bt74

asked on

Telnet Restriction Based on IP

I am using Redhat Linux 6.2. I want to give telnet access only to my Intranet users.
How can I deny telnet access from other servers? I think there may be an option to restrict Telnet access based on IP. How can I do it?

Waiting for an early reply.

 
ASKER CERTIFIED SOLUTION
jlevie

use rlogin, or much better ssh, instead
rlogin requires in.rlogind (sshd for ssh); then you can define restrictions globally in /etc/hosts.equiv or per user in ~/.rhosts for rlogin, respectively in sshd.conf, ssh.conf and ~/.shosts for ssh
ifincham

Hi,

I would do this with ipchains (2.2 kernel series) or iptables (2.4 series) firewalling, i.e. packet filtering. As you have Redhat 6.2 I'll assume you don't have iptables.

If you have no firewalling currently in place you would effectively have the following defaults :

ipchains -P input ACCEPT
ipchains -P output ACCEPT
ipchains -P forward ACCEPT

You would do something like this :

ipchains -A input -i eth0 -p tcp -s 172.16.0.0/16 -d 172.16.1.1 23 -j ACCEPT

(input from interface (-i) eth0 with source address (-s) 172.16.x.x going to destination address /port (-d) 172.16.1.1:23 -> accept, i.e. allow)

ipchains -A output -i eth0 -p tcp ! -y -s 172.16.1.1 23 -d 172.16.0.0/16 1024:65535 -j ACCEPT

(output from 172.16.1.1 port 23 going to destination 172.16.x.x on any port in range 1024:65535 as long as not (!) syn bit set (-y) - i.e. not initiating from your box - accept)

ipchains -A input -i eth1 -p tcp -d 172.16.16.1 23 -j DENY

(input on interface eth1, tcp protocol, going to 172.16.16.1 port 23 - DENY)

In the above examples I've assumed eth0 for your lan, eth1 for your internet connex, 172.16.16.1 as your redhat box, port 23 for telnet (normal unless you changed it), and 172.16.0.0 mask 255.255.0.0 for your lan.

All you would do is add these 'ipchains' lines to the end of your /etc/rc.d/init.d/rc.local startup script, or create a script called something like /etc/rc.d/init.d/rc.firewall and call that from rc.local.

Ssh (Secure Shell) is indeed more secure but I would still firewall it from outside. You would also need your client machines to have a client implementation of ssh which may not be easy if they are windows boxes. Ssh runs on tcp port 22 incidentally and is a little more complex to firewall with ipchains.

To check active rules do the list option:

ipchains -L input
ipchains -L output
etc.

Hope this helps, Iain  
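An rc.firewall-style script that wraps the rule set Iain describes, added here as an example; it is not Iain's script and not part of the original thread. It assumes the same layout as the answer (eth0 for the LAN, eth1 for the internet link, 172.16.0.0/16 as the intranet, 172.16.16.1 as the Red Hat box, port 23) and goes slightly beyond it: the service port is a parameter so the same rules cover sshd on 22, the outside DENY rules carry ipchains' -l flag so refused attempts are logged, and a final catch-all DENY drops the port from any source not explicitly accepted, whatever interface it arrives on. By default (DRY_RUN=1) it only prints the commands, so the set can be reviewed before it is applied with DRY_RUN=0 as root.

```sh
#!/bin/sh
# Added example, not Iain's script: an rc.firewall-style wrapper around the
# ipchains rules from the answer above. The values below are assumptions taken
# from the answer's description of the network; override them from the
# environment, e.g.  LAN_IF=eth2 SVC_PORT=22 DRY_RUN=0 sh rc.firewall
LAN_IF=${LAN_IF:-eth0}              # interface facing the intranet
INET_IF=${INET_IF:-eth1}            # interface facing the internet
LAN_NET=${LAN_NET:-172.16.0.0/16}   # intranet address range
HOST_IP=${HOST_IP:-172.16.16.1}     # this Red Hat box
SVC_PORT=${SVC_PORT:-23}            # 23 = telnet; 22 for sshd
DRY_RUN=${DRY_RUN:-1}               # 1 = print the commands, 0 = apply them

# run_rule: apply one ipchains rule, or print it when DRY_RUN=1 so the whole
# set can be reviewed on a machine without ipchains (or before touching a
# live box). Returns ipchains' exit status when applying.
run_rule() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# service_rules: emit the rules in the order ipchains evaluates them.
# ipchains stops at the first matching rule, so the LAN ACCEPT must come
# before any DENY; the final rule denies the service port from every other
# source and interface, so the policy does not depend on eth1 being the only
# way in from outside.
service_rules() {
    # 1. intranet -> this host on the service port: allow
    run_rule -A input -i "$LAN_IF" -p tcp -s "$LAN_NET" \
        -d "$HOST_IP" "$SVC_PORT" -j ACCEPT
    # 2. replies from the service port back to intranet client ports, but
    #    never a new connection from this box (! -y = SYN bit must not be set)
    run_rule -A output -i "$LAN_IF" -p tcp ! -y -s "$HOST_IP" "$SVC_PORT" \
        -d "$LAN_NET" 1024:65535 -j ACCEPT
    # 3. anything arriving on the internet side for the service port: deny,
    #    and log the packet (-l) so the attempt shows up in the kernel log
    run_rule -A input -i "$INET_IF" -p tcp -d "$HOST_IP" "$SVC_PORT" -l -j DENY
    # 4. catch-all: the service port from any other source or interface
    run_rule -A input -p tcp -d "$HOST_IP" "$SVC_PORT" -l -j DENY
}

# show_rules: the check Iain suggests, with -n so ipchains prints addresses
# numerically instead of doing DNS lookups
show_rules() {
    run_rule -L input -n
    run_rule -L output -n
}

# rule_count: how many rules service_rules emits (always computed in dry-run
# mode, in a subshell so the caller's DRY_RUN is untouched); handy for
# checking a printed rule set is complete before applying it
rule_count() {
    ( DRY_RUN=1; service_rules ) | grep -c .
}

# Usage: sh rc.firewall            (prints the rule set)
#        DRY_RUN=0 sh rc.firewall  (applies it; needs root and ipchains)
service_rules
```

Because the script is sourced or run with DRY_RUN=1 by default, calling it from rc.local as Iain suggests requires DRY_RUN=0 in rc.local's environment; that is deliberate, so that a copy-paste never silently rewrites a live rule set.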

 

 
not bad: ipchains.

BUT keep in mind that this needs a special compiled kernel.
Also, using a packet filter (ipchains, iptables, etc.) just for restricting some host using telnet is oversized, somehow.
AND ALSO if ipchains is setup correctly you still need to configure telnet and/or ssh.
You can restrict telnet access in your router config with an access list.

Just a thought.

Rod
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if still open in seven days.  Please post closing recommendations before that time.

Question(s) below appears to have been abandoned. Your options are:
 
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
https://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  https://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and keep them updated as the collaboration effort continues, to maintain your open and locked questions.  If you are a KnowledgePro user, use the Power Search option to find them.  Anytime you have questions which are LOCKED with a Proposed Answer which does not serve your needs, please reject it and add comments as to why.  In addition, when you do grade the question, if the grade is less than an A, please add a comment as to why.  This helps all involved, as well as future persons who may access this item for help.


**** PLEASE DO NOT AWARD THE POINTS TO ME. *****
 
------------>  EXPERTS:  Please leave your closing recommendations if this item remains inactive another seven (7) days.  If you are interested in the cleanup effort, please click this link https://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed here -> https://www.experts-exchange.com/commspt/Q.20277028.html
 

Moderators will finalize this question if still open in @7 days, by either moving this to the PAQ (Previously Asked Questions) at zero points, deleting it or awarding expert(s) when recommendations are made, or an independent determination can be made.  Expert input is always appreciated to determine the fair outcome.
 
Thank you everyone.
 
Moondancer
Moderator @ Experts Exchange
28 open questions, ZERO courtesy of response to follow up requests, most posted for 10 points (less than the 50 point recommendation for "easy" questions); all very disheartening!

Zero response by Asker nor Expert closing recommendations, therefore this was finalized today by Moondancer - EE Moderator