With all of these layers of protection, understanding an access problem can take some detective work. Here are some steps to follow if your users are having trouble accessing a service on your computer:
1. Make sure the service is installed.
2. Check to see that the service is active.
3. Inspect security-related configuration files for the service.
4. If it is an xinetd service, inspect the /etc/hosts.allow and /etc/hosts.deny files.
5. Check the iptables firewall chains with the iptables -L command.
Checking for an installed service is fairly straightforward; as described in Chapter 10, you check the installation of an RPM package with the rpm -q packagename command.
Remember, it's common to organize services in separate client and server RPM packages. For example, there are separate client and server packages for Telnet, FTP, and SSH.
It's easy to use the scripts in the /etc/rc.d/init.d directory. As discussed in Chapter 13, every service daemon includes a script in this directory, which you can check with the /etc/rc.d/init.d/script status command. Alternatively, you could use the service script status command.
If you're wondering about an xinetd service, check the associated configuration file in the /etc/xinetd.d directory. By default, these services are set with disable = yes, which keeps a service closed.
And don't forget to use a tool such as chkconfig to make sure the service is active the next time you reboot Linux. For example, the following command ensures that httpd is active at runlevels 2, 3, and 5 when Linux starts:
# chkconfig --level 235 httpd on
The syntax for an xinetd service is slightly different, since these services are active at every runlevel where xinetd is active:
# chkconfig swat on
Many services include their own configuration files, which can limit or regulate access. Services such as Apache and Samba can be configured to limit access to different users and computers in their main configuration files. There are also xinetd services such as WU-FTP that have their own security files, such as /etc/ftpaccess. Service-specific security files are described in more detail in the chapters associated with each service.
You've already learned how access can be limited through /etc/hosts.allow and /etc/hosts.deny. Just remember that similar commands can be used to limit access through the /etc/xinetd.d configuration files.
You can configure a firewall during or after the Red Hat Linux installation process. After installation, you can use the lokkit or redhat-config-securitylevel utilities. Each of these Red Hat Linux-specific tools offers default High and Medium security options, which lead to the same iptables chains.
Note: Of course, you can configure your firewall with your own iptables commands, using the techniques described in Chapter 22.
The rules associated with both firewalls block access to your computer for most major TCP/IP ports. For example, to allow access to an Apache server on your computer, either set the appropriate iptables command, as described in Chapter 22, or use lokkit or redhat-config-securitylevel to customize the firewall to accept data to the appropriate TCP/IP port. (In this case, the right port is 80; you can look up different TCP/IP ports in /etc/services.)
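
The five checks above can be run in one pass. The following script is an added example, not code from the book: the function names (xinetd_state, first_verdict, diagnose, sample_rules) are hypothetical, the firewall sample is constructed, and it assumes iptables -L is run with -n so ports print as numbers.

```shell
#!/bin/sh
# Added example: the five access checks for one service, in order.
# Usage (as root): diagnose httpd httpd 80

# Report whether an xinetd.d file leaves the service closed.
# Assumption: a file with no "disable" line counts as enabled.
xinetd_state() {
    awk -F= '
        /^[ \t]*#/ { next }                       # skip commented-out settings
        $1 ~ /^[ \t]*disable[ \t]*$/ { v = $2; gsub(/[ \t]/, "", v) }
        END { print (v == "yes") ? "disabled" : "enabled" }' "$1"
}

# Read "iptables -L -n" output on stdin; print the target of the FIRST rule
# naming TCP destination port $1, or "no-rule". Rule order decides the outcome,
# so a later ACCEPT does not help if a REJECT comes first.
# Simplification: chain policies and user-defined chain jumps are not followed.
first_verdict() {
    awk -v p="dpt:$1" '
        $2 == "tcp" { for (i = 3; i <= NF; i++) if ($i == p) { print $1; found = 1; exit } }
        END { if (!found) print "no-rule" }'
}

# $1 = RPM package, $2 = init script or xinetd service name, $3 = TCP port.
diagnose() {
    rpm -q "$1"                                        # 1. installed?
    if [ -f "/etc/xinetd.d/$2" ]; then                 # 2. active now?
        echo "xinetd: $(xinetd_state "/etc/xinetd.d/$2")"
    else
        service "$2" status
    fi
    chkconfig --list "$2"                              #    active after reboot?
    # 3. service-specific files (e.g. /etc/ftpaccess) must be read by hand.
    grep -n -e "$2" -e ALL /etc/hosts.allow /etc/hosts.deny   # 4. rough match
    echo "firewall: $(iptables -L -n | first_verdict "$3")"   # 5. port verdict
}

# Constructed sample of "iptables -L -n" output (not from a real host).
sample_rules() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80 reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
EOF
}
```

Running sample_rules | first_verdict 80 reports REJECT even though an ACCEPT rule for port 80 exists further down, which is the usual reason a service looks permitted in the chain listing but is still unreachable.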