LinuxQuestions.org
Old 07-26-2004, 08:47 PM   #1
kawdk
Member
 
Registered: Apr 2004
Location: Denmark
Distribution: Debian
Posts: 34

Rep: Reputation: 15
my new iptables firewall, everything works except for FTP


Hello, I have set up a new firewall on my server, which I am using as gateway, web and FTP server. I can't connect to the FTP server. I am using Windows 98 on my workstation; I get the login prompt and I can log on, but there are no files at all. Atop is showing me that the FTP server is running.
If I turn up my other firewall script (which is NOT secure at all), the FTP is working 100%.
My new script:
Code:
#!/bin/sh

EXT_IP="xxx.xxx.xxx.xxx"
LAN_NET="192.168.1.0/24"
EXT_IF="eth1"

INPUT_TCP="20 21 22 80"
INPUT_UDP="bootps bootpc"
FORWARD_TCP="20 21 80 8000 8001 6667:6669 1863 6901 113 443"
FORWARD_UDP="domain 1863 6901"
OUTPUT_TCP="20 21 $FORWARD_TCP"
OUTPUT_UDP="$FORWARD_UDP bootps bootpc"

echo 0 > /proc/sys/net/ipv4/ip_forward

/sbin/iptables -t nat -F
/sbin/iptables -F
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P INPUT DROP

#/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -d ! $LAN_NET -j SNAT --to $EXT_IP

/sbin/iptables -t nat -A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE

# localhost would very much like permission to talk to itself
# I don't know if it's necessary to have so many rules, but never mind :)
iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A FORWARD -i lo -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT

# Open various ports for traffic to the server
for PORT in $INPUT_TCP; do
	iptables -A INPUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $INPUT_UDP; do
	iptables -A INPUT -p udp --dport $PORT -j ACCEPT
done

# Open various outgoing ports from the server
for PORT in $OUTPUT_TCP; do
	iptables -A OUTPUT -p tcp --dport $PORT -j ACCEPT
done
for PORT in $OUTPUT_UDP; do
	iptables -A OUTPUT -p udp --dport $PORT -j ACCEPT
done

# Open the internet for the network
for PORT in $FORWARD_TCP; do
	iptables -A FORWARD -p tcp -s $LAN_NET --dport $PORT -j ACCEPT
done
for PORT in $FORWARD_UDP; do
	iptables -A FORWARD -p udp -s $LAN_NET --dport $PORT -j ACCEPT
done
#iptables -A FORWARD -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for CHAIN in INPUT FORWARD OUTPUT; do
	iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
done

#Forward port 1863 (MSN)
iptables -A FORWARD -p tcp --dport 1863 -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward


for CHAIN in OUTPUT INPUT; do
	for ICMPTYPE in echo-request echo-reply; do
		iptables -A $CHAIN -p icmp --icmp-type $ICMPTYPE \
		  -m limit --limit 1/s --limit-burst 2 -j ACCEPT
		# limit does not stop the excess packets, so we drop those
		iptables -A $CHAIN -p icmp --icmp-type $ICMPTYPE -j DROP
	done
done

iptables -A INPUT -p tcp --dport 33434:33868 -j DROP
#iptables -A FORWARD -i eth1 -p UDP -s $EXT_IP -d 0/0 --dport 33434:33868 -j ACCEPT
 
Old 07-27-2004, 06:29 AM   #2
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Please note that ftp-data (port 20) is initiated by the FTP server.
 
Old 08-01-2004, 04:47 AM   #3
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Also please note the difference between the script and the running rules.
There may be several reasons for rules not to load from the script.
Check with iptables-save to see what has actually loaded.

Also consider the effect of ESTABLISHED,RELATED without an interface to define which direction is being controlled.
Do you want to have every direction open?

Do modprobe ip_nat_ftp to load both the conntrack & nat ftp modules to allow the data channels to be considered RELATED.
These modules don't auto-load with iptables.

Last edited by peter_robb; 08-01-2004 at 04:50 AM.
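The checks suggested in the replies can be run against the output of `iptables-save` and `lsmod`. The following is an added example, not part of any post in this thread: the function name `ftp_audit` and both sample inputs are constructed, and `ip_conntrack_ftp` is assumed to be the conntrack helper that `modprobe ip_nat_ftp` pulls in on kernels of that era.

```shell
#!/bin/sh
# Added example: audit `iptables-save` and `lsmod` text for the FTP points
# raised in the replies. Sample data below is constructed, not from the thread.

# ftp_audit RULES MODULES -> prints one finding per line, returns 1 if any.
ftp_audit() {
    rules=$1 mods=$2 findings=""
    # The data channel is only RELATED if the FTP conntrack helper is loaded;
    # ip_nat_ftp also rewrites PORT/PASV addresses for masqueraded LAN hosts.
    for mod in ip_conntrack_ftp ip_nat_ftp; do
        printf '%s\n' "$mods" | grep -q "^$mod " ||
            findings="${findings}missing module: $mod
"
    done
    for chain in INPUT FORWARD OUTPUT; do
        rel=$(printf '%s\n' "$rules" | grep -e "^-A $chain " |
              grep -e 'RELATED' | grep -e '-j ACCEPT' || true)
        if [ -z "$rel" ]; then
            findings="${findings}$chain: no RELATED accept rule loaded
"
        elif ! printf '%s\n' "$rel" | grep -q -e ' -[io] '; then
            findings="${findings}$chain: RELATED rule has no interface match
"
        fi
    done
    printf '%s' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: roughly what iptables-save would show for the script.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# Constructed lsmod excerpt with no FTP helper modules loaded.
SAMPLE_MODS='Module                  Size  Used by
ip_conntrack           28000  2 ipt_state,iptable_nat
iptable_nat            22000  1 ipt_MASQUERADE'

ftp_audit "$SAMPLE_RULES" "$SAMPLE_MODS" || true
```

On a live host the two arguments would be `"$(iptables-save)"` and `"$(lsmod)"`, run as root.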
 
  

