Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I am working on my first major iptables project. I have a fairly good understanding of how the rules, chains and tables work, but I'm obviously missing something. My servers are safely hidden behind a Cisco PIX 515, and each has a static NAT to an Internet IP. Each service on each box has an access-list entry to expose the port to the net. Before my firewall project, everything worked perfectly.
My goal is to configure the iptables on my servers to be as if they were sitting directly on the public Internet. I made a nice long commented script, as general as possible, to be used on all servers (I just comment out what I don't need on each server). Here is what it looks like:
Code:
#!/bin/bash
# Start from an empty filter table. Note: --flush only removes the rules in
# the filter table; the chain policies stay at their default of ACCEPT.
iptables --flush
# Block Specific IPs from any access
# (must come before any ACCEPT rule, otherwise that host still reaches the
# open services)
iptables -A INPUT -s 67.166.208.69 -j DROP
# Allow Related and Established Traffic
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow Localhost, and ICMP from local LAN
iptables -A INPUT -p icmp -s x.x.0.0/16 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Trusted Networks
# SSH port
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 22 -j ACCEPT
# Webmin port
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.x --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.x.0/24 --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 10000 -j ACCEPT
#
# Shane's IP
# iptables -A INPUT -p tcp -s x.x.x.x --dport 22 -j ACCEPT
#
# Allowed Services
# Allow http and https
iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT
# Allow FTP (control channel on 21; 20 is the source port of active-mode data)
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Allow DNS
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Allow Mail Services SMTP and POP3
# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# Allow MySQL
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# Allow Samba from local x.x. network
# (NetBIOS name and datagram services are UDP 137-138; the session service is TCP 139)
# iptables -A INPUT -p udp -s x.x.0.0/16 --dport 137:138 -j ACCEPT
# iptables -A INPUT -p tcp -s x.x.0.0/16 --dport 139 -j ACCEPT
# Allow DHCP requests (DHCP is UDP, not TCP; a server listens on 67, a client on 68)
# iptables -A INPUT -p udp --dport 68 -j ACCEPT
# Allow SNMP From Local Network
iptables -A INPUT -p udp -s x.x.0.0/16 --dport 161 -j ACCEPT
#
# Block Everything Else all ports
iptables -A INPUT -j DROP
#
# Rules for outbound traffic (the OUTPUT policy is still ACCEPT, so these two
# rules change nothing unless that policy is set to DROP)
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
As you can see, it's quite a simple iptables config, nothing crazy. Inbound traffic only. My last two lines are there just because; everything that is currently working still works without them, and the broken items are still broken whether they are there or not. httpd is working; SMTP, POP3, DHCP, DNS and SNMP are all working normally. FTP is giving me fits.
Originally (before I decided to sit down with this project), I had iptables configured only to manage ports 22 and 10000, and nothing else was blocked. FTP connections inbound through my Cisco PIX had no trouble with any FTP client. Now that I have iptables running, FTP is timing out. I suspect my FTP problem comes from the data session: the server sends the port to connect to back to the client, and the client obviously can't get there. I'm positive the PIX firewall is not my problem, because I sent this same firewall script to a box that *does* sit right on the Internet, and it gets the same behavior.
Can someone tell me what I'm doing wrong, either with my entire config or with the FTP rules? I would really appreciate any help or pointers.
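The data-channel behaviour the poster suspects above, worked through as an added example (this is not code from the thread or from any FTP server): the functions below decode the host:port that FTP carries inside a 227 PASV reply or a PORT command, the same parse the kernel's conntrack FTP helper performs on the control channel, and print the one rule the server would need to accept the data connection if that helper is not loaded. The messages, the 192.0.2.0/24 addresses and the port numbers are constructed for the demo.

```shell
#!/bin/bash
# Added example, not code from the thread. Decodes the endpoint that FTP
# carries inside a PASV reply or PORT command (the same parsing the kernel's
# conntrack FTP helper does on port 21) and reports which chain on the FTP
# server sees the SYN of the resulting data connection. All messages and
# addresses below are constructed (192.0.2.0/24 is a documentation range).
set -u

# "h1,h2,h3,h4,p1,p2"  ->  "h1.h2.h3.h4 <p1*256+p2>"
ftp_decode_hostport() {
    local IFS=,
    set -- $1
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Passive mode: server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# and the CLIENT then connects to that host:port.
ftp_pasv_endpoint() {
    local reply=$1 inner
    case $reply in
        227*) ;;
        *) return 1 ;;
    esac
    inner=${reply#*\(}
    inner=${inner%%\)*}
    ftp_decode_hostport "$inner"
}

# Active mode: client sends "PORT h1,h2,h3,h4,p1,p2" and the SERVER then
# connects from its port 20 to that host:port.
ftp_port_endpoint() {
    local cmd=$1
    case $cmd in
        PORT\ *) ;;
        *) return 1 ;;
    esac
    ftp_decode_hostport "${cmd#PORT }"
}

# Given the mode and the message seen on the control channel, print the
# single rule the server would need to accept the data connection if the
# conntrack FTP helper were NOT loaded (with the helper, ESTABLISHED,RELATED
# covers both cases).
ftp_server_rule() {
    local mode=$1 msg=$2 host port
    case $mode in
        passive)
            read -r host port < <(ftp_pasv_endpoint "$msg") || return 1
            # client -> server:$port, a NEW connection on the server's INPUT chain
            echo "-A INPUT -p tcp -d $host --dport $port -j ACCEPT"
            ;;
        active)
            read -r host port < <(ftp_port_endpoint "$msg") || return 1
            # server:20 -> client:$port, the SYN leaves via OUTPUT; the client's
            # replies are ESTABLISHED, so no INPUT rule for port 20 is needed
            echo "-A OUTPUT -p tcp --sport 20 -d $host --dport $port -j ACCEPT"
            ;;
        *) return 1 ;;
    esac
}

# Demo on constructed control-channel traffic
ftp_server_rule passive '227 Entering Passive Mode (192,0,2,10,195,80)'
ftp_server_rule active  'PORT 192,0,2,55,4,1'
```

Run as-is it prints the two rules. The point for the poster's script is the passive case: the client's connection to the high port is a NEW connection on INPUT, so the trailing "drop everything" rule eats it unless either the port range is opened or the FTP conntrack helper marks it RELATED.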
The problem comes when using PASV FTP (I believe). I had to open 20:21,50000:55000 and configure my FTP server to use the 50000:55000 port range for connections.
I knew it was going to boil down to something along those lines. I believe my Cisco PIX is intelligent enough to discern the returning/related traffic and forwards it back to my FTP server as it's supposed to. BUT, now that I have 'drop all' enabled at the FTP server in question, this was the missing piece of my puzzle.
My test box that is directly on the Internet, as well as my production web and FTP boxes, are now behaving perfectly.
Now, my next question is: what is the proper method/best practice for loading this module at boot?
Originally posted by Sharaz: "what is the proper method/best practice of loading this module at boot?"
Depends on your distro (which are you using?)... In Slackware you just load it from your firewall script... but generally speaking, on any distro you should be fine by adding "/sbin/modprobe ip_conntrack_ftp" to your rc.local or similar startup file... however, your distro might have a "special" file to place the modules you wanna load...
BTW, is it really necessary to open port 20/TCP?? I would imagine opening port 21/TCP would be enough (to start the connection) and the connection tracking would recognize the port 20 packets as "RELATED"... is that not the case??
Probably. I've been doing 20:21 from so long ago. My first experience with firewalls was with ipchains, and it only seemed to work with 20:21. And I'm sure even my first iptables went the same, thus my current habit of doing it without question.
However, I'll try port 21 only, and see how it goes!
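Putting the three answers in the thread together (the explicit 50000:55000 passive range, loading the FTP conntrack module at boot, and whether port 20 needs its own rule), here is an added example of a complete ruleset for an FTP server. It is not the poster's script and not anything a distro ships. It assumes a current kernel, where the module is named nf_conntrack_ftp rather than ip_conntrack_ftp and the helper has to be bound with the CT target (since Linux 4.7 helpers are no longer attached automatically), stands in the documentation range 192.0.2.0/24 for the masked management networks, and emits iptables-restore syntax so the whole set is installed in one transaction rather than flush-then-append, which leaves the host unfiltered between the flush and the final DROP.

```shell
#!/bin/bash
# Added example, not the script from the thread. Builds a complete ruleset for
# an FTP server in iptables-restore format and loads it atomically, so there is
# no window in which the box is unfiltered (a flush-then-append script leaves
# everything open between the flush and the final DROP).
# Assumptions: a modern kernel (nf_conntrack_ftp, -m conntrack, the CT target);
# the thread's masked management networks are stood in for by the documentation
# range 192.0.2.0/24; passive range 50000-55000 as in the thread.
set -u

MGMT_NET=${MGMT_NET:-192.0.2.0/24}
PASV_RANGE=${PASV_RANGE:-50000:55000}

# generate_rules helper   -> port 21 only; data connections arrive as RELATED
#                            because the ftp helper reads PASV/PORT on port 21
# generate_rules nohelper -> no helper; the passive range is opened explicitly
generate_rules() {
    local mode=${1:-helper}
    echo '*raw'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    if [ "$mode" = helper ]; then
        # Since Linux 4.7 helpers are no longer auto-assigned
        # (net.netfilter.nf_conntrack_helper=0); bind the ftp helper to the
        # control channel explicitly or RELATED will never match.
        echo '-A PREROUTING -p tcp --dport 21 -j CT --helper ftp'
    fi
    echo 'COMMIT'
    echo '*filter'
    echo ':INPUT DROP [0:0]'        # policy DROP instead of a trailing -j DROP rule
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    echo "-A INPUT -p icmp -s $MGMT_NET -j ACCEPT"
    echo "-A INPUT -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo '-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT'
    # No rule for port 20: in active mode the *server* opens that connection
    # (source port 20), so it leaves through OUTPUT and the client's replies
    # come back as ESTABLISHED.
    if [ "$mode" != helper ]; then
        echo "-A INPUT -p tcp --dport $PASV_RANGE -m conntrack --ctstate NEW -j ACCEPT"
    fi
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4'
    echo 'COMMIT'
}

# Apply: load the helper, then install the whole set in one transaction.
# iptables-restore either commits everything or leaves the old rules in place.
apply_rules() {
    modprobe nf_conntrack_ftp
    generate_rules helper | iptables-restore
}

# At boot (assumed systemd layout; on Slackware keep the modprobe in the
# firewall script, as the reply above says):
#   printf 'nf_conntrack_ftp\n' > /etc/modules-load.d/ftp.conf
#   generate_rules helper > /etc/iptables/rules.v4   # Debian iptables-persistent
#   iptables-restore -t < /etc/iptables/rules.v4      # -t: parse only, commit nothing

case ${1:-} in
    --apply) apply_rules ;;
    *)       generate_rules "${1:-helper}" ;;
esac
```

Run with no arguments to print the helper-based ruleset, with `nohelper` for the explicit passive-range variant, or with `--apply` as root to install it. `iptables-restore -t` parses a saved file without committing it, which is a cheap check to run from a boot script before the real load. If a server is stuck on a kernel old enough to need ip_conntrack_ftp, the `*raw` section and the CT rule are not needed; the rest of the file applies unchanged.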