LinuxQuestions.org

Linux - Networking: [IPTABLES] FTP doesn't work with ls command (https://www.linuxquestions.org/questions/linux-networking-3/%5Biptables%5D-ftp-doesnt-work-with-ls-command-298970/)

narmida 03-07-2005 10:27 PM

[IPTABLES] FTP doesn't work with ls command
 
I have a problem with this script: it makes an FTP connection but doesn't give an ls
(a bit too many FTP rules, btw, but I tried everything).
Another problem is that from the server itself I cannot go to the internet.
SSH works and the emule ports work also.

Also, any comment on this script is welcome.

What I also need to know is whether it is resistant against brute force etc. etc.
Don't want any surprises.

If it works well I'll make more $variables etc. and upload it here for others.

#!/bin/bash

echo Load modules
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp

#---------------------------------------------------------------
# FLUSH ALL
#---------------------------------------------------------------
echo Flush firewall rules
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush
echo Remove all chains
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain
#---------------------------------------------------------------
# DROP ALL (never remove) and don't reject, please
#---------------------------------------------------------------
echo Setting DROP ALL
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
#---------------------------------------------------------------
# Allow local loopback everything needed for X etc...
#---------------------------------------------------------------
echo Local loopback accept all in and out
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Allow DNS queries to be made in and out
#---------------------------------------------------------------
echo Outgoing DNS port 53
/sbin/iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
echo Incoming DNS port 53
/sbin/iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Dont break the connections already running.
#---------------------------------------------------------------
echo Dont break the connections already running.
/sbin/iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Define local trusted network
#---------------------------------------------------------------
echo Allow all from local network
/sbin/iptables -A INPUT -j ACCEPT -p all -s 192.168.5.0/24 -i eth1
/sbin/iptables -A OUTPUT -j ACCEPT -p all -d 192.168.5.0/24 -o eth1
#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
echo Allow routing from local network
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 192.168.5.0/24 -d 0/0 -j MASQUERADE
#/sbin/iptables -A POSTROUTING -t nat -o lo -s 127.0.0.0/8 -d 0/0 -j MASQUERADE
/sbin/iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# In case of DHCP on the WAN side we look for the IP given
# If not DHCP, this is still valid
# also handy for ppp connections
# works only on Linux, not Unix etc.
#---------------------------------------------------------------
echo Locate external ip
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#---------------------------------------------------------------
# log unsolicited tcp udp and icmp packets
#---------------------------------------------------------------
echo log unsolicited tcp udp and icmp packets
/sbin/iptables -A INPUT -i $external_ip -p tcp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-tcp ' --log-level info
/sbin/iptables -A INPUT -i $external_ip -p udp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-udp ' --log-level info
/sbin/iptables -A INPUT -i $external_ip -p icmp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-icmp ' --log-level info
#---------------------------------------------------------------
# Drop pings (should be already)
#---------------------------------------------------------------
echo Drop pings
/sbin/iptables -A INPUT -i $external_ip -p icmp --icmp-type ping -j DROP
#---------------------------------------------------------------
# Allowed ports CUSTOM
#---------------------------------------------------------------

echo allow HTTP
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 80

echo allow HTTPS

/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 443

echo Allow SSH
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 22 -j ACCEPT

echo Allow FTP
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -d $external_ip --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -d $external_ip --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 21 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 21 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 20


#---------------------------------------------------------------
# Allowed forwards CUSTOM
#---------------------------------------------------------------
echo Forward emule ports to .99
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 26187 --sport 1024:65535 -j DNAT --to 192.168.5.99:26187
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 26198 --sport 1024:65535 -j DNAT --to 192.168.5.99:26198
/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.5.99 --dport 26187 --sport 1024:65535 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -o eth1 -d 192.168.5.99 --dport 26198 --sport 1024:65535 -m state --state NEW -j ACCEPT

echo Forward emule ports to .98, 1 point higher than normal ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 26188 --sport 1024:65535 -j DNAT --to 192.168.5.98:26188
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 26199 --sport 1024:65535 -j DNAT --to 192.168.5.98:26199
/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.5.98 --dport 26188 --sport 1024:65535 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -o eth1 -d 192.168.5.98 --dport 26199 --sport 1024:65535 -m state --state NEW -j ACCEPT

#---------------------------------------------------------------
# Allow routing
#---------------------------------------------------------------
# internet routing
/sbin/iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

echo end
echo give list
route
/sbin/iptables -L

lapazzo 03-08-2005 11:45 AM

If you are using a passive ftpd then port ftp-data is not used. When your server is also configured in passive mode, then there shouldn't be anything special in the firewall itself. Just open the ftp port ... and that's it.

Hope it helps
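
The point lapazzo makes (passive FTP needs only the control port plus connection tracking) can be shown concretely against the posted script. The ruleset below is an added example written for this page; it is not narmida's script and not lapazzo's firewall. It keeps what the thread gives (eth0 internet side, eth1 and 192.168.5.0/24 as the LAN, services on 80/443/22/21, the two emule hosts and their ports) and changes three things: `-i`/`-o` get interface names instead of the IP address that `$external_ip` held, so the per-service rules actually match; INPUT gets an ESTABLISHED,RELATED rule, which is what admits the passive data connection that `ip_conntrack_ftp` marks RELATED; and the duplicated eth1 FORWARD rule appears once. The `IPT`, `EXT_IF`, `LAN_IF` and `LAN_NET` variables, the function names and the `-m limit` rates are assumptions of this example. By default it only echoes the rules so it can be read (and checked) without touching a live box.

```shell
#!/bin/sh
# Added example, not narmida's script: stateful iptables ruleset for the
# router in the thread (eth0 = internet, eth1 = 192.168.5.0/24 LAN).
# Fixes versus the posted script:
#   1. -i/-o take an interface NAME; "-i $external_ip" (an IP address) never
#      matched, so the service rules and the box's own outbound rules were dead.
#   2. INPUT had no ESTABLISHED,RELATED rule, so the passive-FTP data
#      connection (RELATED via ip_conntrack_ftp) was dropped and "ls" hung.
#   3. The eth1 FORWARD rule was appended twice.
# Dry run by default (rules are echoed); run as root with IPT=/sbin/iptables
# to apply. Rate limits are assumed values, tune them for your site.
IPT="${IPT:-echo}"
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.5.0/24}"

load_modules() {
    # ip_conntrack_ftp follows PASV/PORT on the control channel and marks the
    # data connection RELATED; ip_nat_ftp rewrites it for masqueraded clients.
    for m in ip_conntrack_ftp iptable_nat ip_nat_ftp; do
        [ "$IPT" = echo ] || modprobe "$m"
    done
}

flush_rules() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

base_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # One stateful rule per chain replaces the per-port ESTABLISHED rules of
    # the original; RELATED is what lets the FTP data connection through.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # The LAN is fully trusted, as in the original.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -j ACCEPT
    # New connections the router itself opens to the internet (DNS, updates).
    $IPT -A OUTPUT -o "$EXT_IF" -m state --state NEW -j ACCEPT
}

service_rules() {
    # Services offered to the internet. FTP is TCP only; port 20 (active-mode
    # data) is admitted by conntrack as RELATED and needs no static rule.
    for p in 80 443 21; do
        $IPT -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # SSH: accept new connections but throttle them, so password guessing is
    # slowed at the packet filter; the real defence is the sshd configuration.
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW \
        -m limit --limit 3/minute --limit-burst 5 -j ACCEPT
    # Log (rate-limited) whatever reaches the end of INPUT from outside;
    # the DROP policy then discards it.
    $IPT -A INPUT -i "$EXT_IF" -m limit --limit 2/minute \
        -j LOG --log-prefix 'firewall-drop ' --log-level info
}

# forward_port PROTO PORT LAN_HOST: DNAT plus the matching FORWARD accept.
forward_port() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$2"
    $IPT -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p "$1" -d "$3" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # The emule forwards from the thread (.99 normal ports, .98 one higher).
    forward_port tcp 26187 192.168.5.99
    forward_port udp 26198 192.168.5.99
    forward_port tcp 26188 192.168.5.98
    forward_port udp 26199 192.168.5.98
}

firewall() {
    load_modules
    flush_rules
    base_rules
    service_rules
    nat_rules
    [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

firewall
```

Run it as-is to read the rule list; `IPT=/sbin/iptables sh firewall.sh` applies it. With a passive-mode daemon the client opens the data connection to a high port on the server; once `ip_conntrack_ftp` has seen the PASV reply that connection is RELATED and the single INPUT rule admits it, so no port-20 rule is needed in either direction. If conntrack cannot follow the control channel (FTP over TLS hides the PASV reply), give the daemon a fixed passive port range and open that range explicitly instead. On the brute-force question from the first post: a packet filter only sees connection rates, so the `-m limit` rule slows guessing but cannot stop it; that protection belongs in sshd and the FTP daemon (key authentication, no root login, as few accounts as possible).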

narmida 03-09-2005 12:54 AM

Hmmm, I'm using passive FTP but only with port 20 open it doesn't work.
Maybe the MASQ is the problem.

lapazzo 03-11-2005 12:51 PM

Give me an email or ICQ 29382263 ... I'll give you my firewall.
