Firewall in RedHat 7.3, help me please!


oblanca
04-09-2003, 05:09 AM
Hi all...
I've got a little problem with my Linux box, running RedHat 7.3

(I can't upgrade 'cause it's a production box, yeah... I've never worked with Linux and now my whole company is working with it!!)

It rejects all connections from outside our LAN...
I think it's a firewall problem... 'cause I can connect from outside to an FTP server running on Windows (just to check whether the problem was in the Linux box and not in the router... don't worry) and even VNC too...
On the Linux box even a single FTP connection is rejected...
Any idea, folks???

oblanca
04-09-2003, 07:02 AM
this appears when I connect from inside the LAN:
abr 9 09:22:22 SrvOblanca su(pam_unix)[13546]: session opened for user root by usuario(uid=500)
I think PAM is working... could it be rejecting my connections from outside the LAN???
What do you think?

chrism01
04-09-2003, 09:19 AM
try seeing if the firewall is set up:
ps -ef|grep ipchains
or
ps -ef|grep iptables
to find out which is running, then
ipchains (OR iptables) -L
will list the current settings.

oblanca
04-09-2003, 09:47 AM
Hi Chris and first of all, thanks for your quick reply and contribution.
I've got both services stopped (ipchains and iptables).
Maybe I must have one enabled?
I've recently installed a program called iptraf that shows me incoming connections to the server port, but there is no reply from the server to the incoming host address... So for some reason they are not even rejected.... (the program gives me a timeout error...)
If something doesn't pass through the firewall, does it reply with access denied or does it just give a timeout???
Thanks for your time and dedication!
Rob!

chrism01
04-09-2003, 12:04 PM
Generally speaking, to connect to a Linux box, you need the relevant daemon to be listening and the relevant port to be open. If neither ipchains nor iptables is running, the default is usually no blocking, i.e. all ports open.
Have you got the ftp or whatever daemon running? Look in /etc/xinetd.d; this is the 'super daemon' that handles connections for telnet etc.
There's a file for each one in the dir. You need to set disable=no in the relevant file and restart xinetd.
Also, do
rpm -qa ipchains
rpm -qa iptables
to see if either is installed, then run the list cmd eg
ipchains -L
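The two posts above say to read the `iptables -L` / `ipchains -L` listing; on Red Hat 7.3's 2.4 kernel the two are alternative interfaces that cannot be loaded together, so when ipchains reports "Incompatible with this kernel" the iptables listing is the one that counts. The listing can be empty and still block everything if a chain's default policy is DROP, which is what a reader of `iptables -L -n` has to check first. The following is an added example, not code posted in this thread: a small parser for `iptables -L -n` output plus a check that reports every way the INPUT chain could stop a packet. Both listings are constructed samples in iptables' `-L -n` format; the addresses and rules in them are assumptions for illustration.

```python
"""Parse an `iptables -L -n` listing and report whether INPUT filters anything."""
import re

# Constructed sample: what a stopped/flushed iptables service prints (the thread's case).
EMPTY_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample: a ruleset that admits SSH from the LAN only and rejects FTP.
FILTERED_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0           tcp dpt:22
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Built-in chains print "(policy X)"; user-defined chains print "(N references)".
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

# Targets that never hand the packet to another chain we would have to inspect.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue  # blank separator or the column-header line
        f = line.split()  # target prot opt source destination [match...]
        chains[current]["rules"].append({
            "target": f[0], "prot": f[1], "source": f[3],
            "destination": f[4], "match": " ".join(f[5:]),
        })
    return chains


def input_filters(chains):
    """List the reasons INPUT could stop a packet; an empty list means wide open."""
    inp = chains.get("INPUT")
    if inp is None:
        return ["no INPUT chain in listing"]
    reasons = []
    if inp["policy"] != "ACCEPT":
        reasons.append("policy %s: anything not explicitly ACCEPTed is dropped" % inp["policy"])
    for r in inp["rules"]:
        if r["target"] in ("DROP", "REJECT"):
            reasons.append("%s rule: %s %s -> %s %s" % (
                r["target"], r["prot"], r["source"], r["destination"], r["match"]))
        elif r["target"] not in TERMINAL:
            reasons.append("jump to user chain %s (inspect it separately)" % r["target"])
    return reasons


if __name__ == "__main__":
    for name, text in (("empty", EMPTY_LISTING), ("filtered", FILTERED_LISTING)):
        reasons = input_filters(parse_listing(text))
        print(name, "->", "wide open" if not reasons else "; ".join(reasons))
```

To use it on a live box, pipe the real listing in: `iptables -L -n | python3 thisfile.py` after swapping the sample text for `sys.stdin.read()`. The `-n` flag matters: without it iptables resolves addresses to names and the columns no longer parse as addresses. An empty INPUT chain with policy DROP is reported as filtering, which is the case a glance at a "blank" listing misses.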

BadBrad
04-09-2003, 12:58 PM
Go buy the book on Linux firewalls:

Linux Firewalls by Ziegler

Published by New Riders

ISBN 0-7357-1099-6

Then you will be a firewall expert
:)

baldguy
04-09-2003, 06:27 PM
That log entry was a successful su command.

Are you trying to ftp in as root? I don't remember how RH7.3 did it, but most distros don't allow remote access as root.

Try to ssh in as a normal user and see what it says, and while you're at it run tcpdump and see what packets your machine actually shows.
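The tcpdump suggestion above is the decisive check for this kind of problem, and it also answers the earlier question about whether a blocked connection gets "access denied" or just a timeout: a firewall REJECT (or a closed port) comes back as a RST, a DROP comes back as nothing, and a host whose reply cannot find its way back to the client also comes back as nothing. What follows is an added example, not code from this thread: it reads a tcpdump capture and labels every connection attempt as answered, refused or silent. SAMPLE_TRACE is a constructed capture in tcpdump's current "Flags [..]" line format (not the format a 2003-era tcpdump printed), using documentation address ranges; the hosts and ports in it are assumptions for illustration.

```python
"""Classify TCP connection attempts seen in a tcpdump capture."""
import re
from collections import OrderedDict

# Constructed capture: three unanswered SYNs to port 22 from outside, one RST-refused
# SYN to port 21 from outside, and one completed handshake to port 22 from the LAN.
SAMPLE_TRACE = """\
10:01:00.000100 IP 203.0.113.7.40001 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, length 0
10:01:03.000100 IP 203.0.113.7.40001 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, length 0
10:01:09.000100 IP 203.0.113.7.40001 > 192.168.1.10.22: Flags [S], seq 1000, win 65535, length 0
10:01:12.000000 IP 203.0.113.7.40002 > 192.168.1.10.21: Flags [S], seq 2000, win 65535, length 0
10:01:12.000200 IP 192.168.1.10.21 > 203.0.113.7.40002: Flags [R.], seq 0, ack 2001, win 0, length 0
10:01:20.000000 IP 192.168.1.50.50000 > 192.168.1.10.22: Flags [S], seq 3000, win 65535, length 0
10:01:20.000300 IP 192.168.1.10.22 > 192.168.1.50.50000: Flags [S.], seq 7000, ack 3001, win 5840, length 0
10:01:20.000600 IP 192.168.1.50.50000 > 192.168.1.10.22: Flags [.], ack 7001, win 65535, length 0
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_trace(text):
    """Return one dict per parseable packet line; non-TCP or unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_attempts(text):
    """Map (client, cport, server, sport) -> {"syns": count, "result": label}.

    SYN_ACK:  a listening service answered.
    REFUSED:  the host answered with RST (closed port, or a firewall REJECT).
    NO_REPLY: SYNs arrived but nothing left (DROP rule, no usable route back to
              the client, or the packet never reached the stack).
    """
    attempts = OrderedDict()
    for p in parse_trace(text):
        flags = p["flags"]
        fwd = (p["src"], int(p["sport"]), p["dst"], int(p["dport"]))
        rev = (p["dst"], int(p["dport"]), p["src"], int(p["sport"]))
        if flags == "S":  # a bare SYN opens (or retransmits) an attempt
            attempts.setdefault(fwd, {"syns": 0, "result": "NO_REPLY"})["syns"] += 1
        elif rev in attempts:  # something flowing back towards a known attempt
            if "S" in flags and "." in flags:
                attempts[rev]["result"] = "SYN_ACK"
            elif "R" in flags:
                attempts[rev]["result"] = "REFUSED"
    return attempts


def summarize_by_port(attempts):
    """Count results per (server, port) so a port that is silently dropped stands out."""
    out = {}
    for (_, _, server, sport), a in attempts.items():
        per_port = out.setdefault((server, sport), {})
        per_port[a["result"]] = per_port.get(a["result"], 0) + 1
    return out


if __name__ == "__main__":
    attempts = classify_attempts(SAMPLE_TRACE)
    for (c, cp, s, sp), a in attempts.items():
        print("%s:%d -> %s:%d  %d SYN(s)  %s" % (c, cp, s, sp, a["syns"], a["result"]))
    print(summarize_by_port(attempts))
```

Capture on the server itself with `tcpdump -n -i eth0 port 22` (the `-n` keeps addresses numeric so the lines parse) and feed the output in place of SAMPLE_TRACE. Two caveats a practitioner should keep in mind: the classifier can only see replies that leave through the interface being captured, so if the host sends its SYN-ACK out a different interface or towards a gateway that cannot forward it, the attempt still shows as NO_REPLY, and that label therefore never proves a local DROP rule on its own; and retransmitted SYNs are counted but not timed, so "3 SYNs, NO_REPLY" is the signature of the client giving up.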

Magueta
04-09-2003, 11:48 PM
So it seems that you can access the box from your internal network but not from the external network. If this is the case then perhaps your router isn't forwarding traffic to the box that you're trying to connect to. Also, you should make sure that your firewall isn't running, as suggested above, by using iptables -L or ipchains -L. It is also possible that the ports that you need to be open are closed on the router. You can check the ports quickly by using "nmap <external ip address of router>".

Joe

oblanca
04-10-2003, 02:43 AM
Hi to all who are doing all this to help me! A special thanks to all of you.
Gonna try to reply to all your questions...
First of all, I've got both rpms installed; I checked with rpm -qe and both (ipchains and iptables) are installed, but not running...
'cause I've stopped them using service (iptables/ipchains) stop
Anyway, when I do an ipchains -L, Linux reports an error: Incompatible with this kernel (???)
About managing ports in the router, I've never discarded this idea, but I can start an FTP session if the server is running on a box that is not Linux (i.e. Windows); I've tried VNC successfully on this same Windows machine and it works fine, so I think blocked ports are not the problem (anyway thanks, 'cause it's the first check anyone must do before thinking the problem is in the Linux box... so thanks)
About doing an iptables -L (I can't do ipchains -L due to the error I mentioned above): the ACCEPT, REJECT and DENY options don't have any kind of restriction (is this right? anyway the daemon or service is stopped)
About whether I've got the service running... yes it is, and I've got no problem accessing it from the LAN, as one of you says... Of course I know that root access is not allowed in most cases, but I put this here so you can see the (pam_unix) section in it... 'cause I think that most likely PAM is activated and it's PAM that is blocking all this... gonna try to make some changes in /etc/pam.d/su, for example for the su command... anyway thanks to all of you.... and please, if you have any idea or suggestion... it will be welcome!

thanks all!

(gonna try tcpdump too...)

oblanca
04-10-2003, 02:49 AM
thanks for your contribution Abraham... I've got another sniffer installed on my Linux box.... called iptraf, and it shows connections from the remote machine to port 22 (of course I don't try to log in as root), but the client on the WAN (which works great on the LAN) gives me a timeout, and I can see in the IP frames sent to port 22, 21 or even 23 that they arrive, but none are replied to... (strange... isn't it?)

oblanca
04-10-2003, 08:19 AM
Hi, I've been trying with PAM, but I think this is not the problem... I can do a lot of things, but only in order to authenticate the user.... I can disable any kind of authentication if I want... but I see when sniffing that IP packets arrive at my Linux box, but none is sent back... I now think the problem is some kind of firewall... but iptables is blank and ipchains is not working because my kernel doesn't support it! I've used the -F option to clear all kinds of rules... what the sniffer says is that the client is sending a connect request but no acknowledge packet is sent back... so the IP packet is blocked at some layer of the Unix box... I don't know where...
So please... give me ideas....
Thanks a lot!!!!

Magueta
04-10-2003, 09:59 AM
Perhaps not a firewall; how about your /etc/hosts.deny and your /etc/hosts.allow? If there's no firewall, tcpwrappers will still protect your services from access regardless of the user's login or password. PAM is used purely for authentication purposes, so if PAM were denying you access you would at least get a prompt for your login and password. What you can also try is to check your logs in /var/log to see which connections were rejected and why.

Joe
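The distinction drawn above is worth being precise about: tcp_wrappers decides before any daemon speaks, using `/etc/hosts.allow` and `/etc/hosts.deny` in a fixed order (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise the connection is let through), so an `ALL: ALL` in hosts.allow means hosts.deny is never even consulted. The code below is an added example, not code from the thread or from tcp_wrappers itself: a model of that decision for one connection that supports the common patterns from hosts_access(5) (ALL, LOCAL, exact host or address, leading-dot domain suffix, trailing-dot address prefix, address/netmask and the EXCEPT operator). Shell commands and ALLOW/DENY keywords in a third field are ignored here. THREAD_ALLOW/THREAD_DENY reproduce the files described in the thread; LAN_ALLOW/LAN_DENY are a constructed locked-down pair, and all daemon names, hostnames and addresses in them are assumptions for illustration.

```python
"""Model tcp_wrappers' hosts.allow / hosts.deny decision for one connection."""
import ipaddress

# The thread's own configuration: an unconditional hosts.allow and an empty hosts.deny.
THREAD_ALLOW = "ALL: ALL\n"
THREAD_DENY = "# nothing here\n"

# Constructed locked-down pair: SSH and FTP from the LAN or from a dotless local
# hostname, anything from loopback, everything else refused unless it is in example.com.
LAN_ALLOW = """\
sshd, in.ftpd : 192.168.1. LOCAL
ALL : 127.0.0.1
"""
LAN_DENY = "ALL : ALL EXCEPT .example.com\n"


def parse_rules(text):
    """Return (daemon_list, client_list) for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))  # any third field (options) is ignored
    return rules


def match_client(pattern, host, addr):
    """Match one client pattern against the peer's hostname and IP address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # any hostname without a dot in it
        return "." not in host
    if pattern.startswith("."):       # domain suffix, e.g. ".example.com"
        return host.endswith(pattern)
    if pattern.endswith("."):         # address prefix, e.g. "192.168.1."
        return addr.startswith(pattern)
    if "/" in pattern:                # net/mask, e.g. "192.168.1.0/255.255.255.0"
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, addr)    # exact hostname or address


def match_list(spec, matches_one):
    """Match a comma/space separated list; "a EXCEPT b" means a and not b."""
    tokens = spec.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(" ".join(tokens[:i]), matches_one)
                and not match_list(" ".join(tokens[i + 1:]), matches_one))
    return any(matches_one(t) for t in tokens)


def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Return (decision, rule): rule is the matching (daemons, clients) pair or None."""
    def client(p):
        return match_client(p, host, addr)

    def service(p):
        return p == "ALL" or p == daemon

    for rule in parse_rules(allow_text):
        if match_list(rule[0], service) and match_list(rule[1], client):
            return ("allow", rule)
    for rule in parse_rules(deny_text):
        if match_list(rule[0], service) and match_list(rule[1], client):
            return ("deny", rule)
    return ("allow", None)  # neither file matched: tcp_wrappers lets it through


if __name__ == "__main__":
    print(hosts_access(THREAD_ALLOW, THREAD_DENY, "in.ftpd", "203.0.113.7", "203.0.113.7"))
    print(hosts_access(LAN_ALLOW, LAN_DENY, "sshd", "203.0.113.7", "203.0.113.7"))
    print(hosts_access(LAN_ALLOW, LAN_DENY, "sshd", "192.168.1.20", "192.168.1.20"))
```

Two things the model makes visible. First, a tcp_wrappers refusal is not silent: the daemon (or xinetd) accepts the TCP connection and then closes it, so a client sees a completed handshake followed by a disconnect, never a timeout, and the refusal is logged to syslog. Second, the LAN pair shows why ordering matters: a daemon not named in hosts.allow falls through to `ALL : ALL EXCEPT .example.com` and is refused even from the LAN. The `host` argument is whatever reverse DNS returned for the peer; when lookup fails tcpd uses the address in its place, which is what the examples with `host == addr` model.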

oblanca
04-10-2003, 10:13 AM
Hi Joe, thanks for your time.
hosts.deny is clean (except for comments) and hosts.allow has the line
ALL:ALL
incoming connections are rejected by timeout (as I said, the Linux box doesn't reply to the four connection frames that it receives)
As I said before, setting up an FTP server on a Windows machine works perfectly...
any other idea please!!!!
And thanks to everyone who is contributing or just reading this...
(gonna write a howto after all this...)
Rob

oblanca
04-10-2003, 10:23 AM
if this could help you with something:
when I try to stop the ipchains service it says:
(using /sbin/service ipchains stop)


Flushing all chains: ipchains: Incompatible with this kernel
[FAILED]
Removing user defined chains: ipchains: Incompatible with this kernel
[FAILED]
Resetting built-in chains to the default ACCEPT policy: ipchains: Protocol not available
[FAILED]

It's in Spanish, but I think it's easy to understand except the last line (FALLE = FAIL)

Do you think I must reinstall ipchains with the latest version???

Magueta
04-10-2003, 10:54 AM
If you can access your Linux box from your internal network and you don't have a firewall running, and your /etc/hosts.deny and hosts.allow don't keep you from accessing the system from external addresses, then I don't think the problem is with your Linux box. Check the settings on your router. When you say that you've set up an FTP server on the Windows box, it could be that the router is forwarding traffic to that Windows machine and not to your Linux box.

Joe

oblanca
04-11-2003, 02:22 AM
I think I know what's happening...
Thanks Joe and all the people in this forum who have just read this thread, and especially all of you who have contributed...
I think the problem is that the proxy the Linux box uses doesn't have support for all ports... so it's the proxy that doesn't send the packets out of the LAN... Gonna try to change the TCP properties to go out directly through the gateway the proxy is using and not use any kind of proxy..
Will let you know what happens....
Rob

oblanca
04-11-2003, 07:33 AM
And finally it works!
The reason for no reply was that the Linux box couldn't reply...
I analysed all the tasks involved in a communication except one... the reply...
Until now we were all accessing the LAN through a proxy (so I don't need to copy all the DNS settings onto the Windows and Linux boxes). Unfortunately this proxy was placed on a Windows machine running a freeware distribution that doesn't allow proxying all ports... That was the reason for not connecting to the remote host! Of course the Linux machine can't send the acknowledgement for the connection.... The Windows machine where I tested FTP was the one where I have the proxy!!!
To finish all this... thanks to all of you and... well, my house is your house.... so if someone plans a trip to Spain... don't spend money on hotels!!! (just for contributors!!! :-))

Bye, bye!!!!