my new iptables firewall, everything works except for FTP
Hello, I have set up a new firewall on my server, which I am using as both gateway, web and ftp server. I can't connect to the ftp server. I am using Windows 98 on my workstation; I get the login prompt and I can log on, but there are no files at all. Atop is showing me that the ftp server is running.
If I turn on my other firewall script (which is NOT secure at all), the ftp is working 100%.
My new script:
Code:
#!/bin/sh
EXT_IP="xxx.xxx.xxx.xxx"
LAN_NET="192.168.1.0/24"
EXT_IF="eth1"
INPUT_TCP="20 21 22 80"
INPUT_UDP="bootps bootpc"
FORWARD_TCP="20 21 80 8000 8001 6667:6669 1863 6901 113 443"
FORWARD_UDP="domain 1863 6901"
OUTPUT_TCP="20 21 $FORWARD_TCP"
OUTPUT_UDP="$FORWARD_UDP bootps bootpc"

# Disable forwarding while the rules are being replaced
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -t nat -F
/sbin/iptables -F
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P INPUT DROP

#/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -d ! $LAN_NET -j SNAT --to $EXT_IP
/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE

# localhost will have permission to talk to itself
# I don't know if so many rules are necessary, but never mind :)
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A FORWARD -i lo -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

# Open various ports for traffic to the server
for PORT in $INPUT_TCP; do
    iptables -A INPUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $INPUT_UDP; do
    iptables -A INPUT -p udp --dport $PORT -j ACCEPT
done

# Open various outgoing ports from the server
for PORT in $OUTPUT_TCP; do
    iptables -A OUTPUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $OUTPUT_UDP; do
    iptables -A OUTPUT -p udp --dport $PORT -j ACCEPT
done

# Open the internet for the network
for PORT in $FORWARD_TCP; do
    iptables -A FORWARD -p tcp -s $LAN_NET --dport $PORT -j ACCEPT
done
for PORT in $FORWARD_UDP; do
    iptables -A FORWARD -p udp -s $LAN_NET --dport $PORT -j ACCEPT
done

#iptables -A FORWARD -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for CHAIN in INPUT FORWARD OUTPUT; do
    iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Forward port 1863 (MSN)
iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

# Rate-limit ping requests and replies in both directions
for CHAIN in OUTPUT INPUT; do
    for ICMPTYPE in echo-request echo-reply; do
        iptables -A $CHAIN -p icmp --icmp-type $ICMPTYPE \
            -m limit --limit 1/s --limit-burst 2 -j ACCEPT
        # limit does not stop the excess packets, so we drop them
        iptables -A $CHAIN -p icmp --icmp-type $ICMPTYPE -j DROP
    done
done

# Drop the traceroute port range
iptables -A INPUT -p tcp --dport 33434:33868 -j DROP
#iptables -A FORWARD -i eth1 -p UDP -s $EXT_IP -d 0/0 --dport 33434:33868 -j ACCEPT
Also please note the difference between the script and the running rules.
There may be several reasons for rules not to load from the script.
Check with iptables-save to see what has actually loaded.
Also consider the effect of ESTABLISHED,RELATED without an interface to define which direction is being controlled.
Do you want to have every direction open?
Do modprobe ip_nat_ftp to load both the conntrack and nat ftp modules to allow the data channels to be considered RELATED.
These modules don't auto-load with iptables.
Last edited by peter_robb; 08-01-2004 at 04:50 AM.
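The points in the reply above, worked through as an added example (this is not the poster's script and not code from peter_robb): the FTP helper is loaded before any rule relies on RELATED, every ESTABLISHED,RELATED rule is tied to an interface so it controls one direction only, and two small checks verify what actually loaded. The interface names (eth1 external, eth0 as the assumed LAN side), the outbound port list and the DRY_RUN switch are assumptions made for this example; with DRY_RUN=1 (the default) the commands are printed instead of executed, since the real ones need root and a netfilter kernel.

```shell
#!/bin/sh
# Added example, not the poster's script: a direction-aware ruleset for a
# box that is both the LAN gateway and an FTP server, with the FTP
# conntrack/NAT helper loaded first, plus two checks of the kind the
# reply recommends (is the helper loaded, did a rule land in iptables-save).
DRY_RUN="${DRY_RUN:-1}"
EXT_IF="${EXT_IF:-eth1}"                  # external interface, as in the poster's script
LAN_IF="${LAN_IF:-eth0}"                  # assumed name of the LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_OUT_TCP="${LAN_OUT_TCP:-21 80 443}"   # assumed list of ports the LAN may reach

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

# Load the FTP helpers before any FTP session starts. ip_nat_ftp pulls in
# ip_conntrack_ftp on the 2.4/2.6 kernels of the thread; on current
# kernels the names are nf_nat_ftp / nf_conntrack_ftp.
load_ftp_helper() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "modprobe ip_nat_ftp"
    else
        modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
    fi
}

# $1: contents of /proc/modules (or lsmod output). True if an FTP NAT
# helper (old or new name) is listed.
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip_nat_ftp|nf_nat_ftp)[[:space:]]'
}

# $1: iptables-save output, $2: a rule fragment. True if the fragment
# appears in a rule that actually loaded.
rule_loaded() {
    printf '%s\n' "$1" | grep -Fq -- "$2"
}

apply_rules() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Every stateful rule names its interface(s), so a RELATED match on
    # the external side never doubles as an open door into the LAN.
    ipt -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # FTP control channel only. With the helper loaded, both active-mode
    # (server port 20 outbound) and passive-mode (high port inbound) data
    # connections are classified RELATED, so port 20 and the passive
    # range stay closed to NEW connections.
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # What the LAN may open towards the internet
    for PORT in $LAN_OUT_TCP; do
        ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -p tcp -s "$LAN_NET" --dport "$PORT" \
            -m state --state NEW -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
}

# Run with "apply" as the first argument to emit (or, with DRY_RUN=0, load) the rules.
if [ "${1:-}" = apply ]; then
    load_ftp_helper
    apply_rules
fi
```

After loading for real, `ftp_helper_loaded "$(cat /proc/modules)"` and `rule_loaded "$(iptables-save)" "--dport 21"` are the two checks that separate "the script ran" from "the rules and the helper are actually in the kernel", which is the distinction the reply draws.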