Linux: xinetd & web services not available to other comp

fishy101

Senior member
Mar 21, 2000
Just thought I would try this here:

I just installed RedHat 7.1 on a win98 machine in my office's internal network. Everything works fine except all the xinetd services are not available to other computers on the network. I can surf the web, ping any computers inside or outside of the company firewall, and other computers can ping the linux box. I can also telnet into localhost. BUT when I try to telnet/ftp/http/ssh into my linux machine from other computers on my company's network, I get a connection refused error. I have the following network config:


eth0      Link encap:Ethernet  HWaddr 00:C0:4F:41:CE:52
          inet addr:130.154.2.35  Bcast:130.154.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2434 errors:0 dropped:0 overruns:0 frame:0
          TX packets:717 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          Interrupt:11 Base address:0xdc00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Since I can telnet/ftp/ssh/http into localhost, I am assuming it's not a problem with the services, but rather a problem with my network configuration. However, I am puzzled as to why I can ping and be pinged, but the services won't accept outside computers. Any help is appreciated as I am on a deadline. Thanks.

Leon

p.s. Here is a copy of my config file in /etc/xinetd.d/

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
 

fishy101

Senior member
Mar 21, 2000
Hey, thanks for replying so quickly. This place is more alive than I think. :p

I did check hosts.deny. It's blank.
 

n0cmonkey

Elite Member
Jun 10, 2001
Try portscanning the machine. Also, you may want to edit the ip address out of your original post if it is not an internal ip.
 

Agamar

Golden Member
Oct 9, 1999
This may sound bad, but make sure you have the httpd service started. /etc/rc.d/init.d/httpd start/restart/stop
 

fishy101

Senior member
Mar 21, 2000
n0cmonkey:

Thanks for the heads up, the IP listed above is an internal IP. btw, how do I do a portscan?

Agamar:

The services are running fine, it seems, from chkconfig. I can do this, lynx localhost/<comp_name> and get to my homepage.

rawko:

Per your suggestion, I disabled IPCHAINS and IPTABLES (I don't know much about either, but I turned them off w/ chkconfig) but the problem persists. What can I do next to troubleshoot this damn thing?
 

Gantry

Member
Feb 26, 2001
This certainly seems like an issue with your internal firewall (especially since redhat 7.1 which installs one on startup). Even if you disabled it from startup, you need to clear out the firewall rules or else it won't apply until a reboot. The commands to use are:

/sbin/ipchains -L

That will list your current firewall setup

/sbin/ipchains -F

That will flush your firewall setup and allow anything in or out...

Try that and see if it works... Good luck...
 

FFC

Member
Oct 23, 2001
The whole security set-up changed with 7.1 as you have discovered. You need to change your xinetd.conf in /etc to reflect the services you wish to be available.

Firstly I think the config file needs to be in /etc and as you say is called xinetd.conf.

It needs to contain a line pointing at the directory the various service security config files reside in, for example

includedir /etc/xinetd.d

My whole config file looks like this:


------------------------------snip---------------------------------------------------------------------

defaults
{
        instances       = 60
        log_type        = SYSLOG authpriv
        log_on_success  = HOST PID
        log_on_failure  = HOST RECORD
}

service tftp
{
        disable         = no
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        server_args     = -s /data/tftpboot/
}
includedir /etc/xinetd.d

-------------------------------------snip------------------------------------------------------------------------

In the /etc/xinetd.d directory there are files for each service which define its security; my telnet file looks like this:

service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}

I'm a complete novice at this and it took me a couple of hours of hunting the web for answers to get it going. I got my best results searching on google for xinetd.conf.

I hope this helps.




 

fishy101

Senior member
Mar 21, 2000
Gantry, you are my hero! :D It worked after I flushed the ipchain settings. Now why the hell would Redhat have such prohibitive default settings, especially on a server install!? In any case, thanks for everyone's help.
 

Gantry

Member
Feb 26, 2001
I'm guessing since he can use the xinetd services on localhost, the issue isn't in the xinetd configuration. I could be wrong though, but definitely flush those IPCHAINS rules (or better yet, add a rule for the services you want to share)...
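
The alternative to flushing mentioned above (adding a rule for the services you want to share), as an added example that is not part of the original thread. The subnet is taken from the ifconfig output in the first post; the service list and the function names `port_for`, `allow_rules` and `main` are illustrative assumptions.

```shell
#!/bin/sh
# Added example: emit (or apply) ipchains rules that open only chosen TCP
# services to one trusted subnet, instead of flushing the whole rule set.
# Assumption: 130.154.2.0/24 is derived from the addr/Mask in the thread.

TRUSTED_NET="130.154.2.0/24"
IPCHAINS="/sbin/ipchains"

# Map a service name to its well-known TCP port; unknown names fail.
port_for() {
    case "$1" in
        ftp)    echo 21 ;;
        ssh)    echo 22 ;;
        telnet) echo 23 ;;
        http)   echo 80 ;;
        *)      return 1 ;;
    esac
}

# Print one rule per requested service. "-I input 1" inserts at the head of
# the input chain, so the ACCEPT is matched before any later REJECT/DENY
# rule that the installer's firewall placed there.
allow_rules() {
    for svc in "$@"; do
        port=$(port_for "$svc") || { echo "unknown service: $svc" >&2; return 1; }
        echo "$IPCHAINS -I input 1 -p tcp -s $TRUSTED_NET -d 0/0 $port -j ACCEPT"
    done
}

# Dry run by default: review the rules first. APPLY=1 runs them (as root).
# To keep them across reboots on Red Hat, save the live rule set afterwards:
#   /sbin/ipchains-save > /etc/sysconfig/ipchains
main() {
    rules=$(allow_rules "$@") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        echo "$rules" | while read -r cmd; do $cmd; done
    else
        echo "$rules"
    fi
}

# Only act when services were named on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh script.sh ssh http` to print the rules, then compare against `/sbin/ipchains -L` before applying with `APPLY=1`.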
 

Gantry

Member
Feb 26, 2001
Fishy:

Redhat adds firewall services to the default install because of things like the Ramen and lion worms. Too often people end up running a bunch of services that nobody needs because the installation does that for them. Consider how many people had IIS running and didn't know it (still don't according to my apache logs) when the nimda and code red virii came out....

Firewalls can be a pain at times, but they are a good thing...

BTW - The redhat install lets you choose which ports the firewall should leave open...
 

n0cmonkey

Elite Member
Jun 10, 2001


<< Fishy:Redhat adds firewall services to the default install because of things like the Ramen and lion worms. >>



Because they fscked up the first time ;)
 

fishy101

Senior member
Mar 21, 2000
yeah, actually I was just trying to find someone to blame for my stupidity. ;) I shoulda known it's a firewall issue since I can get to the service from inside, but not from outside.

EDIT:

while I got you guys' attentions, let me ask you another question. If I install Redhat on a slave drive initially, can I take that slave drive and use it as a master drive to boot up another machine? I am thinking even if that doesn't work automatically, I should at least be able to do it with a boot disk to mount the disk at boot time. Is that right?
 

n0cmonkey

Elite Member
Jun 10, 2001


<< yeah, actually I was just trying to find someone to blame for my stupidity. ;) I shoulda known it's a firewall issue since I can get to the service from inside, but not from outside. >>



I thought of it too, but I didn't think they would enable a firewall by default...



<< EDIT:

while I got you guys' attentions, let me ask you another question. If I install Redhat on a slave drive initially, can I take that slave drive and use it as a master drive to boot up another machine? I am thinking even if that doesn't work automatically, I should at least be able to do it with a boot disk to mount the disk at boot time. Is that right?
>>



The only change I can think of right off the top of my head is /etc/fstab. All you would have to do is change the mount point configurations around a little bit. Not too hard.