LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 11-12-2003, 03:46 AM   #1
cubee
LQ Newbie
 
Registered: Nov 2003
Location: Tarnow, Poland
Distribution: Slackware, Redhat
Posts: 7

Rep: Reputation: 0
Firewall - iptables - ftp connections


Hello,

I wrote a simple firewall script using iptables. I have a simple network
internet (DSL) -- eth0 (EXTERNAL) -- eth1 and eth2 (Internal interface).
I use a Slackware 9.1 (2.4.22-grsec).

I have a problem with output ftp connections using wget. When I try to use
wget to download files from ftp I got a timed out. With other program (ncftpget) I have no this problem, only with WGET. Wget with http connections works properly.
In my opinion there is a bug in firewall script, but I'm a still learning iptables rules.

Please help me, where is a bug in firewall, and what should I add/change to make my network more securing. Thank you a lot.

Best regards,
cubee

This is my script:

#!/bin/sh

EXT=80.80.80.80
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/modprobe ip_conntrack_ftp

iptables -F
iptables -F -t nat
iptables -F -t filter
iptables -X -t filter
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT

iptables -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state RELATED
iptables -A OUTPUT -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A OUTPUT -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A OUTPUT -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A OUTPUT -p tcp -j ACCEPT -m state --state RELATED
iptables -A OUTPUT -p icmp -j ACCEPT -m state --state RELATED

iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 20 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 21 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 22 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 25 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 80 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 110 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 143 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 443 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 53 --syn -j ACCEPT
iptables -I INPUT -p udp -s 0/0 -d $EXT --destination-port 53 -j ACCEPT

#LAN
TCP_OUT_ALLOW=20,21,22,25,53,80,110,119,443,1110,1550,6346,8074,8080
UDP_OUT_ALLOW=20,21,22,25,53,110,119,123,1110,6346
iptables -A OUTPUT -o eth0 -p tcp -j ACCEPT -m state --state NEW -m multiport --destination-port $TCP_OUT_ALLOW
iptables -A OUTPUT -o eth0 -p udp -j ACCEPT -m state --state NEW -m multiport --destination-port $UDP_OUT_ALLOW
iptables -A FORWARD -o eth0 -p tcp -j ACCEPT -m state --state NEW -m multiport --destination-port $TCP_OUT_ALLOW
iptables -A FORWARD -o eth0 -p udp -j ACCEPT -m state --state NEW -m multiport --destination-port $UDP_OUT_ALLOW

#MASQ
iptables -t filter -A FORWARD -s 10.11.0.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 10.11.0.0/255.255.255.0 -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.1.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -d 0/0 -j MASQUERADE


#DHCP
iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --sport 68 --dport 67 -j ACCEPT
 
Old 11-12-2003, 04:50 PM   #2
gomix100
LQ Newbie
 
Registered: Nov 2003
Location: Caracas
Distribution: Red Hat
Posts: 13

Rep: Reputation: 0
Hi

No comments about your script (yet), my comment is about the symptom: wget does not work with ftp URLs but other ftp client does...

For me it looks like one is using passive ftp and the other active ftp method to connect to the remote ftp server.

It also depends on the remote ftp server, someones does not support passive mode.

Please check this first out. What method is ncftp using? What method is using wget?

Also checkout ip_nat_ftp.o module, i think u need it because of the masquerade.

Hope this helps
Guillermo
 
Old 11-13-2003, 12:46 AM   #3
cubee
LQ Newbie
 
Registered: Nov 2003
Location: Tarnow, Poland
Distribution: Slackware, Redhat
Posts: 7

Original Poster
Rep: Reputation: 0
Hi.

Thank you for answer. Situation which describe I tested from server, I did not test from local computers.
I added module ip_nat_ftp, to my script, but I have the still problems with ftp connection.

In my opinion I blocked something on firewall, but I dont know what is this.

Anyway, thank you for answer

Best regards.
/cubEE
 
Old 11-13-2003, 05:50 AM   #4
gomix100
LQ Newbie
 
Registered: Nov 2003
Location: Caracas
Distribution: Red Hat
Posts: 13

Rep: Reputation: 0
Hello

Yes, you might have something blocking in your firewall setup but i just try discovering what.

I f u use lftp (have it?) you can switch from passive mode to active mode just typing:

set ftpassive-mode off

In regular ftp client just try pass to toggle the passive mode on/off..

Must of the documentation i read says that machines behind the firewall should use passive mode for ftp connections but that's where ftp_nat module comes in so in fact u should be able to do both with the right kernel modules.

My firsts comments about your script:

Line : iptables -F
Line: iptables -t filter -F

These are redundants. filter tables is the default table.

Guillermo

One comment , i can't see your policy definition for nat table chains so i assume is just ACCEPT.
 
Old 11-14-2003, 06:49 AM   #5
cubee
LQ Newbie
 
Registered: Nov 2003
Location: Tarnow, Poland
Distribution: Slackware, Redhat
Posts: 7

Original Poster
Rep: Reputation: 0
Hello,

I am sure, problem is with my rules in firewall script, so I am must improve it. Thank you a lot for ansewers and attention.

Best regards.

cubEE

ps.
I use a lftp
 
Old 11-14-2003, 04:13 PM   #6
gomix100
LQ Newbie
 
Registered: Nov 2003
Location: Caracas
Distribution: Red Hat
Posts: 13

Rep: Reputation: 0
Hi

Normally if i have a problem with my firewall scripts, i do first a trace of the connection i'm trying to achieve. After that it will become easier to debug your script (and modules) of your firewall.

What i use is iptraf. I log to a file and then analyze what went wrong.

I suggest u to do the same first no matter where the ftp connection is coming from.
U can ulse tcpdump.

regards

Guillermo
 
Old 11-16-2003, 03:58 PM   #7
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Hey, not being critical here, I just thought I could offer a few tips for helping to make your script more readable.

Firstly, shorten up some of the commands...
ipt=/sbin/iptables
ext=eth0
int=eth1
then use $ipt to kick off your rules and $int or $ext to reference your cards

Try using some other scripting techniques to help 'clean it up'. For instance, if you want to accept a whole list of ports, try this.

# Allow these ports (hypothetical ports... don't just copy this list)
goodports="20 21 22 28 45 145 888 2005 25224"
for p in $goodports
do
$ipt -A INPUT -i $ext -p tcp --dport $p -j ACCEPT
done

In this way, you can add or remove ports without mussing with lines of code and it's much easier on the eyes and brain to read.

Uhm... what else? Set your policies and flush, delete and zero the counters all in one swoop.
# Set policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done

And my biggest thing is structure... call me anal, but I think that structure really helps a reader formulate what the firewall is supposed to look like in the end.

Generally, I do this:

#setup variables
#set polices, flush/delete/zero tables
#setup utility tables (examples...)
#1. BAD_IP (drop bad IP's
#1. SPOOF_CHECK (Check for bad IP's)
#setup user tables... at a minimum, usually I don't bother with the OUTPUT table.
#1. IN_NETWORK (all traffic forwarded into the network)
#2. OUT_NETWORK (all traffic forwarded out of the network)
#3. IN_FIREWALL (all traffic into THIS machine)
#setup main rules
#accept all LO traffic...
#Pass all inbound connections to IN_FIREWALL
#Pass forwarded connections to either OUT_NETWORK or IN_NETWORK depending on the direction.
#Turn on Masquerading if required.

I hope this helps in your search for learning about firewalls.

Now, I'll read through your script to see if I can see the problem... wish me luck.
 
Old 11-16-2003, 05:26 PM   #8
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
I spent some time re-writing your firewall (mostly as an exercise for me 'cause it's been a while since I looked at mine) and I *was* going to post it but a power outage 5 minutes ago decided that it was a bad idea for me to keep that information. *grrr*

Until I find some more tme to do it over, you'll have to wait. Until then, you should seriously take a look at this section.
Quote:
#MASQ
iptables -t filter -A FORWARD -s 10.11.0.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 10.11.0.0/255.255.255.0 -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.1.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -d 0/0 -j MASQUERADE
Why this section? Well... you don't have any tables that handle spoofed IP addresses and you allow your computer to forward ALL traffic from 10.11.0.0 to go anywhere! *eek* Remember that in iptables, forwarded traffic DOES NOT get processed by the INPUT table. So, I could spoof my 10.11.0.0 address and then use your firewall to forward all my traffic. *eek* It also allows ALLLL traffic to be forwarded from the internet directly to those internal machines! That should never be the case.
 
Old 11-16-2003, 07:16 PM   #9
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
#!/bin/sh
#
# Firewall script for cubee v0.1
# nov.16.2003 - jordan_harkness @ hotmail.com
#
# By design...
# . We drop all INPUT and FORWARD packets by default to deter DOS attacks
# . We allow all OUTPUT packets because there is usually no reason to stop them
# . We allow all loopback connections
# . We allow all internal connections to this host
# . We allow only new external connections to this host on the specified tcp/udp ports
# . We allow only related and established external connections to this host
# . We allow all external ICMP connections to this host
# . We allow all internal connections to external hosts
# . We allow only established and related external connections to internal hosts
# . We deny all external spoofed connections
# . We deny all external invalid connections
# . We do logging... comment it out if it's too much.

echo "1" > /proc/sys/net/ipv4/ip_forward

##########################
# !!! WARNING !!! #
# Be Precise or reboot #
##########################
ext1=eth2 # External NIC #
int1=eth0 # Internal NIC #
int2=eth1 # Internal NIC #
##########################

# Constants
ipt="/sbin/iptables"
logops="--log-level=3 -m limit --limit 1/second --limit-burst 10"
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
192.168.0.0/16 255.255.255.255"
# Ports open on the firewall. These are only for NEW connections
ok_ext_tcp_ports="21 22 25 53 80 110 143 443"
ok_ext_udp_ports="53"

# Set policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done

# Log bad IP
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
# Spoofed IP chain
$ipt -N SPOOF
for spf in $spoofed
do
$ipt -A SPOOF -s $spf -j BAD_IP
done

# Packets into network
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -s 0/0 -d 0/0 -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP

# Packets out of network
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int1 -j ACCEPT
$ipt -A OUT_NETWORK -i $int2 -j ACCEPT
$ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
$ipt -A OUT_NETWORK -j DROP

# Packets entering firewall
$ipt -N IN_FIREWALL
$ipt -A IN_FIREWALL -s 0/0 -d 0/0 -m state --state INVALID -j DROP
$ipt -A IN_FIREWALL -j SPOOF
$ipt -A IN_FIREWALL -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_FIREWALL -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_FIREWALL -p icmp -j ACCEPT
# Allow new connections to these TCP ports
for port_ok in $ok_ext_tcp_ports
do
$ipt -A IN_FIREWALL -p tcp -m state --state NEW -j ACCEPT
done
# Allow new connections to these UDP ports
for port_ok in $ok_ext_udp_ports
do
$ipt -A IN_FIREWALL -p udp -m state --state NEW -j ACCEPT
done

# Main Rules
$ipt -A INPUT -i lo -j ACCEPT # Allow all connections via loopback
$ipt -A INPUT -i $int1 -j ACCEPT
$ipt -A INPUT -i $int2 -j ACCEPT
$ipt -A INPUT -i $ext1 -j IN_FIREWALL

$ipt -A FORWARD -i $ext1 -j IN_NETWORK
$ipt -A FORWARD -i $int1 -j OUT_NETWORK
$ipt -A FORWARD -i $int2 -j OUT_NETWORK

# Turn on Masquerading
$ipt -t nat -A POSTROUTING -o $ext1 -j MASQUERADE
 
Old 12-03-2003, 10:13 PM   #10
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
I am having this problem as well and I think that its because the FTP server tries to change the port when doing different transfers... watching my ftp i can connect but not do anything after that... any ideas why
 
Old 12-04-2003, 09:48 AM   #11
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
You are both likely experiencing problems with active mode (standard mode) ftp. Keep in mind that when using active mode transfers the SERVER initiates the data connection while you only initiate the command connection.

Try switching to passive mode.
 
Old 12-08-2003, 09:38 PM   #12
FrozenPenquin
LQ Newbie
 
Registered: Dec 2003
Distribution: Happy SuSe Pro User !!
Posts: 23

Rep: Reputation: 15
Ok im brand new to Linux and just installed SuSe pro v9, can someone direct on where or how to get a firewall up & running ? thanks
Fp
 
Old 12-08-2003, 09:46 PM   #13
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
You should post your question as a new thread rather than appending it at the bottom of someone else's request. It will increase your chances of receiving a reply.

There are tonnes and tonnes of resources available on this subject. Try these links to help you get started with your search...
http://www.google.com
http://www.linuxdoc.org
http://www.linuxquestions.org/questions/search.php

Judging by your nondescript, generic question, I suspect you are not doing this for business and are a typical home user. Try this link.
http://www.linuxquestions.org/questi...hreadid=121379
 
Old 12-08-2003, 09:57 PM   #14
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
look into:
IPTABLES

if u have a specific problem/question re-post

there are HEAPS of posts on iptables
 
Old 12-08-2003, 10:07 PM   #15
FrozenPenquin
LQ Newbie
 
Registered: Dec 2003
Distribution: Happy SuSe Pro User !!
Posts: 23

Rep: Reputation: 15
thank you Jordan,chris, but I did'nt want to start another thread so I apologize for that, next time I know.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
FTP & iptables firewall hct224 Linux - Newbie 9 05-04-2012 01:43 PM
iptables masquerading & active ftp connections PowerMatt Linux - Networking 2 10-20-2005 05:02 PM
my new iptables firewall, everything works except for FTP kawdk Linux - Networking 2 08-01-2004 04:47 AM
iptables, nmap and active ftp connections Bug Linux - Security 3 06-14-2004 01:14 PM
Firewall - Firestarter Iptables ftp jupp Linux - Networking 0 03-18-2002 04:01 PM


All times are GMT -5. The time now is 02:09 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration