Telnet Restriction Based on IP

Posted on 2001-07-30
Last Modified: 2010-03-18
I am using Redhat Linux 6.2. I want to give telnet access only to my Intranet Users.
How can I deny telnet access from other servers? I think there may be an option to restrict Telnet access based on IP. How can I do it?

Waiting for an early reply.

Question by:bt74

Accepted Solution

jlevie earned 10 total points
ID: 6334395
You can use tcpwrappers to restrict access to specific IPs. The restrictions are implemented by placing lines like:

in.telnetd:   host.domain.tld
in.telnetd:   .domain.tld

in /etc/hosts.allow. The first and second lines allow a specific host access to telnet, the last allows anyone at domain.tld access. For more information see "man hosts.allow".
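The answer shows only hosts.allow. tcpd reads hosts.allow first, then hosts.deny, and allows the connection when neither file matches, so hosts.allow on its own restricts nothing; an intranet-only policy also needs an `ALL: ALL` line in hosts.deny. The files only take effect because Red Hat 6.2 starts telnet through the wrapper (the /etc/inetd.conf line is `telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd`). The script below is an added example, not jlevie's or Red Hat's code: it stages both files and evaluates them offline in the same order tcpd uses, so a rule set can be checked before it is copied to /etc. Assumed values: the intranet is 172.16.0.0/16, written as the net prefix `172.16.`; admin.example.com is a hypothetical named host; and the matcher covers only the ALL, net-prefix, domain-suffix and exact-host forms of hosts_access(5).

```shell
#!/bin/sh
# Added example, not from the thread: stage a default-deny tcp_wrappers
# policy for in.telnetd and evaluate it offline in the order tcpd uses
# (hosts.allow, then hosts.deny, then allow by default).
# Assumptions: intranet = 172.16.0.0/16 (prefix "172.16."), admin.example.com
# is a hypothetical host, $STAGE is a staging directory (copy to /etc later).
STAGE="${STAGE:-/tmp/wrappers.$$}"
mkdir -p "$STAGE"

write_policy() {
    # hosts.allow is read first: a match here grants access and stops.
    cat > "$STAGE/hosts.allow" <<'EOF'
# telnet only from the intranet (net prefix) and one named admin host
in.telnetd: 172.16. admin.example.com
EOF
    # hosts.deny is read second. Without it, everything that hosts.allow
    # does not list is still ALLOWED, so the deny-all line is essential.
    cat > "$STAGE/hosts.deny" <<'EOF'
ALL: ALL
EOF
}

# match_token PATTERN VALUE -> 0 when the pattern matches VALUE
# (subset of hosts_access(5): ALL, "a.b." net prefix, ".dom" suffix, exact)
match_token() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;
        .*)  case "$val" in *"$pat") return 0 ;; esac ;;
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 when some line matches both lists
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    # strip comments; fields are "daemon_list : client_list [: option]"
    sed -e 's/#.*//' "$file" | {
        while IFS=: read -r dlist clist _; do
            for d in $(printf '%s' "$dlist" | tr ',' ' '); do
                match_token "$d" "$daemon" || continue
                for c in $(printf '%s' "$clist" | tr ',' ' '); do
                    match_token "$c" "$client" && exit 0   # leaves the subshell only
                done
            done
        done
        exit 1
    }
}

# wrappers_decision DAEMON CLIENT -> 0 allow, 1 deny
wrappers_decision() {
    if file_matches "$STAGE/hosts.allow" "$1" "$2"; then return 0; fi
    if file_matches "$STAGE/hosts.deny"  "$1" "$2"; then return 1; fi
    return 0   # tcpd's default when neither file matches
}

write_policy
for client in 172.16.3.4 admin.example.com 203.0.113.9; do
    if wrappers_decision in.telnetd "$client"; then v=allow; else v=deny; fi
    echo "in.telnetd from $client: $v"
done
```

On a box with tcp_wrappers installed, `tcpdmatch in.telnetd 203.0.113.9` gives the same verdict for the live /etc files. Prefer address prefixes over `.domain.tld` patterns: a hostname pattern is only as trustworthy as the reverse DNS of the connecting client.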

Expert Comment

ID: 6334715
use rlogin, or much better ssh, instead
rlogin requires in.rlogind (sshd for ssh), then you can define restrictions globally in /etc/hosts.equiv or per user in ~/.rhosts for rlogin, respectively in sshd.conf, ssh.conf and ~/.shosts for ssh

Expert Comment

ID: 6336799

I would do this with ipchains (2.2 kernel series) or iptables (2.4 series) firewalling, i.e. packet filtering. As you have Redhat 6.2 I'll assume you don't have iptables.

If you have no firewalling currently in place you would effectively have the following defaults :

ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

You would do something like this :

ipchains -A input -i eth0 -p tcp -s <lan-net>/<mask> -d <server-ip> 23 -j ACCEPT

(input from interface (-i) eth0 with source address (-s) 172.16.x.x going to destination address/port (-d) <server-ip> 23 -> accept, i.e. allow)

ipchains -A output -i eth0 -p tcp ! -y -s <server-ip> 23 -d <lan-net>/<mask> 1024:65535 -j ACCEPT

(output from port 23 going to destination 172.16.x.x on any port in range 1024:65535 as long as the syn bit (-y) is not (!) set - i.e. not initiating from your box - accept)

ipchains -A input -i eth1 -p tcp -d <server-ip> 23 -j DENY

(input on interface eth1, tcp protocol, going to port 23 - DENY)

In the above examples I've assumed eth0 for your lan, eth1 for your internet connection, <server-ip> as your redhat box, port 23 for telnet (normal unless you changed it), and <lan-net>/<mask> for your lan.

All you would do is add these 'ipchains' lines to the end of your /etc/rc.d/init.d/rc.local startup script, or create a script called something like /etc/rc.d/init.d/rc.firewall and call that from rc.local.

Ssh (Secure Shell) is indeed more secure but I would still firewall it from outside. You would also need your client machines to have a client implementation of ssh which may not be easy if they are windows boxes. Ssh runs on tcp port 22 incidentally and is a little more complex to firewall with ipchains.

To check active rules do the list option:

ipchains -L input
ipchains -L output

Hope this helps, Iain  
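The rules in the comment above as an rc.firewall-style script, added here as an example and not Iain's own script. Assumed values, all overridable from the environment: the LAN on eth0 is 172.16.0.0/16, the Internet is on eth1, and the Red Hat box is 172.16.0.1. With DRY_RUN=1 the ipchains commands are printed instead of executed, so the rule set can be reviewed on a machine without a 2.2 kernel. Beyond the thread's rules it adds -l to the DENY rule so refused attempts show up in the kernel log, and a probe function that uses `ipchains -C` to ask the kernel what verdict a given packet would get.

```shell
#!/bin/sh
# Added example, not from the thread: ipchains (2.2 kernel) telnet policy.
# Assumed values (override via the environment): LAN on eth0 = 172.16.0.0/16,
# Internet on eth1, this host = 172.16.0.1.  DRY_RUN=1 prints the commands.
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-172.16.0.0/16}
HOST_IP=${HOST_IP:-172.16.0.1}

# run ARGS... : execute (or, in DRY_RUN, print) one ipchains command
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

telnet_rules() {
    # telnet requests from the LAN to this host: accept
    run -A input -i "$LAN_IF" -p tcp -s "$LAN_NET" -d "$HOST_IP" 23 -j ACCEPT
    # replies from port 23 back to the LAN, but never a SYN (! -y), so the
    # server side of the rule cannot be used to open connections outward
    run -A output -i "$LAN_IF" -p tcp ! -y -s "$HOST_IP" 23 -d "$LAN_NET" 1024:65535 -j ACCEPT
    # anything for port 23 arriving on the Internet interface: log (-l) and
    # deny.  Matching on the arrival interface means a packet from the
    # Internet with a forged LAN source address is still denied.
    run -A input -i "$WAN_IF" -p tcp -d "$HOST_IP" 23 -l -j DENY
}

# probe IFACE SRC DST : ask the kernel which verdict a telnet SYN from SRC
# on IFACE would get (ipchains -C prints "accepted" or "denied")
probe() {
    run -C input -i "$1" -p tcp -s "$2" 4242 -d "$3" 23
}

# rules_as_text : the rule set as text, for review or for comparing with
# "ipchains -L input -n" on the live box
rules_as_text() {
    ( DRY_RUN=1; telnet_rules )
}

if [ "${DRY_RUN:-0}" = 1 ]; then
    telnet_rules
    probe "$WAN_IF" 203.0.113.9 "$HOST_IP"
fi
```

Run as root with DRY_RUN unset to load the rules; flush first with `ipchains -F input; ipchains -F output` when re-running, because -A appends. The input policy stays ACCEPT, so this restricts telnet only and everything else on eth1 remains reachable: that answers the question as asked but is not a perimeter firewall.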



Expert Comment

ID: 6339972
not bad: ipchains.

BUT keep in mind that this needs a specially compiled kernel.
Also, using a packet filter (ipchains, iptables, etc.) just for restricting some host using telnet is oversized, somehow.
AND ALSO if ipchains is set up correctly you still need to configure telnet and/or ssh.

Expert Comment

ID: 6344771
You can restrict telnet access in your router config with
an access list.

Just a thought.

