LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-26-2004, 09:47 PM   #1
kawdk
Member
 
Registered: Apr 2004
Location: Denmark
Distribution: Debian
Posts: 34

Rep: Reputation: 15
my new iptables firewall, everything works except for FTP


Hello, i have set a new firewall up on my server which i am using for both gateway, web and ftp server. I cant connect to the ftp server, i am using windows 98 on my workstation, i get the login prompt i can log on but there are no files at all. Atop is showing me that the ftpserver is running.
If i turn up my other firewall script (which is NOT secure at all, the ftp is working 100%).
My new script:
Code:
#!/bin/sh

EXT_IP="xxx.xxx.xxx.xxx"
LAN_NET="192.168.1.0/24"
EXT_IF="eth1"

INPUT_TCP="20 21 22 80"
INPUT_UDP="bootps bootpc"
FORWARD_TCP="20 21 80 8000 8001 6667:6669 1863 6901 113 443"
FORWARD_UDP="domain 1863 6901"
OUTPUT_TCP="20 21 $FORWARD_TCP"
OUTPUT_UDP="$FORWARD_UDP bootps bootpc"

echo 0 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -t nat -F
/sbin/iptables -F
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P INPUT DROP

#/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -d ! $LAN_NET -j SNAT --to $EXT_IP

/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE

# localhost vil meget gerne have lov til at snakke med sig selv
# Jeg ved ikke om det er nødvendigt med så mange regler, men skidt pyt :)
#
# localhost will have permission to talk to itself
# i dont know if its neccesary with so many rules
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A FORWARD -i lo -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

# Åben diverse porte for trafik til serveren
#
# Open ports for trafic to the server
for PORT in $INPUT_TCP; do
	iptables -A INPUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $INPUT_UDP; do
	iptables -A INPUT -p udp --dport $PORT -j ACCEPT
done

# Åben diverse udgående porte fra serveren
#
# Open outgoing ports from the server
for PORT in $OUTPUT_TCP; do
	iptables -A OUTPUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $OUTPUT_UDP; do
	iptables -A OUTPUT -p udp --dport $PORT -j ACCEPT
done

#Åben internet for netværket
#
#Open the internet for the network
for PORT in $FORWARD_TCP; do
	iptables -A FORWARD -p tcp -s $LAN_NET --dport $PORT -j ACCEPT
done
for PORT in $FORWARD_UDP; do
	iptables -A FORWARD -p udp -s $LAN_NET --dport $PORT -j ACCEPT
done
#iptables -A FORWARD -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for CHAIN in INPUT FORWARD OUTPUT; do
	iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
done

#Forward port 1863 (MSN)
iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward


for CHAIN in OUTPUT INPUT; do
	for ICMPTYPE in echo-request echo-reply; do
		iptables -A $CHAIN -p icmp --icmp-type $ICMPTYPE \
		  -m limit --limit 1/s --limit-burst 2 -j ACCEPT
		# Limit stopper ikke overskydende pakker, så dem dropper vi
		iptables -A $CHAIN -p icmp --icmp-type $ICMPTYPE -j DROP
	done
done

iptables -A INPUT -p tcp --dport 33434:33868 -j DROP
#iptables -A FORWARD -i eth1 -p UDP -s $EXT_IP -d 0/0 --dport 33434:33868 -j ACCEPT
 
Old 07-27-2004, 07:29 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
please note that ftp-data (port 20) is initiated by the ftp server.
 
Old 08-01-2004, 05:47 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Also please note the difference between the script and the running rules.
There may be several reasons for rules not to load from the script.
Check with iptables-save to see what has actually loaded.

Also consider the effect of ESTABLISHED,RELATED without an interface to define which direction is being controlled..
Do you want to have every direction open?

do modprobe ip_nat_ftp to load both the conntrack & nat ftp modules to allow the data channels to be considered RELATED.
These modules don't auto-load with iptables

Last edited by peter_robb; 08-01-2004 at 05:50 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
FTP & iptables firewall hct224 Linux - Newbie 9 05-04-2012 02:43 PM
Iptables with iptables-firewall.conf arno's matt3333 Slackware 16 06-28-2007 08:20 AM
Firewall - iptables - ftp connections cubee Linux - Security 22 01-29-2004 11:12 AM
ftp and ftp port forwarding with IPtables?? FunkFlex Linux - Security 3 04-24-2002 04:03 AM
Firewall - Firestarter Iptables ftp jupp Linux - Networking 0 03-18-2002 05:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 11:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration