LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-14-2003, 10:47 AM   #1
MatrixIII007
LQ Newbie
 
Registered: Oct 2003
Distribution: RedHat , Mandrake
Posts: 1

Rep: Reputation: 0
Question IPtables and Passive FTP


How can I enable Passive FTP in my IPtables script.


This is my iptables.conf
*****************************************
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

# Source 'em up
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /sbin/iptables ]; then
exit 0
fi

KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
exit 0
fi



if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
# Don't do both
exit 0
fi

iftable() {
if fgrep -qsx $1 /proc/net/ip_tables_names; then
iptables -t "$@"
fi
}

start() {
# don't do squat if we don't have the config file
if [ -f $IPTABLES_CONFIG ]; then
# If we don't clear these first, we might be adding to
# pre-existing rules.
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
echo -n $"Flushing all current rules and user defined chains:"
let ret=0
for i in $chains; do iptables -t $i -F; let ret+=$?; done
iptables -F
let ret+=$?
if [ $ret -eq 0 ]; then
success
else
failure
fi
echo
echo -n $"Clearing all current rules and user defined chains:"
let ret=0
for i in $chains; do iptables -t $i -X; let ret+=$?; done
iptables -X
let ret+=$?
if [ $ret -eq 0 ]; then
success
else
failure
fi
echo

for i in $chains; do iptables -t $i -Z; done

echo -n $"Applying iptables firewall rules: "
grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
success || \
failure
echo
touch /var/lock/subsys/iptables
fi
}

stop() {
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
echo -n $"Flushing all chains:"
let ret=0
for i in $chains; do iptables -t $i -F; let ret+=$?; done
iptables -F; let ret+=$?
if [ $ret -eq 0 ]; then
success
else
failure
fi
echo

echo -n $"Removing user defined chains:"
let ret=0
for i in $chains; do iptables -t $i -X; let ret+=$?; done
iptables -X; let ret+=$?
if [ $ret -eq 0 ]; then
success
else
failure
fi
echo
echo -n $"Resetting built-in chains to the default ACCEPT policy:"
iftable filter -P INPUT ACCEPT && \
iftable filter -P OUTPUT ACCEPT && \
iftable filter -P FORWARD ACCEPT && \
iftable nat -P PREROUTING ACCEPT && \
iftable nat -P POSTROUTING ACCEPT && \
iftable nat -P OUTPUT ACCEPT && \
iftable mangle -P PREROUTING ACCEPT && \
iftable mangle -P POSTROUTING ACCEPT && \
iftable mangle -P INPUT ACCEPT && \
iftable mangle -P OUTPUT ACCEPT && \
iftable mangle -P FORWARD ACCEPT && \
success || \
failure
echo
rm -f /var/lock/subsys/iptables
}

case "$1" in
start)
start
;;

stop)
stop
;;

restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
start
;;

condrestart)
[ -e /var/lock/subsys/iptables ] && start
;;

status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for table in $tables; do
echo $"Table: $table"
iptables -t $table --list
done
;;

panic)
echo -n $"Changing target policies to DROP: "
iftable filter -P INPUT DROP && \
iftable filter -P FORWARD DROP && \
iftable filter -P OUTPUT DROP && \
iftable nat -P PREROUTING DROP && \
iftable nat -P POSTROUTING DROP && \
iftable nat -P OUTPUT DROP && \
iftable mangle -P PREROUTING DROP && \
iftable mangle -P OUTPUT DROP && \
iftable mangle -P POSTROUTING DROP && \
iftable mangle -P INPUT DROP && \
iftable mangle -P FORWARD DROP && \
success || failure
echo
echo -n "Flushing all chains:"
iftable filter -F INPUT && \
iftable filter -F FORWARD && \
iftable filter -F OUTPUT && \
iftable nat -F PREROUTING && \
iftable nat -F POSTROUTING && \
iftable nat -F OUTPUT && \
iftable mangle -F PREROUTING && \
iftable mangle -F OUTPUT && \
success || failure
echo
echo -n "Removing user defined chains:"
iftable iftable filter -X && \
iftable nat -X && \
iftable mangle -X && \
success || failure
echo
;;

save)
echo -n $"Saving current rules to $IPTABLES_CONFIG: "
touch $IPTABLES_CONFIG
chmod 600 $IPTABLES_CONFIG
/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
success $"Saving current rules to $IPTABLES_CONFIG" || \
failure $"Saving current rules to $IPTABLES_CONFIG"
echo
;;

*)
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
exit 1
esac

exit 0

**************************************************

Thanks
 
Old 10-14-2003, 10:52 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,990
Blog Entries: 54

Rep: Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743
This example is set up for ipchains but you only need to focus on the port assignments: http://www.linuxquestions.org/questi...hreadid=102199
 
Old 10-16-2003, 08:10 AM   #3
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Rep: Reputation: 15
how about enabling passive ftp behind a nat? i always get "Cannont create data socket" on list. i have my server set to use data ports 4900-5100 and iptables is set to forward 4900-5100 but still cant get a passive connection.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
FTP server stuck in passive with iptables running. TheRealDeal Linux - Security 5 02-24-2005 04:57 PM
How do I set my FTP server to accept passive FTP? imsam Linux - Newbie 3 12-12-2004 06:22 AM
iptables and passive ftp behind NAT radix Linux - Security 7 10-21-2003 02:06 PM
iptables and passive FTP behind the nat radix Linux - Security 5 09-16-2003 07:14 PM
Passive FTP ryanstrayer Linux - General 2 02-09-2002 01:32 AM


All times are GMT -5. The time now is 11:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration