Linux Mint Forums

by **Pumalite** on Sat Jun 30, 2007 10:04 am

Trying to use 'sh' protocol or 'fish' in Konqueror. Need port 22 open. Any help will be much appreciated.

by **scorp123** on Sat Jun 30, 2007 10:32 am

It would help if you could be more specific :roll:

Why did you install IPTables in the first place when you don't know how to handle it?

Also, are you sure that SSH is running? Doesn't sound like it.

by **Pumalite** on Sat Jun 30, 2007 11:23 am

You might be right. I'm a newbie. One of the Gurus in this forum told me that iptables came in Mint enabled by default closing all ports. I also know that I used 'fish' in Konqueror with port 22 open from box with Ubuntu in to box with Suse 10.2, where I had to open port 22 in Firestarter. Since then I erased Suse and I installed Mint. When I tried the same from box with Ubuntu, it gave me error. In a word, I need guidance. All I want to do is transfer files. 'fish' in Konqueror, which I think is another expression of ssh, allowed me to do that. So, please help. Do I need to 'install' ssh in Mint?

by **Pumalite** on Sat Jun 30, 2007 11:32 am

ssh is installed. I think is a matter of port 22 being closed or the need to grant permission of some kind in Mint. Any ideas.

by **Pumalite** on Sat Jun 30, 2007 11:39 am

Sorry, I have Azureus working, so, ports are open. The problem lies apparently somewhere else. Any help with permissions to be open to the home LAN will be much appreciated.

by **900i** on Sat Jun 30, 2007 2:01 pm

To ssh into your mint box you need to install the ssh package with Synaptic on the mint box you are trying to connect to first, the server part is not installed by default in mint, but I think the client is. I know this because I couldn't ssh into one of my mint boxes without first installing ssh on the box I was trying to get into, and after it was installed it worked.

Correction, The openssh client is installed, it's the openssh server you need to install on the box you are trying to connect to.

by **Husse** on Sat Jun 30, 2007 2:24 pm

In this case the normally so reliable scorp123 was not reliable - to my knowledge iptables are incorporated in the 2.4.x and 2.6.x kernels and normally enabled in the kernel, which then makes this default for all Linux (Hope scorp doesn't slap me on my fingers

)
Second if you make a call through any port it will (of course) be open for an answer to your call.
FTP has a problem as it calls on one port and expects the answer on another (not just 20 and 21). If the answer comes on another port than the call it may be seen as illegitimate - but I believe this is solved in iptables
Sorry for the detour.
If you have installed programs that uses the same port as described above and has the same privileges they should communicate (I don't know what happens if one program is run under normal user privileges and the other with sudo, or if it matters at all

)

OH - you could edit (if that's the term) iptables, but that's a real pain in... to do

by **Pumalite** on Sat Jun 30, 2007 3:33 pm

Thanks a lot for your replies guys. I really appreciate it. You are both right, but the answer lied somewhere else. after checking everything I came to the conclusion that my Ubuntu box was keeping the key of the old suse, and since the keys now weren't corresponding, it would deny me the connection. It turn out I was right; I went fishing for the old key and found it in/home/<username>/~shh/known_hosts. So, I went and deleted it. Tried again, and BOOM!!; I'm in.

by **scorp123** on Sat Jun 30, 2007 4:06 pm

Pumalite wrote:ssh is installed.

Please give me the output of these commands (copy & paste):

Code: Select all: sudo lsof -n -i -P

Code: Select all: sudo netstat -ln

Code: Select all: sudo iptables -L

by **scorp123** on Sat Jun 30, 2007 4:09 pm

Husse wrote: In this case the normally so reliable scorp123 was not reliable - to my knowledge iptables are incorporated in the 2.4.x and 2.6.x kernels and normally enabled in the kernel

I will kill you. :lol:

It's there in the kernel - yes. It's enabled - yes. But unless you define any firewall rules iptables will just sit there and do nothing. It doesn't block anything unless you tell it to do so.

Husse wrote: (Hope scorp doesn't slap me on my fingers

I think I just did that .... :lol:

by **scorp123** on Sat Jun 30, 2007 4:12 pm

Pumalite wrote: Tried again, and BOOM!!; I'm in.

ah OK .... Hint: In the future always try the console too .... e.g. ssh youruser@remotehost .... Chances are that if there is any such error that you will see it in the console. GUI tools just "don't work" all of a sudden but they usually don't show any error message. Console tools always spit out error messages if something bothers them. So it's always worth trying a console connection too if "fish://" fails

by **Pumalite** on Sat Jun 30, 2007 4:54 pm

Thanks for the reply and the tip. The command 'sudo lsof -n -i -P' is of a rather private nature so I prefer not to divulge, but believe me: shh is there.

pumalite@pumalite-desktop:~$ sudo lsof -n -i -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

pumalite@pumalite-desktop:~$ sudo netstat -in
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg

pumalite@pumalite-desktop:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
pumalite@pumalite-desktop:~$

Hope it helps.

by **Husse** on Sat Jun 30, 2007 6:07 pm

But unless you define any firewall rules iptables will just sit there and do nothing. It doesn't block anything unless you tell it to do so.

Damned - I clearly remember reading it is set to drop everything from "the outside world" as default - and I may have read that - not everything you read is true :lol:

Anyway I use the ALL:ALL command in hosts.deny - but that is not iptables :lol:

(or?

)

by **scorp123** on Sat Jun 30, 2007 6:53 pm

Pumalite wrote: 'sudo lsof -n -i -P' is of a rather private nature so I prefer not to divulge ....

Bullsh* .... :lol:

It should give the same results as netstat -ln (which you were willing to divulge it seems?) :lol:

..... The difference being that lsof looks at "open files" (hence the name: list of open files) and by the parameters "-n -i -P" we limit that list to network stuff (everything is a "file" under UNIX-like OS!). netstat on the other hand passes through the network stack, e.g. it talks to the kernel and the TCP/IP stack to get the infos.

Under normal conditions both commands should produce a more or less identical list .... but I have seen "interesting" scenarios where the two may all of a sudden produce lists that differ .... and that's where it gets interesting. e.g. lsof won't list stuff that really isn't open (as its name suggests!), regardless of what the TCP/IP stack is saying about this. That's where it gets interesting: When the two commands are not of the same opinion what's open and what's not :lol:

Pumalite wrote: pumalite@pumalite-desktop:~$ sudo lsof -n -i -P
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

What's the point posting this when you cut out the interesting parts?? :roll:

Pumalite wrote: sudo netstat -in

I did not ask for that command .... :roll:

See above. Copy & paste please. Especially if you apparently can't tell the difference between "i" and "l" .... Hint: If I had wanted a "i" I would have put it there myself :wink:

But I asked for a "l" because that's the precise parameter that's needed. And on UNIX-like OS defining the precise parameter is everything :wink:

Pumalite wrote: pumalite@pumalite-desktop:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
pumalite@pumalite-desktop:~$

This shows that there is no active firewall rule whatsoever, and hence iptables isn't blocking anything.
.
.
.
.
.

by **scorp123** on Sat Jun 30, 2007 7:08 pm

Husse wrote: Anyway I use the ALL:ALL command in hosts.deny - but that is not iptables (or? )

Nope. That's just a "packet filter" (the difference being that a real "firewall" is supposed to be stateful and to always know who initiated what connection ... a "packet filter" doesn't care about that, it just filters ...) that hooks into a package called tcpwrappers ... It filters connection attempts based on those simple rules (e.g. "sshd: ALL" in /etc/hosts.deny ...) you define, but that's nowhere close to the sophisticated methods a real firewall can provide.

But then again a well written "hosts.deny" is all you as end-user need in 99.99% of the cases.

Another thing worth to look at: fail2ban .... Very interesting package. Check it out :wink:

by **Pumalite** on Sat Jun 30, 2007 9:42 pm

Sorry for the mistake. I just didn't want to publish my IP and all the channels that I had open or from where. But, it was all open.

by **scorp123** on Sun Jul 01, 2007 5:01 pm

Pumalite wrote:I just didn't want to publish my IP

Chances are that you are using a private range (RFC 1918) IP address anyway (e.g. 192.168.1.* or 172.16.*.* or 10.*.*.* ...?) because you are most likely behind a router? :wink:

Glad to hear that everything is working for you.

by **Pumalite** on Tue Jul 03, 2007 7:40 pm

Thank you. You are right. I'm behind a router. Everything is working great with LinuxMint BTW. Together with Ubuntu ( no surprise there ) are the most satisfying distros that I have found. Mint is a keeper.

by **baomike** on Sat Jul 07, 2007 1:17 am

It is easier if you put the commands in an executable file.
Run it after you boot. Sets up iptables the same each time, easy to modify with a text editor.

like:
iptables -F
iptables -t nat -F
iptables -t filter -F INPUT #this clears the 3 chains in the "filter"
iptables -t filter -F FORWARD #table
iptables -t filter -F OUTPUT
#iptables -P FORWARD DROP

iptables -t filter -A INPUT -p udp -i eth0 --dport 2967 -j DROP
iptables -t filter -A INPUT -p tcp -i eth0 --dport 2967 -j DROP #symantec hole 27NOV06
#iptables -t filter -A INPUT -p udp -i eth0 --dport 15169 -j DROP
#iptables -t filter -A INPUT -p tcp -i eth0 --dport 15169 -j DROP
#iptables -t filter -A INPUT -p udp -i eth1 --sport 15161 -j DROP
#iptables -t filter -A INPUT -p tcp -i eth1 --sport 15161 -j DROP
#iptables -t filter -A OUTPUT -p udp -o eth0 --sport 15169 -j DROP
#iptables -t filter -A OUTPUT -p tcp -o eth0 --sport 15169 -j DROP
iptables -t filter -A INPUT -s 86.0.0.0/8 -j DROP # JSC-MOLDTELECOM-SA-jiangsu
#iptables -t filter -A INPUT -s 221.0.0.0/8 -j DROP # CMNET-jiangsu
#iptables -t filter -A INPUT -s 218.0.0.0/8 -j DROP # Korea Telecom
#iptables -t filter -A INPUT -s 59.189.0.0/16 -j DROP # StarHub Cable Vision Ltd Singapore

lines wth "#" are remarked out.
The first 6 lines clear all the tables.

by **scorp123** on Sat Jul 07, 2007 10:10 am

baomike wrote: Run it after you boot.

Could you please explain those firewall rules in your example to us? I think that would be helpful for forum members who are interested to learn these things and e.g. write their own scripts.

And you should mention that people shouldn't blindly copy & paste that script ... :wink:

Linux Mint Forums

Port 22 How to open it?

Port 22 How to open it?

OH - you could edit (if that's the term) iptables,

Re: OH - you could edit (if that's the term) iptables,

Who is online