Hey UUG!

I am having trouble getting a box (I'll refer to it as the server) at my house set up as a cvs server. I am pretty sure the problem is the firewall running directly on the box (iptables). It is behind a router so I have traffic on TCP port 2401 being forwarded to it. I am pretty sure we don't need to worry about the router being the problem because I am also forwarding traffic on TCP port 80 to the same box and it is dishing out web pages just fine.


Some background to the server I am having problems with: It has cvs installed. It is running Fedora Core 5 with a minimal number of installed packages. There exists a group called cvs and a user called dmcquay who is a member of the group. The cvs group owns the cvs repository.
=================================================================
$ uname -a
Linux gateway-tablet.app.byu.edu 2.6.17-1.2187_FC5 #1 Mon Sep 11 01:17:06 EDT 2006 i686 athlon i386 GNU/Linux
$ cvs --version
Concurrent Versions System (CVS) 1.11.22 (client/server)
=================================================================


I set up a cvs repository on the server just fine. Then on my laptop I did the following-
=================================================================
$ export CVSROOT=:pserver:[EMAIL PROTECTED]:/var/cvs
$ cvs login
Logging in to :pserver:[EMAIL PROTECTED]:2401/var/cvs
CVS password:
cvs [login aborted]: connect to myserver.mydomain.org(64.20.33.115):2401 failed: Connection refused
=================================================================


Here is some info about the CVS repository I set up-
=================================================================
$ cd /var
$ ll | grep cvs
drwxr-xr-x 3 root cvs 4096 Nov 18 17:00 cvs
$ ll cvs
total 8
drwxrwxr-x 3 root cvs 4096 Nov 18 17:00 CVSROOT
=================================================================


I didn't know why this was failing, so I ran nmap from my laptop and got the following-
=================================================================
$ nmap synchros.dynsns.org -p 2401

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-12-01 09:44 MST
Interesting ports on 64.20.33.4:
PORT STATE SERVICE
2401/tcp closed cvspserver
=================================================================

So I tried to open up port 2401 using the system-config-securitylevel command. Pay special
attention to the Other ports section of the firewall configuration-
=================================================================
$ system-config-securitylevel

┌─────────────────┤ Firewall Configuration - Customize ├─────────────────┐
│ │
│ You can customize your firewall in two ways. First, you can select │
│ to allow all traffic from certain network interfaces. Second, you │
│ can allow certain protocols explicitly through the firewall. Specify │
│ additional ports in the form 'service:protocol', such as 'imap:tcp'. │
│ │
│ Trusted Devices: [ ] eth0 │
│ │
│ MASQUERADE Devices: [ ] eth0 │
│ │
│ [*] SSH [*] Telnet [*] FTP │
│ Allow incoming: [*] WWW (HTTP) [*] Samba [*] Mail (SMTP) │
│ [*] Secure WWW (HTTPS) │
│ Other ports cvspserver:tcp___________ │
│ │
│ ┌────┐ │
│ │ OK │ │
│ └────┘ │
│ │
│ │
└────────────────────────────────────────────────────────────────────────┘

$ /sbin/service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]ntrack_ftp
=================================================================


Then I checked nmap again to see if that opened up the port. Nope. One time I was able to get it to say filtered, but not open, and the CVS login still wouldn't work when the state was filtered. I am guessing it needs to be open-
=================================================================
$ nmap mybox.mydomain.org -p 2401

Starting Nmap 4.00 ( http://www.insecure.org/nmap/ ) at 2006-12-01 09:31 MST
Interesting ports on noptr.cpxserver.com (64.20.49.210):
PORT STATE SERVICE
2401/tcp closed cvspserver
=================================================================


Then I tried doing the cvs login again. This time the response was the same-
=================================================================
$ export CVSROOT=:pserver:[EMAIL PROTECTED]:/var/cvs
$ cvs login
Logging in to :pserver:[EMAIL PROTECTED]:2401/var/cvs
CVS password:
cvs [login aborted]: connect to myserver.mydomain.org(64.20.33.115):2401 failed: Connection refused
=================================================================


I also got some information from IP tables which seems to show that cvspserver should be open just like the others.
=================================================================
$ /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:cvspserver
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere state NEW udp dpt:netbios-dgm
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
=================================================================


It seemed odd to me that nmap sees the port as closed, yet iptables reports it as opened. So, just to rule the router out of the equation, I installed and ran nmap on localhost port 2401
from the server-
=================================================================
$ nmap localhost -p 2401

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-12-01 10:18 MST
Interesting ports on synchros.dyndns.org (127.0.0.1):
PORT STATE SERVICE
2401/tcp closed cvspserver
=================================================================


I just don't know what is going on. I tried messing with iptables on the command line instead of using the system-config-securitylevel command. That didn't fix the problem. Plus, it looks like iptables is reporting that port as open anyway. The problem must be somewhere else. Why can't I get an "open" status for port 2401 in nmap and why can't I do a cvs login?
I'm so confused. Any help would be greatly appreciated.


Thanks in advance,
Dustin McQuay

--------------------
BYU Unix Users Group http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their
author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
