hi guys,
I have written a script for a firewall (to make Squid a transparent proxy) based on searching the web. The script is as follows:
-------------
# Interface connected to Internet
# Interface connected to LAN
# Squid port
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
# if it is same system
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
-------------------------------------
Now Squid is working as a transparent proxy, and locally on the network people are able to browse the internet and do FTP to the local site (on the server) and other FTP sites on the internet.
But there are two problems:
1) People outside our network (we have a branch office in another city) are not able to FTP into our server.
Our server has two ethernet cards, one connected to the LAN and the other to the internet,
i.e. eth0 192.168.0.1 LAN
eth1 static IP (given by the ISP) internet
2) The second problem is that a whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP > TTL=112 etc. is printed out on the monitor screen continuously when working in text mode (non-GUI).
Can anyone please help me out in solving this problem?
Please make sure of the information you provided regarding which interface is connected to what network:
Quote:
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
Quote:
i.e. eth0 192.168.0.1 LAN
eth1 static IP (given by the ISP) internet
Since you say that everything is running fine on the internal network, I'll take the risk of assuming that you got the interfaces mixed up and eth0 is actually connected to the internet while eth1 is connected to your LAN.
Based on this assumption here's how to go about it:
You just need to add the proper rule to allow users OUTSIDE your network to connect to the ftp service.
If the service is running on the same machine which is acting as a firewall then something like:
Code:
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
If the service is on a different machine you'll need something closer to:
This will open port 21 (ftp service) to all users from the internet. So if you need a secure ftp service try and look into vsftpd [$man vsftpd] which can be configured for username/password or key-based authentication.
Thank you Notwerk,
Your solution worked for me; people are able to FTP into our server, but the second problem still exists and it's too annoying to work in text mode.
---------------------
The second problem is that a whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP > TTL=112 etc. is printed out on the monitor screen continuously when working in text mode (non-GUI).
----------------------
Can you tell what might be the problem and where I have gone wrong?
Once again thank you for your advice, it helped me a lot.
Quote:
This will open port 21 (ftp service) to all users from the internet. So if you need a secure ftp service try and look into vsftpd [$man vsftpd] which can be configured for username/password or key-based authentication.
I have the same problem, but the above code didn't work for me in Fedora Core 5.
Here is my script:
And what I want to do is, since I have the DNS with BIND there (the global DNS) and ftp.server.com points to the DNS server, I want it to redirect ftp.server.com to [$FTP_ADDRESS].
I have routed successfully in Red Hat 9 but here it does not seem to work. (I have a DSL modem, so the router is the Linux box.)
Now I can route any port I use. But ... I have a problem with the FTP ... I did not mention it before because I was not able to route anything, so I supposed it was some kind of iptables-related problem... I have Fedora Core 5 running at level 5. A uname -r command returns 2.6.17-1.2174_FC5.
Just before moving the FTP to another machine I ran it in the Linux box itself (I used vsftpd) and I could not access it from outside the network... nor can I now... even doing a /etc/init.d/iptables stop ... Nmap returns the port 21 TCP as FILTERED from outside the network. Does anyone know if some sneaky feature like the so-called "Secure Linux" prevents access to an FTP from an external source by default? I mean, I know I can route because I open services on other machines and I can connect to their sockets through Linux while their services are started. Has anyone heard of something like this?
Could you post more details about the FTP problem in the same sequence they happened, please? Also, posting the relevant configuration files would help.
Ok. Problem Fixed. I'm sorry.
It had nothing to do with Linux or iptables. I have a Zyxel router and my ISP, even with routing turned off, blocked FTP, HTTP, telnet and others by default.
Thank you very much for your help. Now it is all working fine and routing all services including web, FTP and all others.
Thanks for your help.
Just in case:
I keyed in my gateway IP (public gateway IP) and entered the Zyxel web control panel (it does not work by telnet, just by web). I clicked Advanced Setup and then Security and removed the checkboxes in "block FTP traffic from LAN to WAN" and so on with Web.
I hope that helps if anyone encounters the same problem.
Perhaps this is a good time to review your iptable rules and tighten them up a little bit.
A good idea would be to specify the following conditions for EACH rule:
1) -i INCOMING_INTERFACE
2) -o OUTGOING_INTERFACE
also, if the traffic is from/to the local network you should add:
3) -s (or -d) 192.168.x.0
Specifying the protocols also helps:
4) -p tcp (or udp)
Finally, you might want to consider connection state tracking. Loading the following modules allows iptables to use this feature:
#modprobe ip_conntrack
#modprobe ip_conntrack_ftp
Now, for example, you can filter "-m state --state NEW" if it does not have the SYN bit.
Also, you can allow ONLY "-m state --state RELATED,ESTABLISHED" traffic to pass the FORWARD rules.
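As an added example (not code from any of the posters), here is the original poster's rule set rewritten along these lines: interface, direction, source/destination network and protocol pinned on each rule, a default-deny FORWARD chain that passes only tracked traffic, the FTP control port opened as Notwerk suggested, and the final LOG rule rate-limited and given a prefix and a log level. It assumes eth0 is the internet side and eth1 the 192.168.0.0/24 LAN, as Notwerk's reply does, and prints the rules instead of applying them unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script. Assumes eth0 = internet,
# eth1 = LAN 192.168.0.0/24 with the firewall at 192.168.0.1, Squid on 3128 and the
# FTP server on the firewall box itself. Load ip_conntrack and ip_conntrack_ftp first
# (as the thread says) so FTP data connections are tracked as RELATED.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
SQUID_PORT=${SQUID_PORT:-3128}
# Dry run by default: prints the rules. Run as  IPT=iptables sh firewall.sh  to apply.
IPT=${IPT:-echo}

firewall_rules() {
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    # Default deny on INPUT and FORWARD (the original script left FORWARD open).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to flows this box started may come back in from the internet.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A packet claiming to be NEW without the SYN bit is bogus: drop it early.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # FTP control channel from the branch office / internet; the data channel arrives as RELATED.
    $IPT -A INPUT -i "$WAN" -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
    # LAN hosts may talk to the firewall, but only with a LAN source address.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # FORWARD: interface, direction and network pinned; replies only as RELATED,ESTABLISHED.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NAT: masquerade only our own network, and push LAN web traffic into Squid on this box.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"
    # Log leftovers rate-limited, tagged, and at debug priority (the lowest), so they go to
    # the log file instead of flooding the text console like the original bare LOG rule.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level debug
    $IPT -A INPUT -j DROP
}

firewall_rules
```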