How to open a port for TELNET in local network

Support for security such as Firewalls and securing linux
danielti
Posts: 7
Joined: 2015/12/03 13:09:44

How to open a port for TELNET in local network

Post by danielti » 2015/12/03 13:34:19

Hi,

First of all, I am not an experienced iptables admin, and I need the computers on my local network to access a remote server on port 5003.
The network has an iptables firewall running on a CentOS box.

Here are the configs :

/etc/sysconfig/iptables

# Completed on Mon Oct 26 10:35:20 2015
# Generated by iptables-save v1.4.7 on Mon Oct 26 10:35:20 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [236:12060]
:OUTPUT ACCEPT [9547:13141729]
-A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
-A INPUT -s 192.168.0.0/24 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4922 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -m state --state INVALID -j DROP
-A FORWARD -i ppp0 -m state --state INVALID -j DROP
-A FORWARD -s 192.168.1.151/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.168.1.151/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 995 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 587 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 7700 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8800 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 8801 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3456 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3050 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3059 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.10.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.10.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.10.1/32 -d 192.168.0.0/24 -p udp -m udp --sport 53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 587 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 25 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 110 -j ACCEPT
-A FORWARD -p tcp -m tcp --sport 587 -j ACCEPT
COMMIT
# Completed on Mon Oct 26 10:35:20 2015

iptables -L :

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  192.168.0.0/24       anywhere
DROP       all  --  172.16.0.0/12        anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4922
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere            state INVALID

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID
ACCEPT     tcp  --  192.168.1.151        anywhere            tcp dpt:http
ACCEPT     tcp  --  192.168.1.151        anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:em7-secom
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:sunwebadmin
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8801
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vat
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:gds_db
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:qsoft
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT     udp  --  192.168.0.0/24       192.168.10.1        udp dpt:domain
ACCEPT     udp  --  192.168.0.0/24       192.168.10.1        udp dpt:domain
ACCEPT     udp  --  192.168.10.1         192.168.0.0/24      udp spt:domain
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:smtp
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:pop3
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:submission
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:submission

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I tried a lot of things that didn't work. Can you help me, please?
I know that TELNET is not good, but in this case it is necessary...

Thanks

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to open a port for TELNET in local network

Post by TrevorH » 2015/12/03 15:13:19

You need to amend iptables on the server that accepts connections on port 5003 not on the one that you are telnetting from. Were those iptables rules from that server or from the client trying to use telnet?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

danielti
Posts: 7
Joined: 2015/12/03 13:09:44

Re: How to open a port for TELNET in local network

Post by danielti » 2015/12/03 15:20:53

I need to configure iptables to allow the users from my network to connect to a remote server on port 5003.
Those listed rules are from the server which is the network firewall.

Thanks

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to open a port for TELNET in local network

Post by TrevorH » 2015/12/03 16:15:42

Then you are not telling us the whole story about your network topology. From one machine that's in the same subnet as another one, nothing will go through a third machine to go from one to the other.

Whoever
Posts: 1361
Joined: 2013/09/06 03:12:10

Re: How to open a port for TELNET in local network

Post by Whoever » 2015/12/03 16:22:05

danielti wrote:I need to configure iptables to allow the users from my network to connect to a remote server on port 5003.
Those listed rules are from the server which is the network firewall.

Thanks

I am sorry if this sounds condescending, but if you don't know how to do this, you have no business administering a firewall that isn't an appliance.

You need to add the following to /etc/sysconfig/iptables

-A FORWARD -p tcp -m tcp --dport 5003 -j ACCEPT

This should be put in the file just before the "COMMIT" line.

danielti
Posts: 7
Joined: 2015/12/03 13:09:44

Re: How to open a port for TELNET in local network

Post by danielti » 2015/12/03 16:32:51

Whoever wrote:
danielti wrote:I need to configure iptables to allow the users from my network to connect to a remote server on port 5003.
Those listed rules are from the server which is the network firewall.

Thanks

I am sorry if this sounds condescending, but if you don't know how to do this, you have no business administering a firewall that isn't an appliance.

You need to add the following to /etc/sysconfig/iptables

-A FORWARD -p tcp -m tcp --dport 5003 -j ACCEPT

This should be put in the file just before the "COMMIT" line.

I tried that before and it didn't work...

danielti
Posts: 7
Joined: 2015/12/03 13:09:44

Re: How to open a port for TELNET in local network

Post by danielti » 2015/12/03 16:34:57

TrevorH wrote:Then you are not telling us the whole story about your network topology. From one machine that's in the same subnet as another one, nothing will go through a third machine to go from one to the other.

I have a local network, 192.168.1.x.
The gateway is 192.168.1.1, where the firewall is.
I want to access a remote server on port 5003 with TELNET from my local network.

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to open a port for TELNET in local network

Post by TrevorH » 2015/12/03 16:41:16

Yes, you need to adjust the rules on the remote server. If you do not then you will not be able to access it. If you have a linux based firewall in between you and them then you need to adjust the rules on that to allow the forwarding of packets on that port - so if that's what those rules were that you posted then you also need one in the FORWARD chain that allows the forwarding of tcp port 5003 packets.

danielti
Posts: 7
Joined: 2015/12/03 13:09:44

Re: How to open a port for TELNET in local network

Post by danielti » 2015/12/03 16:45:10

TrevorH wrote:Yes, you need to adjust the rules on the remote server. If you do not then you will not be able to access it. If you have a linux based firewall inbetween you and them then you need to adjust the rules on that that allow the forwarding of packets on that port - so if that's what those rules were that you posted then you also need one in the FORWARD chain that allows the forwarding of tcp port 5003 packets.

Thanks for the help, but I already knew that.
I tried "-A FORWARD -p tcp -m tcp --dport 5003 -j ACCEPT" in /etc/sysconfig/iptables before, which should work but it is not working.
The remote server is allowing connections. I tested from another network and the connection is OK.

TrevorH
Site Admin
Posts: 33221
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: How to open a port for TELNET in local network

Post by TrevorH » 2015/12/03 17:11:07

Amending that file does nothing unless you restart the iptables service to pick it up. Be aware that doing that while people are using it will be service affecting. You can also run iptables -A FORWARD -p tcp -m tcp --dport 5003 -j ACCEPT to amend the running ruleset without restarting the service.

Whenever you amend iptables rules it is best to use the iptables command directly to affect the running rules. That way if you got it wrong and lock everyone out then you can reboot the machine or restart the service and it will come back up using the old rules from /etc/sysconfig/iptables. Once you've verified that the manually added rules work and do what you expect then you can run service iptables save to save the running rules to /etc/sysconfig/iptables so that they persist over reboots.
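One way to make the edit to /etc/sysconfig/iptables that Whoever and TrevorH describe without ending up with the rule twice in the file (the poster's dump already carries one FORWARD rule twice), as an added example that is not code from the thread. It assumes Python 3, uses a constructed excerpt of the poster's dump as sample input, takes the 192.168.1.0/24 LAN from the poster's later message as the source, and narrows the rule to that subnet instead of the any-source version given above.

```python
"""Insert a FORWARD rule before the *filter COMMIT of an iptables-save dump,
skipping it if an equivalent rule is already present (added example)."""
import shlex

# Constructed excerpt of the poster's /etc/sysconfig/iptables (not the full file).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [236:12060]
:OUTPUT ACCEPT [9547:13141729]
-A INPUT -i lo -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.10.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.10.1/32 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

# Assumption: the LAN is 192.168.1.0/24, so only it may reach port 5003 through the box.
NEW_RULE = "-A FORWARD -s 192.168.1.0/24 -p tcp -m tcp --dport 5003 -j ACCEPT"


def normalize(rule):
    """Token tuple so that spacing differences do not hide duplicate rules."""
    return tuple(shlex.split(rule))


def find_duplicates(dump):
    """Return -A lines that occur more than once (harmless, but a sign of blind appends)."""
    seen, dups = set(), []
    for line in dump.splitlines():
        if line.startswith("-A"):
            key = normalize(line)
            if key in seen and line not in dups:
                dups.append(line)
            seen.add(key)
    return dups


def insert_rule(dump, rule, table="*filter"):
    """Place `rule` just before the COMMIT closing `table`; return the dump unchanged
    if an equivalent rule already exists in that table."""
    lines = dump.splitlines()
    wanted = normalize(rule)
    in_table = False
    for i, line in enumerate(lines):
        if line.startswith("*"):
            in_table = line == table
        elif in_table and line.startswith("-A") and normalize(line) == wanted:
            return dump
        elif in_table and line == "COMMIT":
            lines.insert(i, rule)
            return "\n".join(lines) + "\n"
    raise ValueError("no COMMIT found for table %s" % table)
```

As TrevorH notes, the saved file only takes effect on an iptables service restart; to test the rule first, apply the same rule with the iptables command and run service iptables save once it is confirmed to work.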
