[IPTABLES] FTP doesnt work with ls command
I have a problem with this script it makes a ftp connection but doesnt give a ls
(bit to much ftp rules btw but i tried everything)
another problem is that from the server itself i cannot go to the internet
ssh work and the emule ports work also
also any comment on this script is welcome
what i also need to know is it ressistent agains brute force etc etc
dont want any supprises
if it works good ill make more $variables etc i will upload it to here for others
#!/bin/bash
echo Load modules
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
#---------------------------------------------------------------
# FLUSH ALL
#---------------------------------------------------------------
echo Flush firewall rules
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush
echo Remove all chains
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain
#---------------------------------------------------------------
# DROP ALL (never remove) and dont reject plz
#---------------------------------------------------------------
echo Setting DROP ALL
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
#---------------------------------------------------------------
# Allow local loopback everything needed for X etc...
#---------------------------------------------------------------
echo Local loopback accept all in and out
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Allow DNS queries to be made in and out
#---------------------------------------------------------------
echo Outgoing DNS port 53
/sbin/iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
echo Incoming DNS port 53
/sbin/iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Dont break the connections already running.
#---------------------------------------------------------------
echo Dont break the connections already running.
/sbin/iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Define local trusted network
#---------------------------------------------------------------
echo Allow all from local network
/sbin/iptables -A INPUT -j ACCEPT -p all -s 192.168.5.0/24 -i eth1
/sbin/iptables -A OUTPUT -j ACCEPT -p all -d 192.168.5.0/24 -o eth1
#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
echo Allow routing from local network
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 192.168.5.0/24 -d 0/0 -j MASQUERADE
#/sbin/iptables -A POSTROUTING -t nat -o lo -s 127.0.0.0/8 -d 0/0 -j MASQUERADE
/sbin/iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Incase of DHCP on the WAN side we look for the IP given
# If not DHCP still this is valid
# also handy for ppp connections
# works only on linux not unix etc
#---------------------------------------------------------------
echo Locate external ip
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#---------------------------------------------------------------
# log unsolicited tcp udp and icmp packets
#---------------------------------------------------------------
echo log unsolicited tcp udp and icmp packets
/sbin/iptables -A INPUT -i $external_ip -p tcp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-tcp ' --log-level info
/sbin/iptables -A INPUT -i $external_ip -p udp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-udp ' --log-level info
/sbin/iptables -A INPUT -i $external_ip -p icmp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-icmp ' --log-level info
#---------------------------------------------------------------
# Drop pings (should be already)
#---------------------------------------------------------------
echo Drop pings
/sbin/iptables -A INPUT -i $external_ip -p icmp --icmp-type ping -j DROP
#---------------------------------------------------------------
# Allowed ports CUSTOM
#---------------------------------------------------------------
echo allow HTTP
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 80
echo allow HTTPS
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 443
echo Allow SSH
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 22 -j ACCEPT
echo Allow FTP
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -d $external_ip --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -d $external_ip --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 21 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 21 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 20
#---------------------------------------------------------------
# Allowed forwards CUSTOM
#---------------------------------------------------------------
echo Forward emule ports to .99
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 26187 --sport 1024:65535 -j DNAT --to 192.168.5.99:26187
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 26198 --sport 1024:65535 -j DNAT --to 192.168.5.99:26198
/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.5.99 --dport 26187 --sport 1024:65535 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -o eth1 -d 192.168.5.99 --dport 26198 --sport 1024:65535 -m state --state NEW -j ACCEPT
echo Forward emule ports to .98 1 point higer then normal ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 26188 --sport 1024:65535 -j DNAT --to 192.168.5.98:26188
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 26199 --sport 1024:65535 -j DNAT --to 192.168.5.98:26199
/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.5.98 --dport 26188 --sport 1024:65535 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -o eth1 -d 192.168.5.98 --dport 26199 --sport 1024:65535 -m state --state NEW -j ACCEPT
#---------------------------------------------------------------
# Allow routing
#---------------------------------------------------------------
# internet routing
/sbin/iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
echo end
echo give list
route
/sbin/iptables -L
Last edited by narmida; 03-07-2005 at 10:30 PM.
|