LinuxQuestions.org


felix001 02-04-2011 08:26 AM

Iptables with Proxy
 
I'm trying to set up IPTables on an FTP proxy.
The FTP Proxy port is 2100.

So far I've used the following config.
Code:

IPTABLES=/sbin/iptables

$IPTABLES --flush

$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP                                                            -j LOG --log-level 6
$IPTABLES -A LOGDROP                                                            -j DROP

$IPTABLES -A INPUT  -m state --state ESTABLISHED,RELATED                  -j ACCEPT
$IPTABLES -A INPUT  -m state --state NEW -m tcp -p tcp -s [Client IP] --dport 2100 -j ACCEPT
$IPTABLES -A INPUT  -i lo                                                -j ACCEPT
$IPTABLES -A INPUT                                                        -j LOGDROP

$IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED                -j ACCEPT
$IPTABLES -A OUTPUT -m tcp -p tcp    -d [FTP Server]    --dport 21      -j ACCEPT
$IPTABLES -A OUTPUT -o lo                                                -j ACCEPT
$IPTABLES -A OUTPUT                                                      -j LOGDROP

$IPTABLES --policy INPUT DROP
$IPTABLES --policy OUTPUT DROP

I've added the following modules

Code:

  modprobe ip_conntrack
  modprobe ip_conntrack_ftp
  modprobe ip_conntrack_ftp ports=2100,21

Looking at the logs it appears that the data channel is being blocked on the way out of the outbound interface. From this it appears that port 21 isn't being picked up from the ftp port modprobe.

Anyone have any ideas?

furface 02-04-2011 11:29 AM

It seems to me that the following should be INPUT and not OUTPUT since your output to the true ftp server is controlled by your proxy server.

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

felix001 02-05-2011 04:23 AM

I think that INPUT line you mention is fine.

The FTP connection into the proxy is working; it's the ftp connection out from the proxy that iptables isn't recognising.
iptables allows the port 21 connection out but then denies the data channel when it tries to connect to the ftp server.
This is what I expected the "modprobe ip_conntrack_ftp ports=2100,21" to address. From this it appears it is only doing ftp tracking for 1 port....
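An added example, not code from the thread: a small sh script that checks the FTP helper's live port list in sysfs (a second modprobe of an already loaded module does not change its parameters), reloads the module when the list does not match, and attaches the helper explicitly with the raw-table CT target so that only the proxy's own control connections are parsed by it. The module name nf_conntrack_ftp, the CT target and helper match, and the server address 192.0.2.10 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: the helper module is named
# nf_conntrack_ftp, the kernel has the CT target and the helper match, and
# 192.0.2.10 stands in for the real FTP server.
# Sysfs shows the parameters the module was actually loaded with; running
# modprobe again on a loaded module leaves them unchanged.
PORTS_FILE=/sys/module/nf_conntrack_ftp/parameters/ports

# helper_ports_ok FILE PORT... : succeed if every PORT is listed in FILE
# (a comma-separated list, order does not matter).
helper_ports_ok() {
    file=$1; shift
    [ -r "$file" ] || return 1
    have=$(tr -d '[:space:]' < "$file")
    for p in "$@"; do
        case ",$have," in
            *",$p,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# load_ftp_helper PORT... : (re)load the module until its port list matches.
load_ftp_helper() {
    helper_ports_ok "$PORTS_FILE" "$@" && return 0
    modprobe -r nf_conntrack_ftp 2>/dev/null || true
    modprobe nf_conntrack_ftp ports=$(printf '%s,' "$@" | sed 's/,$//')
    helper_ports_ok "$PORTS_FILE" "$@"
}

# ftp_rules SERVER : print the rules; pipe the output into sh to apply them.
# With ports=2100,21 the kernel names the helpers "ftp-2100" and "ftp".
# Assigning them in the raw table means only these control connections are
# parsed by the helper; everything else gets no helper at all.
ftp_rules() {
    srv=$1
    cat <<EOF
iptables -t raw -A PREROUTING -p tcp --dport 2100 -j CT --helper ftp-2100
iptables -t raw -A OUTPUT -p tcp -d $srv --dport 21 -j CT --helper ftp
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -d $srv --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
EOF
}
```

Typical use as root is `load_ftp_helper 2100 21 && ftp_rules 192.0.2.10 | sh`; the RELATED rule is what lets the proxy's data channel out once the helper has seen the PORT/PASV exchange on the port 21 control connection.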

