LinuxQuestions.org
Linux - Networking
Old 03-01-2002, 08:33 PM   #1
bbenz3
ssh and ftp server not accessible


I am having a really hard time figuring out what I am doing wrong.
My script is really large, so here is part of it:

# internet
INET_IFACE1="eth1"
INET_IP1=`ifconfig $INET_IFACE1 | grep "inet addr:" | \awk -F: {'print $2'} | cut -d\ -f 1`
#echo "eth1 IP is $INET_IP1"
INET_IFACE2="eth2"
INET_IP2=`ifconfig $INET_IFACE2 | grep "inet addr:" | \awk -F: {'print $2'} | cut -d\ -f 1`
#echo "eth2 ip is $INET_IP2"
# internal
LAN_IP="192.168.168.1"
LAN_IFACE="eth0"
LAN_SUB="192.168.168/24"
# MASQ for eth1 to outside
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $INET_IP1
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -p igmp -j DROP
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 8080 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 8
#echo "Priority delay set for DNS"
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
# drop nasty flags:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "BAD FLAG !! L1"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "BAD FLAG !! L2"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "BAD FLAG !! L3"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "BAD FLAG !! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "BAD FLAG !! L5"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood stuff
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-level info --log-prefix "SYN Flood stopped"
iptables -A syn-flood -j DROP
# Drop Private
#iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L1"
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L2"
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 6000 -j LOG --log-level info --log-prefix "PRIVATE X PORT"
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1:1024 -j DROP
#iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 1:1024 -j DROP
#iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 6000 -j DROP
#iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 6000 -j DROP
# SYN dropped
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "SYN DROPPED"
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j DROP
# spoofing protection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth1 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -t nat -A PREROUTING -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 255.255.255.255 -j LOG --log-level info --log-prefix "FAKE CLASS E"
iptables -A INPUT -i eth1 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE LOCAL 127"
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth1 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth1 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth1 -f -j LOG --log-level info --log-prefix "PACKET FRAGMENTED"
iptables -A INPUT -i eth1 -f -j DROP
# The weakest link
iptables -I INPUT -i eth1 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active FTP
iptables -I INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS1 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS2 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
#iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 192.168.168.10 --dport 1023:65535 -j ACCEPT
# ICMP
iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
# Deny ICMP types inbound
iptables -A INPUT -i eth1 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level info --log-prefix "PING REQUEST"
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type timestamp-reply -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type address-mask-request -j DROP
# full access to eth0 nic
iptables -A INPUT -p ALL -i eth0 -s $LAN_SUB -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_SUB -j ACCEPT
iptables -A FORWARD -i eth0 -d 0/0 -p all -j ACCEPT
# routing IPs from int to ext
iptables -t nat -I POSTROUTING -p all -d 0/0 -s 192.168.168.10 -j SNAT --to-source $INET_IP1
iptables -t nat -I POSTROUTING -p all -d 0/0 -s 192.168.168.11 -j SNAT --to-source $INET_IP1
iptables -t nat -I POSTROUTING -p all -d 0/0 -s 192.168.168.20 -j SNAT --to-source $INET_IP2
iptables -t nat -A POSTROUTING -p all -d 0/0 -s 0/0 -j SNAT --to-source $INET_IP2

The first part is for eth1 and I have an exact copy written for eth2. I can use ftp sites on the external world but not the one on my computer. I can't use ssh to log into the router box from the int lan either. I know it has something to do with this script but don't know what exactly it is.
 
Old 03-04-2002, 06:53 PM   #2
bbenz3
I want to be able to use ssh only from the int lan. I want to be able to use an ftp server from a computer on the int lan on a different port than 21 for security reasons. If anyone has any suggestions please help.
Thanks in advance.
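An added example, not part of this thread and not bbenz3's script: a stateful rewrite of the INPUT and FORWARD parts of the posted ruleset that does what post #2 asks for (SSH only from the internal LAN, an FTP server on a non-standard port reachable only from the LAN). Reading the posted rules, four things stand out that this version changes. The only rules letting FTP traffic in on eth1 are the `--sport 21` and `--sport 20` accepts, which is the client side of FTP; nothing accepts a NEW connection to a server port, so the local FTP server is unreachable, while the `--sport 21 ... --state NEW,ESTABLISHED` accept admits any remote host that binds its client socket to port 21. `iptables -A FORWARD -i eth1 -j ACCEPT` forwards anything arriving from the Internet side with no state check. There is no general `ESTABLISHED,RELATED` accept on INPUT, so every permitted service needs its own reply rule. And `LAN_SUB="192.168.168/24"` is not read by iptables as 192.168.168.0/24: its own parser wants four octets, and a three-part string that falls through to the resolver is either rejected or, with inet_aton-style parsing, taken as 192.168.0.168, so the eth0 rule meant to admit the LAN does not match it, which would account for SSH from the LAN being dropped by the INPUT policy (check what was actually installed with `iptables -nvL INPUT`). Interface names, the 192.168.168.0/24 LAN, SSH on 22 and FTP on 2121 are assumptions; `-m state` is used to match the era of the thread.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateful rewrite of the INPUT and
# FORWARD handling from the thread.  eth0/eth1/eth2, the 192.168.168.0/24 LAN
# and the FTP control port 2121 are assumptions.
#
#   sh rules.sh show      print the rules without touching the kernel
#   sh rules.sh install   install them (needs root)

LAN_IFACE="eth0"
INET_IFACE1="eth1"
INET_IFACE2="eth2"
# Full dotted quad.  The "192.168.168/24" shorthand in the posted script is not
# read as 192.168.168.0/24 by iptables, so the LAN rule built from it never
# matches LAN traffic and the INPUT DROP policy eats SSH from the LAN.
LAN_SUB="192.168.168.0/24"
SSH_PORT=22
FTP_PORT=2121   # assumed non-standard port for the LAN-only FTP server

# Every rule goes through here; DRY_RUN=1 prints instead of installing.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT

    # One stateful rule replaces every "--sport 21/20/53 ... ACCEPT" in the
    # posted script.  Accepting NEW connections by *source* port, as its
    # "--sport 21 -m state --state NEW,ESTABLISHED" rule does, lets any remote
    # host through by binding its client socket to port 21.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Anti-spoofing: nothing claiming a LAN source may arrive on an uplink.
    for inet in "$INET_IFACE1" "$INET_IFACE2"; do
        ipt -A INPUT -i "$inet" -s "$LAN_SUB" -j DROP
        ipt -A FORWARD -i "$inet" -s "$LAN_SUB" -j DROP
    done

    # SSH and the FTP server: NEW connections only from the LAN interface and
    # LAN subnet.  No such rule on the uplinks, so neither is reachable from
    # outside.
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_SUB" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN_IFACE" -s "$LAN_SUB" -p tcp --dport "$FTP_PORT" \
        -m state --state NEW -j ACCEPT

    # FTP data connections (PORT/PASV) are only RELATED if the conntrack FTP
    # helper watches the control channel; on a non-standard port it must be
    # attached explicitly (kernels >= 4.7 no longer auto-assign helpers).
    ipt -t raw -A PREROUTING -i "$LAN_IFACE" -p tcp --dport "$FTP_PORT" \
        -j CT --helper ftp

    # Forwarding: the LAN may open connections out; from the uplinks only
    # replies come back.  The posted "-A FORWARD -i eth1 -j ACCEPT" admitted
    # anything the upstream router was willing to deliver.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IFACE" -s "$LAN_SUB" -m state --state NEW -j ACCEPT
}

# Review check: print any generated rule that accepts NEW connections because
# of a source port.  Empty output is the expected result.
audit_sport_accepts() {
    ( DRY_RUN=1; build_rules ) | grep -E -- '--sport [0-9]+.*NEW.*ACCEPT' || true
}

case "${1:-}" in
    show)    DRY_RUN=1; build_rules ;;
    install) DRY_RUN=0; build_rules ;;
esac
```

`sh rules.sh show` prints the rules for review and `audit_sport_accepts` confirms none of them accepts a NEW connection on the strength of a source port; `sh rules.sh install` as root installs them. The FTP helper module has to be loaded (`nf_conntrack_ftp` today; `ip_conntrack_ftp` on the 2.4 kernels of 2002, which have no `-j CT`, so there drop that rule and pass `ports=21,2121` to the module instead). Passive-mode data connections to the server then arrive as RELATED and are admitted by the single ESTABLISHED,RELATED rule on INPUT; active-mode data connections leave through the OUTPUT ACCEPT policy and their replies are ESTABLISHED.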
 
  

