LinuxQuestions.org

Thread: ssh and ftp server not accessible (http://www.linuxquestions.org/questions/linux-networking-3/ssh-and-ftp-server-not-accessible-15380/)

bbenz3 03-01-2002 08:33 PM

ssh and ftp server not accessible
 
I am having a really hard time figuring out what I am doing wrong.
My script is really large so here is part of it:

# internet
INET_IFACE1="eth1"
# take the address out of the "inet addr:x.x.x.x" field of ifconfig output
INET_IP1=$(ifconfig "$INET_IFACE1" | grep "inet addr:" | awk -F: '{print $2}' | cut -d' ' -f1)
#echo "eth1 IP is $INET_IP1"
INET_IFACE2="eth2"
INET_IP2=$(ifconfig "$INET_IFACE2" | grep "inet addr:" | awk -F: '{print $2}' | cut -d' ' -f1)
#echo "eth2 ip is $INET_IP2"
# internal
LAN_IP="192.168.168.1"
LAN_IFACE="eth0"
LAN_SUB="192.168.168/24"
# MASQ for eth1 to outside
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $INET_IP1
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -p igmp -j DROP
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 8080 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 8
#echo "Priority delay set for DNS"
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
# drop nasty flags:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "BAD FLAG !! L1"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "BAD FLAG !! L2"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "BAD FLAG !! L3"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "BAD FLAG !! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "BAD FLAG !! L5"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood stuff
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-level info --log-prefix "SYN Flood stopped"
iptables -A syn-flood -j DROP
# Drop Private
#iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L1"
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L2"
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 6000 -j LOG --log-level info --log-prefix "PRIVATE X PORT"
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1:1024 -j DROP
#iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 1:1024 -j DROP
#iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 6000 -j DROP
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 6000 -j DROP
# SYN dropped
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "SYN DROPPED"
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j DROP
# spoofing protection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth1 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -t nat -A PREROUTING -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 255.255.255.255 -j LOG --log-level info --log-prefix "FAKE CLASS E"
iptables -A INPUT -i eth1 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE LOCAL 127"
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth1 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth1 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth1 -f -j LOG --log-level info --log-prefix "PACKET FRAGMENTED"
iptables -A INPUT -i eth1 -f -j DROP
# The weakest link: ftp control channel. This rule is inserted at the top of
# INPUT and matches on source port only, so any outside host that uses source
# port 21 can open NEW connections to any local port; adding a --dport match or
# allowing only ESTABLISHED,RELATED here would close that hole.
iptables -I INPUT -i eth1 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active FTP data channel (RELATED only works with the ip_conntrack_ftp helper loaded)
iptables -I INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS replies; $DNS1 and $DNS2 are set in the part of the script not shown here
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS1 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS2 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
#iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 192.168.168.10 --dport 1023:65535 -j ACCEPT
# ICMP
iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
# Deny ICMP types inbound
iptables -A INPUT -i eth1 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level info --log-prefix "PING REQUEST"
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type timestamp-reply -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type address-mask-request -j DROP
# full access to eth0 nic
iptables -A INPUT -p ALL -i eth0 -s $LAN_SUB -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_SUB -j ACCEPT
iptables -A FORWARD -i eth0 -d 0/0 -p all -j ACCEPT
# routing IPs from int to ext
iptables -t nat -I POSTROUTING -p all -d 0/0 -s 192.168.168.10 -j SNAT --to-source $INET_IP1
iptables -t nat -I POSTROUTING -p all -d 0/0 -s 192.168.168.11 -j SNAT --to-source $INET_IP1
iptables -t nat -I POSTROUTING -p all -d 0/0 -s 192.168.168.20 -j SNAT --to-source $INET_IP2
iptables -t nat -A POSTROUTING -p all -d 0/0 -s 0/0 -j SNAT --to-source $INET_IP2

The first part is for eth1 and I have an exact copy written for eth2. I can use ftp sites on the external world but not the one on my computer. I can't use ssh to log into the router box from the int lan either. I know it has something to do with this script but don't know what exactly it is.

bbenz3 03-04-2002 06:53 PM

I want to be able to use ssh only from the int lan. I want to be able to use an ftp server from a computer on the int lan on a different port than 21 for security reasons. If anyone has any suggestions please help.
Thanks in advance.
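The two requirements in the post above (ssh only from the internal LAN, an ftp server on a port other than 21 reachable only from the LAN) written as explicit, interface-bound rules. This is an added example, not the poster's script: the LAN subnet is spelled out as 192.168.168.0/24, the ftp port 2121 and the passive range 50000:50100 are assumed, and by default the commands are only printed (set IPT=iptables to apply them).

```shell
#!/bin/sh
# Added example. IPT defaults to a dry run that prints each rule for review.
IPT=${IPT:-"echo iptables"}
LAN_IFACE="eth0"
LAN_SUB="192.168.168.0/24"     # the poster's LAN, written out in full
INET_IFACE="eth1"
SSH_PORT=22
FTP_PORT=2121                  # assumed: the "different port than 21"
FTP_PASV="50000:50100"         # assumed passive data range; must match the ftpd config

lan_only_service() {
    # $1 = tcp port. Accept NEW connections only when they arrive on the LAN
    # interface from a LAN source address, and log+drop the same port on the
    # internet interface so no later rule can open it by accident.
    $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_SUB" -p tcp --dport "$1" \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$INET_IFACE" -p tcp --dport "$1" \
         -j LOG --log-level info --log-prefix "EXT ACCESS $1 "
    $IPT -A INPUT -i "$INET_IFACE" -p tcp --dport "$1" -j DROP
}

lan_only_ftp() {
    # Control channel on the custom port plus the passive data range. The
    # ip_conntrack_ftp helper only watches port 21 unless loaded with ports=,
    # so the passive range is opened explicitly instead of relying on RELATED.
    lan_only_service "$FTP_PORT"
    $IPT -A INPUT -i "$LAN_IFACE" -s "$LAN_SUB" -p tcp --dport "$FTP_PASV" \
         -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Replies to connections the box itself accepted or initiated.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
lan_only_service "$SSH_PORT"
lan_only_ftp
```

Run it with IPT=iptables after the box's existing rules have been loaded; the eth1 DROP lines are there so the port stays closed to the outside even if a broad rule is added later.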

