LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 10-18-2003, 06:31 AM   #1
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Rep: Reputation: 15
iptables and passive ftp behind NAT


Ok, im posting this again because ive changed ports for my ftp and am using ssl now. slack 9 2.4.22 w/ iptables 1.2.8. I use RaidenFTPD on a winXP home SP1. if someone connects to me with passive enabled it dies at LIST -al. heres the script, iptables -nvL, and lsmod.

#

# set a few variables
make BINDIR=/usr/local/bin LIBDIR=/usr/local/lib MANDIR=/usr/local/manecho ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo " setting global variables"
echo ""
iptables="/usr/local/sbin/iptables"

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load some modules

/sbin/depmod -a

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp port=444; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then modprobe ip_tables; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack.o ]; then modprobe ip_conntrack; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.o ]; then modprobe iptable_filter; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_mangle.o ]; then modprobe iptable_mangle; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_nat.o ]; then modprobe iptable_nat; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_LOG.o ]; then modprobe ipt_LOG; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_limit.o ]; then modprobe ipt_limit; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_state.o ]; then modprobe ipt_state; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_mac.o ]; then modprobe ipt_mac; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_owner.o ]; then modprobe ipt_owner; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_REJECT.o ]; then modprobe ipt_REJECT; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o ]; then modprobe ipt_MASQUERADE; fi

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 220.57.120.22

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP

# blocked hosts
echo " dropping all packets from blocked hosts"
echo ""
$iptables -I INPUT -s 192.168.0.1 -j DROP
$iptables -I FORWARD -s 192.168.0.1 -j DROP

# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""

$iptables -A INPUT -p tcp --dport 20 -j ACCEPT
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 444 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4900:5100 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4661 -j ACCEPT
$iptables -A INPUT -p udp --dport 4665 -j ACCEPT

# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""

$iptables -A FORWARD -i eth0 -p tcp --dport 444 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 444 -j DNAT --to-destination 10.0.0.2:444
$iptables -A FORWARD -i eth0 -p tcp --dport 20 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 20 -j DNAT --to-destination 10.0.0.2:20
$iptables -A FORWARD -i eth0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4662 -j DNAT --to-destination 10.0.0.2:4662
$iptables -A FORWARD -i eth0 -p tcp --dport 4661 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4661 -j DNAT --to-destination 10.0.0.2:4661
$iptables -A FORWARD -i eth0 -p udp --dport 4665 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4665 -j DNAT --to-destination 10.0.0.2:4665
$iptables -A FORWARD -i eth0 -p tcp --dport 4900:5100 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4900:5100 -j DNAT --to-destination 10.0.0.2:4900:5100
# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

Chain INPUT (policy DROP 12 packets, 336 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 18
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 17
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 10
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 9
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 5
0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
2670 156K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 144 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
106 9752 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:433:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4661
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
492 21404 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 tcp LOG flags 0 level 4 prefix `tcp connection: '
19 5063 LOG udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 udp LOG flags 0 level 4 prefix `udp connection: '
523 22768 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp
19 5063 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp

Chain FORWARD (policy DROP 2 packets, 1469 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
106K 31M ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
109K 75M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:433:443
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4661
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4665

Chain OUTPUT (policy ACCEPT 2 packets, 151 bytes)
pkts bytes target prot opt in out source destination
2121 263K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

Module Size Used by Not tainted
ipt_MASQUERADE 2072 0 (unused)
ipt_REJECT 3512 0 (unused)
ipt_owner 1784 0 (unused)
ipt_mac 632 0 (unused)
ipt_state 568 4
ipt_limit 1016 2
ipt_LOG 3480 2
iptable_mangle 2136 0 (unused)
iptable_filter 1740 1
ip_nat_ftp 3728 0 (unused)
ip_conntrack_ftp 4592 1 [ip_nat_ftp]
ip_nat_irc 2704 0 (unused)
iptable_nat 25720 3 [ipt_MASQUERADE ip_nat_ftp ip_nat_irc]
ip_tables 16512 12 [ipt_MASQUERADE ipt_REJECT ipt_owner ipt_mac ipt_state ipt_limit ipt_LOG iptable_mangle iptable_filter iptable_nat]
ip_conntrack_irc 3312 1 [ip_nat_irc]
ip_conntrack 33416 4 [ipt_MASQUERADE ipt_state ip_nat_ftp ip_conntrack_ftp ip_nat_irc iptable_nat ip_conntrack_irc]
epic100 14124 1
3c59x 28752 1

any help would be greatly apperciated. i have the data ports set to 4900-5100 in RaidenFTPD so they should hit it, but they dont.
 
Old 10-19-2003, 07:40 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You might want to try adding some logging rules, esp. around all the rules that handle the ftp ports and forwarding rules. That way you'll at least have a better idea of where the packets are going (or aren't going). I'm assuming they're not being caught by the log rules before the final packet dump at the end of the script.

Also try using the -v option with the ftp client when you connect to see if that is informative at all.

HTH
 
Old 10-20-2003, 09:49 AM   #3
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Original Poster
Rep: Reputation: 15
well, that didnt help a whole lot. only, i notice something. sometimes the pasv will take and sometimes it wont. example:
i connect and start a transfer on 4900, then the file finishes and it starts to grab the next but the pasv port times out again. im lost here.......
 
Old 10-20-2003, 06:19 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
There are a lot of unnecessary rules here... try pruning it down to a bare minimum first then add logging rules to catch the DROP points... eg,

# set a few variables
make BINDIR=/usr/local/bin LIBDIR=/usr/local/lib MANDIR=/usr/local/manecho ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo " setting global variables"
echo ""
iptables="/usr/local/sbin/iptables"

All this is unnecessary unless you call the variables later, (which isn't happening). They should be set outside of iptables...
Notice the extra typing just to define the word iptables which exists in the normal PATH anyway...

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

A lot of extra text just to do this..
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.ip_forward=1

# load some modules

/sbin/depmod -a

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp port=444; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then modprobe ip_tables; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack.o ]; then modprobe ip_conntrack; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.o ]; then modprobe iptable_filter; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_mangle.o ]; then modprobe iptable_mangle; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_nat.o ]; then modprobe iptable_nat; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_LOG.o ]; then modprobe ipt_LOG; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_limit.o ]; then modprobe ipt_limit; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_state.o ]; then modprobe ipt_state; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_mac.o ]; then modprobe ipt_mac; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_owner.o ]; then modprobe ipt_owner; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_REJECT.o ]; then modprobe ipt_REJECT; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o ]; then modprobe ipt_MASQUERADE; fi

Most of these modules load automatically with the rules, in the correct order and with correct dependencies..
Try...
insmod ip_conntrack_ftp
insmod ip_nat_ftp
insmod ip_conntrack_irc
insmod ip_nat_irc
after all the rules have loaded. These ones require manual loading.

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT

$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
Missing the nat & mangle tables & chain deletes !! Try...
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat

done above...

$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT shouldn't be first rule. General rules come last...
$iptables -A INPUT -i eth1 -j ACCEPT

$iptables -A OUTPUT -o eth1 -j ACCEPT
Unnecessary. You already have an ACCEPT policy...

$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This should be the first rule to get ip_conntrack working.. try
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 220.57.120.22

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT Unnecessary with a default ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP

All this is handled by the rp_filter...

# blocked hosts
echo " dropping all packets from blocked hosts"
echo ""
$iptables -I INPUT -s 192.168.0.1 -j DROP
$iptables -I FORWARD -s 192.168.0.1 -j DROP

Where would these packets come from? Prob unneccessary rules...

# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT default Accept policy!

$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP Are you sure you want to do this?

# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
Check the tutorial for a much tidier way...

# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""

$iptables -A INPUT -p tcp --dport 20 -j ACCEPT
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 444 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4900:5100 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4661 -j ACCEPT
$iptables -A INPUT -p udp --dport 4665 -j ACCEPT

Do you have servers on the firewall that need these rules?

# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""

$iptables -A FORWARD -i eth0 -p tcp --dport 444 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 444 -j DNAT --to-destination 10.0.0.2:444
$iptables -A FORWARD -i eth0 -p tcp --dport 20 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 20 -j DNAT --to-destination 10.0.0.2:20
$iptables -A FORWARD -i eth0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4662 -j DNAT --to-destination 10.0.0.2:4662
$iptables -A FORWARD -i eth0 -p tcp --dport 4661 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4661 -j DNAT --to-destination 10.0.0.2:4661
$iptables -A FORWARD -i eth0 -p udp --dport 4665 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4665 -j DNAT --to-destination 10.0.0.2:4665
$iptables -A FORWARD -i eth0 -p tcp --dport 4900:5100 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4900:5100 -j DNAT --to-destination 10.0.0.2:4900:5100
Recommended don't use the -d x.x.x.x in the PREROUTING chain. If you only have 1 ip address, it adds a lot more computing time to each packet for no reason.

# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
Where are the logging rules for the FORWARD chain?
Also, each packet getting logged here is because there isn't a matching ACCEPT rule. Don't you want to know what is really happening?
I'd recommend adding LOG rules in nat PREROUTING too, eg
iptables -t nat -I PREROUTING -i eth0 -j LOG --log-prefix "Incoming_nat "
to get the first packet of any connection logged.

# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

Unnecessary. This is your default policy...
Better to have a LOG rule as the last rule here to catch what is missed by the other rules.. eg
iptables -A INPUT -j LOG --log-prefix "Dropped "
iptables -A FORWARD -j LOG --log-prefix "Dropped "

& what about dns packets? Try...
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I FORWARD 3 -p udp --sport 53 -j ACCEPT

A recommended tutorial

Sorry if I come across quite critical, but it looks like you've got a script that hasn't been well thought out, as I have commented on.
Prob better to go back to square 1 and find good reasons to add rules. Get the "setting up nat" section working first then the DNATs then the filtering then the default policies, working from the LOG file outputs, if you wish to build from scratch.

Last edited by peter_robb; 10-20-2003 at 06:22 PM.
 
Old 10-21-2003, 08:32 AM   #5
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Original Poster
Rep: Reputation: 15
i am running an ftp server behind the firewall, that cannot have passive connection made, they all time out. thats why im trying to get this working. the script was made with quicktables (not very good from what i hear now) but i get totally lost when i read the faqs. i need it to be broken down to a morons level before i understand it.
 
Old 10-21-2003, 08:48 AM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
Recommended iptables tutorial.

This explains why rules are made.

You can cheat and use one of the scripts at the end of the tutorial, then work out which part does which function.

Usually Win based servers run slowly coz they can't get the dns services to connect...

Last edited by peter_robb; 10-21-2003 at 08:50 AM.
 
Old 10-21-2003, 09:19 AM   #7
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Original Poster
Rep: Reputation: 15
dont suppose you'd be interested in writing a script for me? thanks for the help, ill try to get through the tutorial and hopefully come out with a script that can get the passive connecting.
 
Old 10-21-2003, 02:06 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
When you put together your script, keep in mind a couple of things:

Think through how you want to design your firewall beforehand. Put a considerable amount of thought on what your default policies will be for each "chain", as this will dictate the kinds of rules you'll have to include. In general, if you use a default policy of DROP, you'll then have to go through and specifically allow the traffic you want through. This is a good choice in terms of security, but it can make networking a little more difficult. A default policy of ACCEPT has exactly the opposite characteristics and can open up huge holes in your firewall if you forget to specifically block something.

Try to keep your firewall script as simple as you can. It will make troubleshooting your script alot easier. If you look at the script you posted and the notes that peter_robb posted on it, you'll notice that you have way too many duplicate rules in there.

When you actually implement your script, do it in stages. That way you'll get a better idea of what rules are causing problems or not doing what you think they should. If you throw everything including the kitchen sink in there at once, then you won't have a clue as to what the problem might be. Start with the basics, lock down all unnecessary traffic first and get the firewall machine functioning, then start forwarding the ports you need to the other machines. Using ethereal to sniff packets from your network at this point can be a really big help here in seeing if they're are getting forwarded properly. Focus on getting one service working at a time in this manner.

If you need help, don't be afraid to ask. But at least show that you are putting some effort into it before you post. There are alot of good how-tos at www.tldp.org and www.netfilter.org . Alot of people find the frozenTux tutorial (the one peter_robb posted) to be helpful as well. The iptables man page has an extensive amount of info on what all the flags and extensions do and is an often overlooked resource.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
FTP server stuck in passive with iptables running. TheRealDeal Linux - Security 5 02-24-2005 04:57 PM
FTP server (Windows) behind NAT (IPtables) SWAT Linux - Newbie 10 01-08-2004 12:54 PM
IPtables and Passive FTP MatrixIII007 Linux - Security 2 10-16-2003 08:10 AM
iptables and passive FTP behind the nat radix Linux - Security 5 09-16-2003 07:14 PM
iptables, NAT and FTP cestor Linux - Security 10 01-04-2002 09:57 AM


All times are GMT -5. The time now is 11:02 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration