etc/rc.d/rc.sysinit boot-up script.

So, you could just try to configure the RH firewall using either 'lokkit' or 'gnome-lokkit' as commands for the latest one or 'firewall-config' for the one before that. If it doesn't make sense then you could either try to add some rules to the files used by the firewall (i.e. the /etc/sysconfig ones referred to above) or add them to a script of your own.

Easiest would be to add the commands to /etc/rc.d/rc.local. This script is designed for local customisation and is run right at the end of the boot process before you get the logon prompt. You'd just add the lines as shown before:

ipchains -A input -p tcp -d any/0 901 -j ACCEPT
ipchains -A forward -p tcp -d any/0 901 -j ACCEPT
ipchains -A output -p tcp ! -y -s any/0 901 -d any/0 -j ACCEPT

I've added a 'forward' rule there because I'm still not sure what's where in your setup.

And, yes, they do have to be in a file because they are not magically remembered as such - in fact all firewall scripts start by flushing existing chains anyway. Your only problem might be if the firewall scripts somehow ran again after normal sysinit; then your rules in rc.local might be flushed away!

Hope this is clearer....

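The following is an added example, not code from this thread or from any of its posters. It takes the rc.local approach suggested above and tightens it in the way a practitioner would want: the ipchains rules accept new connections to tcp/901 only from the LAN rather than from any/0, and the matching /etc/xinetd.d/swat stanza carries an only_from for the same subnet, since SWAT authenticates with the root password over plain HTTP and should never be reachable from outside trusted hosts. The LAN subnet 192.168.1.0/24 and the assumption that SWAT runs on the firewall box itself (so no forward rule is needed) are assumptions for the example, not facts from the thread; the function and variable names are likewise made up here.

```shell
#!/bin/sh
# Added example (not from the thread): restrict SWAT (tcp/901) to the LAN at
# both xinetd and the ipchains firewall, and keep the rules persistent by
# sourcing this file from /etc/rc.d/rc.local.
# Assumptions (not from the thread): the LAN is 192.168.1.0/24 and SWAT runs
# on the firewall box itself, so only input/output rules are needed.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
SWAT_PORT=901

# xinetd stanza for /etc/xinetd.d/swat. only_from is the first line of
# defence: SWAT sends the root password over plain HTTP, so limit it to the
# loopback address and the LAN subnet given as $1.
swat_xinetd_stanza() {
    cat <<EOF
service swat
{
    port            = $SWAT_PORT
    socket_type     = stream
    wait            = no
    only_from       = 127.0.0.1 $1
    user            = root
    server          = /usr/sbin/swat
    log_on_failure  += USERID
    disable         = no
}
EOF
}

# ipchains rules: accept new connections to port 901 only from the LAN ($1),
# and let the replies out. "! -y" matches packets that are not SYN-only, so
# the output rule cannot be used to open new connections from port 901.
swat_ipchains_rules() {
    cat <<EOF
ipchains -A input -p tcp -s $1 -d any/0 $SWAT_PORT -j ACCEPT
ipchains -A output -p tcp ! -y -s any/0 $SWAT_PORT -d $1 -j ACCEPT
EOF
}

# Apply the rules only when running as root on a box that actually has
# ipchains; return 1 otherwise so a caller can notice nothing was changed.
# ip_forward is left alone: it is only needed when this box routes for others.
apply_swat_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v ipchains >/dev/null 2>&1; then
        swat_ipchains_rules "$LAN_NET" | sh
        return 0
    fi
    return 1
}

# Usage: ". /path/to/this.sh apply" from rc.local applies the rules;
# sourcing without "apply" only defines the functions.
case "${1:-}" in
    apply) apply_swat_rules ;;
esac
```

The generator functions are kept separate from apply_swat_rules so the exact rule text can be inspected (or diffed against `ipchains -L -n`) before anything touches the running firewall; run `swat_xinetd_stanza 192.168.1.0/24` to see the stanza to drop into /etc/xinetd.d/swat, then restart xinetd as described earlier in the thread.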
 
This is what I got when I tried to add the forward one:

[root@mmax sysconfig]# ipchains -A forward -p tcp -d any/0 901 -j ACCEPT
Warning: you must enable IP forwarding for packets to be forwarded at all:
Use `echo 1 > /proc/sys/net/ipv4/ip_forward'

 
Hi,

Yes, you do indeed require to do that command - it just puts a value of '1' (yes) into the 'file' in the /proc filesystem.

Normally, you would have that line in your firewall script. Or you can just type it from the command line:

echo 1 > /proc/sys/net/ipv4/ip_forward

There are some similar settings that can be used for firewalling but I won't bore you with them now...

Regards
 
Thanks a million. You don't know how helpful you have been. I ran lokkit and just configured it to add port 901 and it all worked. Thanks again!!
 