I have a problem with this script it makes a ftp connection but doesnt give a ls
(bit to much ftp rules btw but i tried everything)
another problem is that from the server itself i cannot go to the internet
ssh work and the emule ports work also

also any comment on this script is welcome

what i also need to know is it ressistent agains brute force etc etc
dont want any supprises

if it works good ill make more $variables etc i will upload it to here for others




#!/bin/bash

echo Load modules
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp

#---------------------------------------------------------------
# FLUSH ALL
#---------------------------------------------------------------
echo Flush firewall rules
/sbin/iptables --flush
/sbin/iptables -t nat --flush
/sbin/iptables -t mangle --flush
echo Remove all chains
/sbin/iptables --delete-chain
/sbin/iptables -t nat --delete-chain
/sbin/iptables -t mangle --delete-chain
#---------------------------------------------------------------
# DROP ALL (never remove) and dont reject plz
#---------------------------------------------------------------
echo Setting DROP ALL
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
#---------------------------------------------------------------
# Allow local loopback everything needed for X etc...
#---------------------------------------------------------------
echo Local loopback accept all in and out
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Allow DNS queries to be made in and out
#---------------------------------------------------------------
echo Outgoing DNS port 53
/sbin/iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
echo Incoming DNS port 53
/sbin/iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Dont break the connections already running.
#---------------------------------------------------------------
echo Dont break the connections already running.
/sbin/iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Define local trusted network
#---------------------------------------------------------------
echo Allow all from local network
/sbin/iptables -A INPUT -j ACCEPT -p all -s 192.168.5.0/24 -i eth1
/sbin/iptables -A OUTPUT -j ACCEPT -p all -d 192.168.5.0/24 -o eth1
#---------------------------------------------------------------
# Allow masquerading
# - Interface eth0 is the internet interface
# - Interface eth1 is the private network interface
#---------------------------------------------------------------
echo Allow routing from local network
/sbin/iptables -A POSTROUTING -t nat -o eth0 -s 192.168.5.0/24 -d 0/0 -j MASQUERADE
#/sbin/iptables -A POSTROUTING -t nat -o lo -s 127.0.0.0/8 -d 0/0 -j MASQUERADE
/sbin/iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Incase of DHCP on the WAN side we look for the IP given
# If not DHCP still this is valid
# also handy for ppp connections
# works only on linux not unix etc
#---------------------------------------------------------------
echo Locate external ip
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
#---------------------------------------------------------------
# log unsolicited tcp udp and icmp packets
#---------------------------------------------------------------
echo log unsolicited tcp udp and icmp packets
/sbin/iptables -A INPUT -i $external_ip -p tcp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-tcp ' --log-level info
/sbin/iptables -A INPUT -i $external_ip -p udp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-udp ' --log-level info
/sbin/iptables -A INPUT -i $external_ip -p icmp -j LOG -m limit --limit 2/minute --log-prefix 'firewall-icmp ' --log-level info
#---------------------------------------------------------------
# Drop pings (should be already)
#---------------------------------------------------------------
echo Drop pings
/sbin/iptables -A INPUT -i $external_ip -p icmp --icmp-type ping -j DROP
#---------------------------------------------------------------
# Allowed ports CUSTOM
#---------------------------------------------------------------

echo allow HTTP
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 80

echo allow HTTPS

/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 443

echo Allow SSH
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 22 -j ACCEPT

echo Allow FTP
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -d $external_ip --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth0 -d $external_ip --dport 20 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -d $external_ip --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 21 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 21 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -d $external_ip -m state --state ESTABLISHED -m multiport --dport 20 -j ACCEPT
/sbin/iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $external_ip -p tcp -m multiport --dport 20


#---------------------------------------------------------------
# Allowed forwards CUSTOM
#---------------------------------------------------------------
echo Forward emule ports to .99
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 26187 --sport 1024:65535 -j DNAT --to 192.168.5.99:26187
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 26198 --sport 1024:65535 -j DNAT --to 192.168.5.99:26198
/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.5.99 --dport 26187 --sport 1024:65535 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -o eth1 -d 192.168.5.99 --dport 26198 --sport 1024:65535 -m state --state NEW -j ACCEPT

echo Forward emule ports to .98 1 point higer then normal ports
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 26188 --sport 1024:65535 -j DNAT --to 192.168.5.98:26188
/sbin/iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 26199 --sport 1024:65535 -j DNAT --to 192.168.5.98:26199
/sbin/iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.5.98 --dport 26188 --sport 1024:65535 -m state --state NEW -j ACCEPT
/sbin/iptables -A FORWARD -p udp -i eth0 -o eth1 -d 192.168.5.98 --dport 26199 --sport 1024:65535 -m state --state NEW -j ACCEPT

#---------------------------------------------------------------
# Allow routing
#---------------------------------------------------------------
# internet routing
/sbin/iptables -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

echo end
echo give list
route
/sbin/iptables -L

if you are using passive ftpd then port ftp-data is not used. when your server is also configured in passive mode, then there shouldn't be anything special in the firewall itself. just open the ftp port ... and that's it.

hope it helps

hmmm im using passive ftp but only with port 20 open it doest work.
maybe the MASQ is the problem

give me an email or icq 29382263 ... i'll give you my firewall.