LinuxQuestions.org


Ammad 12-19-2005 12:29 PM

ftp and firewall
 
I have a Red Hat AS4 server in testing, and I am running FC4.
my problem ????????
I have a server on the internet running Windows 2003 Enterprise with FTP enabled. I can access it from FC4 or AS4, but I am unable to access it from the clients. I am using Squid and iptables, and there isn't any blocking in Squid or iptables for that.

Since it's running in active mode (Win 2003 FTP server) the clients have a problem, but all other servers running in passive mode on the LAN/internet are accessible.

I used these rules:
Code:

# note: -s/-d without a mask match a single host (172.16.0.0/32, 0.0.0.0/32), not a whole network
# note: the state match needs --state in front of the state list
iptables -A FORWARD -p tcp -s 172.16.0.0 --sport 1024:65535 -d 0.0.0.0 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s 0.0.0.0 --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp -s 172.16.0.0 --sport 1024:65535 -d 0.0.0.0 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0.0.0.0 --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT


but I am getting this at the client:
Code:

ftp: connect :unknown error number

win32sux 12-19-2005 03:36 PM

you don't need to make rules with all those port ranges, that's how it used to be with ipchains, but netfilter/iptables' connection tracking eliminates the need for those kinda rules... like this example (for the router/firewall):
Code:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP --dport 21 -m state --state NEW -j ACCEPT

BTW, make sure you have the conntrack module for ftp loaded:
Code:

/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

as for your INPUT rules, i'm not sure what they are referring to, cuz the router wouldn't need any INPUT rules... if you are referring to the server's local rules, then the same concept from above applies:
Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

PS: if the FORWARD rules are intended for incoming traffic (WAN to LAN), then you'd need PREROUTING rules to go with them to handle the DNAT... if they are for outgoing traffic (LAN to WAN), then your MASQUERADE or SNAT rule would be enough...
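The point win32sux makes about the FTP conntrack modules is the crux of the whole thread: in active mode the data connection is opened by the server towards a high port on the client, so a stateful firewall only lets it through if something has told it that this new SYN is RELATED to the control session. The following Python model, added here as an illustration and not code from the thread or from any poster, mirrors what the ip_conntrack_ftp helper does: it parses the PORT command (active) or the 227 reply (passive) on the control channel, registers the expected data connection, and shows the verdict the two FORWARD rules above would give with and without the helper. The PORT/227 sample lines are constructed; the client and server addresses reuse the ones from the netstat output elsewhere in the thread. The address check that drops an expectation whose advertised address differs from the control-connection peer reflects the kernel helper's default behaviour (relaxed only by its loose parameter).

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT (client -> server) and 227 (server -> client)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
PASV_RE = re.compile(r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def _decode_hostport(fields):
    """Turn the six comma-separated fields into ('a.b.c.d', port); port = p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("address/port fields must be 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return ip, port


def parse_port_command(line):
    """Active mode: client tells the server where to connect for the data channel."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode_hostport(m.groups())


def parse_pasv_reply(line):
    """Passive mode: server tells the client which address/port it is listening on."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % line)
    return _decode_hostport(m.groups())


def expect_data_connection(client_ip, server_ip, control_line):
    """Emulate the expectation the FTP helper registers after seeing PORT or 227.

    Returns None when the helper would create no expectation (unrelated line, or the
    advertised address does not belong to the peer of the control connection).
    """
    text = control_line.strip()
    if text.upper().startswith("PORT"):
        ip, port = parse_port_command(text)
        if ip != client_ip:
            return None  # advertised address is not the client: no expectation by default
        # Active mode: the *server* opens the data connection, conventionally from port 20.
        return {"mode": "active", "initiator": "server",
                "src": (server_ip, 20), "dst": (ip, port)}
    if text.startswith("227"):
        ip, port = parse_pasv_reply(text)
        if ip != server_ip:
            return None
        # Passive mode: the client opens the data connection to the advertised server port.
        return {"mode": "passive", "initiator": "client",
                "src": (client_ip, None), "dst": (ip, port)}
    return None


def data_syn_verdict(expectation, helper_loaded, default_policy="DROP"):
    """Verdict for the first data-channel SYN on a FORWARD chain that contains only
    '-m state --state ESTABLISHED,RELATED -j ACCEPT' and '--dport 21 -m state --state NEW -j ACCEPT'.

    With the helper loaded the SYN matches the expectation, is classified RELATED and
    hits the first rule. Without it the SYN is a plain NEW connection to a high port,
    which neither rule accepts, so the chain's default policy decides.
    """
    if expectation is None:
        return default_policy
    return "ACCEPT" if helper_loaded else default_policy


if __name__ == "__main__":
    client, server = "172.16.0.22", "202.145.23.3"   # constructed, as in the thread's netstat line
    active = expect_data_connection(client, server, "PORT 172,16,0,22,4,20")
    passive = expect_data_connection(client, server, "227 Entering Passive Mode (202,145,23,3,195,80).")
    for label, exp in (("active", active), ("passive", passive)):
        print(label, exp)
        for loaded in (False, True):
            print("  helper loaded=%s -> %s" % (loaded, data_syn_verdict(exp, loaded)))
```

Run it as a script to see the two modes side by side: the active-mode data SYN (server:20 to client:1044) is dropped by the thread's ruleset unless the helper is loaded, which is exactly the symptom the original poster describes, while the passive case fails in the same way because the client-side SYN to a high port is also NEW without the helper.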

Ammad 12-20-2005 08:35 AM

I have a problem and I'm getting this, a bug (maybe).

I am using a Linux box as firewall + forwarding client requests to the internet. My
problem is that there is a Windows 2003 FTP server, and clients are unable to
browse the FTP site, while they are able to connect to any Linux-based FTP server on
the net. I am also using Squid. Besides all of that, there isn't any restriction in Squid
or iptables.
I can connect from the Linux box to the Windows 2003 FTP server.
I flushed all rules, deleted all chains, and set the default policy to ACCEPT.

And at least I used this rule, but I'm still getting an error on the client side; when
I check on the client:
Code:

c:\> netstat -a
tcp 172.16.0.22:1044 202.145.23.3:ftp SYN_SENT

and at last the connection times out.
I am using these two rules only (two):
Code:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT

win32sux 12-20-2005 03:06 PM

have you tried both active and passive modes??

Ammad 12-20-2005 10:28 PM

1st thing: I am unable to connect to that server at all, so how can I define active or passive mode?

2nd: proxy servers are used for the http and ftp protocols. If this is a 100% correct statement, then why are my clients unable to connect, even though I am using Squid, with a minimal acl like below:
Code:

acl home1 src 172.16.0.0

http_access allow home1

Third: in iptables I am not using NAT for the ftp protocol b/c of Squid, to cache contents and make them available to other users also. And I have also allowed the above rules.

win32sux 12-20-2005 11:10 PM

i'd love to help you but i can't seem to understand your setup or your exact problem very well... perhaps you could sketch a diagram here using text or maybe explain your problem a little better?? :confused:

sideshowrob 06-09-2006 10:04 PM

I am having very similar issues, and have found tons of posts on here regarding this but no fixes so far. Here is my environment:

IPCop v1.4.10 running Squid Proxy (squid/2.5.STABLE12). Here is a copy of my squid.conf:


#################################
shutdown_lifetime 5 seconds
icp_port 0

http_port 127.0.0.1:800
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

cache_effective_user squid
cache_effective_group squid

pid_filename /var/run/squid.pid

cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none

log_mime_hdrs off
forwarded_for off

# Uncomment the following line to enable logging of User-Agent header:
#useragent_log /var/log/squid/user_agent.log

# Uncomment the following line to enable logging of Referer header:
#referer_log /var/log/squid/referer.log

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 800 # Squids port (for icons)

acl IPCop_http port 81
acl IPCop_https port 445
acl IPCop_ips dst 10.0.0.2
acl IPCop_networks src 10.0.0.0/255.255.255.0
acl CONNECT method CONNECT

##Access to squid:
#local machine, no restriction
#http_access allow localhost

#GUI admin if local machine connects
#http_access allow IPCop_ips IPCop_networks IPCop_http
#http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https

#Deny not web services
#http_access deny !Safe_ports
#http_access deny CONNECT !SSL_ports

#Finally allow IPCop_networks clients
#http_access allow IPCop_networks
#http_access deny all
# Cop+ acl rules follow, above rules should remain commented out
http_access allow localhost IPCop_http
http_access allow CONNECT localhost IPCop_https
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
maximum_object_size 4096 KB
minimum_object_size 0 KB

cache_mem 2000 KB
cache_dir aufs /var/log/cache 50 16 256

request_body_max_size 0 KB
reply_body_max_size 0 allow all

visible_hostname fake.hostname

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

#############################################

As you can see from the acl allows, port 21/FTP is allowed access. Yet anytime I attempt to hit an ftp site through Squid via a Windows client using both IE 6.0+ or Smart FTP, I get the following error message:

ERROR
The requested URL could not be retrieved

--------------------------------------------------------------------------------

The FTP server was too busy while trying to retrieve the URL: ftp://ftp.conleyservices.com/

Squid sent the following FTP command:

USER anonymous
and then received this reply
Unable to set up secure anonymous FTP

Your cache administrator is webmaster.



--------------------------------------------------------------------------------

Generated Sat, 10 Jun 2006 03:18:06 GMT by fake.hostname (squid/2.5.STABLE12)

######################################

Help?! Someone?! Also, if I go to a Linux FTP server that requires a login other than anonymous, it seems to work (except I don't have a password, so I'm not sure if it really works, but at least I get prompted to put one in).

