On 09/28/2018 04:04 AM, patrickyu wrote:[color=blue]
hi ab
The purpose is ‘-testing firewalls by ensuring aTCP conection can be
setup-’ from serverA to serverB, both installed Suse Linux 12SP2. Tried
to run telnet on serverA:telnet serverB port# but failed, so I try to[/color]
Telnet is an outdated insecure abomination; it’s there on the system, but
you’re better off using netcat since it does a lot more (telnet client is
just an insecure client similar to rsh or ftp), is binary safe with data,
and can also do what telnet does (there’s a switch to emulate it).
First some assumptions:
I assume you are acting in the role of the OS and network guy, not
necessarily running the desired “service” (listening server process) at
this time. In other words, the boxes are built, the firewalls are in
place, and you want to know that once you have service A on box/server A
running, will client application B on box B be able to access it with all
firewalls current in place?
In order to do that test you need something to listen on the correct port,
as you know, and I am assuming that service is not yet in place. If it is
in place, and listening, then this first part of setting up netcat as a
listener is not needed, but using netcat as the listener is one of my
favorite things for firewall testing because it usually bows app owners’
minds, as they only think about having their specific application in place
for this testing, and of course that’s not true when you are only testing
up through layer four (4) (Transport) of the OSI model.
To make netcat listen on SLES 12 we already know the command:
nc -k -l 12345
Note that I added the ‘-k’ in there so netcat will not immediately stop
listening when the first client disconnects. This may be useful to you so
you can test one client, disconnect, test another, disconnect, etc. It
also means that, to end the server side, you cannot just make one
connection from the client and disconnect, so it is much more service-like
because normally services do not stop when the first client disconnects.
Note that you cannot connect multiple clients at once (in parallel) but
you can do so serially (one after another).
Also note that, unless you use a port lower than 1024, you do not need
‘root’ privileges to do this. SSH in particular uses TCP 22, so if you
are doing SSH stuff, test with sudo (or ‘root’ directly) or you will get
errors when you run the command above:
sudo nc -k -l 12345
Before you go to the client side, you can also verify that the server side
is listening with the ‘ss’ command:
/usr/sbin/ss -plaento | grep :12345
You should see something like this:
LISTEN 0 1 *:12345 *:*
users:(("nc",pid=19871,fd=3)) uid:1000 ino:4411763 sk:5e <->
Note that it shows the process name (‘nc’), the PID (19871), the UID of
the user running it (1000 in my case), and of course the fact it is
LISTENing and on TCP 12345. If you do not see this then nothing else will
work.
Another check you can do is of the host-based (vs. network-based)
firewall, and ‘iptables’ is probably the easiest way to do this, if not
with ‘iptables-save’:
sudo /usr/sbin/iptables -nvL
sudo /usr/sbin/iptables -nvL | grep 12345
sudo /usr/sbin/iptables-save | grep 12345
From this you may get a couple things; if the first command returns very
little, but maybe three (3) blocks each indicating the default policy is
to ACCEPT, then the host-based firewall is wide open (not recommended)
which means it will not interfere with anything. From the second commands
if you get lines that show specific allowances for TCP 12345 then that is
good, meaning your host-based firewall is configured, but it is set to
allow access to TCP 12345. Examples follow:
#wide open firewall:
Chain INPUT (policy ACCEPT 21M packets, 9102M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 23M packets, 9310M bytes)
pkts bytes target prot opt in out source
destination
#Configured firewall lines:
17198 877K LOG tcp -- * * 0.0.0.0/0
0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:12345flags:
0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
109K 128M ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:12345
#or from iptables-save:
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 12345
--tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP "
--log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 12345 -j ACCEPT
If none of this appears on your system, you may have the default firewall
in place which is focused on security first, meaning it will block access
to everything unless you tel it otherwise as any firewall should.
Configure that with ‘/sbin/yast firewall’ to allow access to whatever port
Finally your server side is ready, netcat is listening (or maybe SSH is
directly), and your host-based firewall on that side is setup. At this
point you can test with netcat as a client (not telnet) because netcat is
going to make fewer bad assumptions about your connection, and even has an
option simply to tell you if the TCP connection works or not:
nc -zv server.ip.address.here 12345
If this returns something like this, then you are golden:
Connection to 127.0.0.1 12345 port [tcp/italk] succeeded!
As shown above, you can even do this locally (on the server itself) to
ensure that your netcat listener is working without any host-based or
network-based firewall interference. If so, then any new problems are
firewall issues and you can troubleshoot those without worrying about
applications.
You can also use netcat to send data to the server side by removing the
'‘z’ portion:
nc -v server.ip.address.here 12345
Any lines you type, followed by [Enter], will be sent to the server side,
and you will see them there. Also, because TCP is bidirectional, you can
type on either the server OR client side and have the lines, followed by
[Enter] (a newline), show up on the other side, so this is a cheap/free
way to chat between two systems.
netcat can do a lot more, as it is a very good TCP client, like trasnfer
data of any type (binary data, which telnet cannot do), and that is a
useful trick, e.g. if you want to copy files from here to there, even
non-text files.
[color=blue]
run nc command on serverB to listen a specific port. Client is SSH.[/color]
If your client is SSH, then your service should also be SSH, and I am
surprised you are not just using that on the server side since it is
present by default on SLES and just needs to be turned on.
–
Good luck.
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.
If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.