LinuxQuestions.org
Linux - Networking: shorewall iptables, ftp (https://www.linuxquestions.org/questions/linux-networking-3/shorewall-iptables-ftp-248784/)

xilace 10-29-2004 11:35 AM

shorewall iptables, ftp
 
Here is what Shorewall set up for iptables on my Squid server. Even though it looks like FTP should be going through, it doesn't. When I connect to an FTP server where you have to log in, it lets me log in, and then when it tries to read the directory it hangs and finally just times out. Any ideas?
Keep in mind I'm new to iptables and don't have a clue what most of those switches are doing.

Code:

# Generated by iptables-save v1.2.11 on Fri Oct 29 09:21:44 2004
*mangle
:PREROUTING ACCEPT [1318792:910891079]
:INPUT ACCEPT [43171:6816862]
:FORWARD ACCEPT [1275591:904071325]
:OUTPUT ACCEPT [25279:4430217]
:POSTROUTING ACCEPT [1301485:908490701]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos
-A OUTPUT -j outtos
-A outtos -p tcp -j TOS --set-tos 0x10
-A outtos -p udp -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 20 --dport 20 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 21 --dport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 20 --dport 21 -j TOS --set-tos 0x08
-A outtos -p tcp -m tcp --sport 21 --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -j TOS --set-tos 0x10
-A pretos -p udp -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 20 --dport 20 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 21 --dport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 20 --dport 21 -j TOS --set-tos 0x08
-A pretos -p tcp -m tcp --sport 21 --dport 20 -j TOS --set-tos 0x08
COMMIT
# Completed on Fri Oct 29 09:21:44 2004
# Generated by iptables-save v1.2.11 on Fri Oct 29 09:21:44 2004
*nat
:PREROUTING ACCEPT [11801:1869274]
:POSTROUTING ACCEPT [36:2320]
:OUTPUT ACCEPT [602:44675]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Oct 29 09:21:44 2004
# Generated by iptables-save v1.2.11 on Fri Oct 29 09:21:44 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Drop - [0:0]
:Reject - [0:0]
:all2all - [0:0]
:dynamic - [0:0]
:eth0_fwd - [0:0]
:eth0_in - [0:0]
:eth1_fwd - [0:0]
:eth1_in - [0:0]
:icmpdef - [0:0]
:loc2net - [0:0]
:net2loc - [0:0]
:reject - [0:0]
:shorewall - [0:0]
:smurfs - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ! icmp -m state --state INVALID -j DROP
-A INPUT -i eth1 -j eth1_in
-A INPUT -i eth0 -j eth0_in
-A INPUT -j ACCEPT
-A FORWARD -p ! icmp -m state --state INVALID -j DROP
-A FORWARD -i eth1 -j eth1_fwd
-A FORWARD -i eth0 -j eth0_fwd
-A FORWARD -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p ! icmp -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -j all2all
-A OUTPUT -o eth1 -j all2all
-A OUTPUT -j ACCEPT
-A all2all -m state --state RELATED,ESTABLISHED -j ACCEPT
-A all2all -j ACCEPT
-A eth0_fwd -m state --state INVALID,NEW -j dynamic
-A eth0_fwd -o eth0 -j ACCEPT
-A eth0_fwd -o eth1 -j net2loc
-A eth0_in -m state --state INVALID,NEW -j dynamic
-A eth0_in -j all2all
-A eth1_fwd -m state --state INVALID,NEW -j dynamic
-A eth1_fwd -o eth0 -j loc2net
-A eth1_fwd -o eth1 -j ACCEPT
-A eth1_in -m state --state INVALID,NEW -j dynamic
-A eth1_in -j all2all
-A loc2net -m state --state RELATED,ESTABLISHED -j ACCEPT
-A loc2net -p tcp -j ACCEPT
-A loc2net -p udp -j ACCEPT
-A loc2net -j all2all
-A net2loc -m state --state RELATED,ESTABLISHED -j ACCEPT
-A net2loc -p tcp -j ACCEPT
-A net2loc -p udp -j ACCEPT
-A net2loc -j all2all
-A reject -m pkttype --pkt-type broadcast -j DROP
-A reject -m pkttype --pkt-type multicast -j DROP
-A reject -s 192.168.1.255 -j DROP
-A reject -s 192.168.7.255 -j DROP
-A reject -s 255.255.255.255 -j DROP
-A reject -s 224.0.0.0/240.0.0.0 -j DROP
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
-A smurfs -s 192.168.1.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.1.255 -j DROP
-A smurfs -s 192.168.7.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 192.168.7.255 -j DROP
-A smurfs -s 255.255.255.255 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 255.255.255.255 -j DROP
-A smurfs -s 224.0.0.0/240.0.0.0 -j LOG --log-prefix "Shorewall:smurfs:DROP:" --log-level 6
-A smurfs -s 224.0.0.0/240.0.0.0 -j DROP
COMMIT
# Completed on Fri Oct 29 09:21:44 2004


ToniT 10-29-2004 11:56 AM

Try modprobing modules:
ip_nat_ftp
ip_conntrack_ftp

You can also try using passive mode in FTP transfers.
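
As an added illustration of what the ip_conntrack_ftp and ip_nat_ftp helpers mentioned above actually do (example code written for this page, not from the thread or from the netfilter project; all addresses are constructed), the following parses the FTP control channel the way the kernel helper must, derives the RELATED data connection the firewall has to admit, and shows the PORT rewrite that active mode needs behind NAT:

```python
import re

# Endpoint encoding shared by the client's PORT command (active mode) and the
# server's "227 Entering Passive Mode" reply: h1,h2,h3,h4,p1,p2, port = p1*256+p2.
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line):
    """Return (mode, ip, port) from one FTP control-channel line, or None.

    This is the parsing ip_conntrack_ftp does: the data connection used for
    LIST/RETR is negotiated in-band, so a stateful firewall only learns where
    it will appear by reading the control channel."""
    if line.upper().startswith("PORT "):
        mode = "active"    # server will connect from port 20 to this endpoint
    elif line.startswith("227"):
        mode = "passive"   # client will connect to this endpoint on the server
    else:
        return None
    m = _ENDPOINT.search(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    return mode, ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def expect_for(mode, client_ip, server_ip, ip, port):
    """The RELATED flow the firewall must admit, as (src_ip, src_port, dst_ip, dst_port);
    src_port None means any. Without this expectation the data connection is an
    unsolicited NEW flow, the LIST reply never arrives and the session times out."""
    if mode == "active":
        return server_ip, 20, ip, port          # inbound: server -> client
    return client_ip, None, server_ip, port     # outbound: client -> server


def nat_rewrite_port(line, public_ip, public_port):
    """The rewrite ip_nat_ftp applies to an outgoing active-mode PORT command: a
    private address such as 192.168.1.x is unreachable from the Internet, so the
    payload is replaced with the masqueraded address and a port mapped back to the client."""
    ep = parse_data_endpoint(line)
    if ep is None or ep[0] != "active":
        return line
    fields = public_ip.split(".") + [str(public_port // 256), str(public_port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"
```

Passive mode only needs the expectation (the client opens the data connection outbound), which is why switching the client to passive is a quick test of whether the helper is the missing piece.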

xilace 10-29-2004 12:36 PM

This is how my modules look:

Code:

loadmodule ip_tables
loadmodule iptable_filter
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_tftp
loadmodule ip_conntrack_irc
loadmodule iptable_nat
loadmodule ip_nat_ftp
loadmodule ip_nat_tftp
loadmodule ip_nat_irc

It was already set up in there. Or do you mean to switch the loading sequence of ip_conntrack_ftp and ip_nat_ftp?

ToniT 10-29-2004 06:08 PM

OK, the modules are there; the order shouldn't matter (though you might want to check that they got loaded, e.g. that they appear in the "lsmod" listing).

Also, is there the same problem when you try to use FTP directly from the server?
Does passive mode work?

xilace 11-01-2004 10:11 AM

Code:

Module                  Size  Used by
parport_pc            21633  1
lp                      9645  0
parport                35721  2 parport_pc,lp
autofs4                20677  0
ipt_MASQUERADE          2625  1
ipt_TOS                1857  24
ipt_REJECT              4801  4
ipt_pkttype            1345  2
ipt_LOG                5569  4
ipt_state              1473  14
ipt_multiport          1601  0
ipt_conntrack          1985  0
iptable_mangle          2113  1
ip_nat_irc              4017  0
ip_nat_tftp            2865  0
ip_nat_ftp              4785  0
iptable_nat            17769  5 ipt_MASQUERADE,ip_nat_irc,ip_nat_tftp,ip_nat_ftp
ip_conntrack_irc      70641  1 ip_nat_irc
ip_conntrack_tftp      2929  0
ip_conntrack_ftp      71153  1 ip_nat_ftp
ip_conntrack          33017  10 ipt_MASQUERADE,ipt_state,ipt_conntrack,ip_nat_irc,ip_nat_tftp,ip_nat_ftp,iptable_nat,ip_conntrack_irc,ip_conntrack_tftp,ip_conntrack_ftp
sunrpc                140837  1
iptable_filter          2113  1
ip_tables              14529  11 ipt_MASQUERADE,ipt_TOS,ipt_REJECT,ipt_pkttype,ipt_LOG,ipt_state,ipt_multiport,ipt_conntrack,iptable_mangle,iptable_nat,iptable_filter
md5                    3649  1
ipv6                  209505  16
ne2k_pci                7201  0
8390                  10177  1 ne2k_pci
natsemi                28193  0
floppy                54513  0
ext3                  104105  2
jbd                    66137  1 ext3
dm_mod                46933  3

Yep... appears they are loading just fine.

xilace 11-01-2004 02:05 PM

Still nothing. I can connect and log in, but I'm not able to retrieve the content listing.
Here is what my files look like:

/etc/shorewall/rules
Code:

ACCEPT   loc   net   tcp   -   -   -
ACCEPT   net   loc   tcp   -   -   -
ACCEPT   loc   net   udp   -   -   -
ACCEPT   net   loc   udp   -   -   -
ACCEPT   loc   fw    tcp
ACCEPT   fw    loc   tcp
ACCEPT   loc   fw    udp
ACCEPT   fw    loc   udp
ACCEPT   net   fw    tcp
ACCEPT   fw    net   tcp
ACCEPT   net   fw    udp
ACCEPT   fw    net   udp
AllowFTP loc   net
AllowFTP net   loc
AllowFTP fw    loc
AllowFTP loc   fw
AllowFTP fw    net
AllowFTP net   fw

/etc/shorewall/policy
Code:

all            all            ACCEPT

/etc/shorewall/interfaces
Code:

loc    eth1            detect          routeback,dhcp
net    eth0            detect          routeback,dhcp

/etc/shorewall/start
Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128
iptables -A FORWARD -m state --state ESTABILISHED,RELATED -j ACCEPT

/etc/shorewall/init --taken from shorewall's site
Code:

if [ -z "`ip rule list | grep www.out`" ] ; then
        ip rule add fwmark CA table www.out # Note 0xCA = 202
        ip route add default via 192.168.1.1 dev eth1 table www.out
        ip route flush cache
        echo 0 /proc/sys/net/ipv4/conf/eth1/send_redirects
fi

And this is what I get when it is started/restarted:
Code:

[root@squid shorewall]# service shorewall restart
Loading /usr/share/shorewall/functions...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Restarting Shorewall...
Initializing...
Shorewall has detected the following iptables/netfilter capabilities:
  NAT: Available
  Packet Mangling: Available
  Multi-port Match: Available
  Connection Tracking Match: Available
Determining Zones...
  Zones: net loc dmz
Validating interfaces file...
Validating hosts file...
Validating Policy file...
Determining Hosts in Zones...
  Net Zone: eth0:0.0.0.0/0
  Local Zone: eth1:0.0.0.0/0
  Warning: Zone dmz is empty
Processing /etc/shorewall/init ...
Error: argument "CA" is wrong: fwmark value is invalid

RTNETLINK answers: File exists
0 /proc/sys/net/ipv4/conf/eth1/send_redirects
Deleting user chains...
  WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables
Setting up Accounting...
Creating Interface Chains...
Configuring Proxy ARP
Setting up NAT...
Setting up NETMAP...
Adding Common Rules
Processing /etc/shorewall/initdone ...
Adding rules for DHCP
IP Forwarding Enabled
Processing /etc/shorewall/tunnels...
Pre-processing Actions...
  Pre-processing /usr/share/shorewall/action.DropSMB...
  Pre-processing /usr/share/shorewall/action.RejectSMB...
  Pre-processing /usr/share/shorewall/action.DropUPnP...
  Pre-processing /usr/share/shorewall/action.RejectAuth...
  Pre-processing /usr/share/shorewall/action.DropPing...
  Pre-processing /usr/share/shorewall/action.DropDNSrep...
  Pre-processing /usr/share/shorewall/action.AllowPing...
  Pre-processing /etc/shorewall/action.AllowFTP...
  Pre-processing /usr/share/shorewall/action.AllowDNS...
  Pre-processing /usr/share/shorewall/action.AllowSSH...
  Pre-processing /usr/share/shorewall/action.AllowWeb...
  Pre-processing /usr/share/shorewall/action.AllowSMB...
  Pre-processing /usr/share/shorewall/action.AllowAuth...
  Pre-processing /usr/share/shorewall/action.AllowSMTP...
  Pre-processing /usr/share/shorewall/action.AllowPOP3...
  Pre-processing /usr/share/shorewall/action.AllowIMAP...
  Pre-processing /usr/share/shorewall/action.AllowTelnet...
  Pre-processing /usr/share/shorewall/action.AllowVNC...
  Pre-processing /usr/share/shorewall/action.AllowVNCL...
  Pre-processing /usr/share/shorewall/action.AllowNTP...
  Pre-processing /usr/share/shorewall/action.AllowRdate...
  Pre-processing /usr/share/shorewall/action.AllowNNTP...
  Pre-processing /usr/share/shorewall/action.AllowTrcrt...
  Pre-processing /usr/share/shorewall/action.AllowSNMP...
  Pre-processing /usr/share/shorewall/action.AllowPCA...
  Pre-processing /usr/share/shorewall/action.Drop...
  Pre-processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/rules...
  Rule "ACCEPT loc net tcp - - -" added.
  Rule "ACCEPT net loc tcp - - -" added.
  Rule "ACCEPT loc net udp - - -" added.
  Rule "ACCEPT net loc udp - - -" added.
  Rule "ACCEPT loc fw tcp" added.
  Rule "ACCEPT fw loc tcp" added.
  Rule "ACCEPT loc fw udp" added.
  Rule "ACCEPT fw loc udp" added.
  Rule "ACCEPT net fw tcp" added.
  Rule "ACCEPT fw net tcp" added.
  Rule "ACCEPT net fw udp" added.
  Rule "ACCEPT fw net udp" added.
  Rule "AllowFTP loc net" added.
  Rule "AllowFTP net loc" added.
  Rule "AllowFTP fw loc" added.
  Rule "AllowFTP loc fw" added.
  Rule "AllowFTP fw net" added.
  Rule "AllowFTP net fw" added.
Processing Actions...
Processing /usr/share/shorewall/action.Drop...
Processing /usr/share/shorewall/action.Reject...
Processing /etc/shorewall/action.AllowFTP...
  Rule "ACCEPT - - tcp - -" added.
Processing /etc/shorewall/policy...
  Policy ACCEPT for fw to net using chain all2all
  Policy ACCEPT for fw to loc using chain all2all
  Policy ACCEPT for net to fw using chain all2all
  Policy ACCEPT for net to loc using chain all2all
  Policy ACCEPT for loc to fw using chain all2all
  Policy ACCEPT for loc to net using chain all2all
Masqueraded Networks and Hosts:
Processing /etc/shorewall/tos...
  Rule "all all tcp - - 16" added.
  Rule "all all udp - - 16" added.
  Rule "all all tcp - ssh 16" added.
  Rule "all all tcp ssh - 16" added.
  Rule "all all tcp - ftp 8" added.
  Rule "all all tcp ftp - 8" added.
  Rule "all all tcp ftp-data - 8" added.
  Rule "all all tcp - ftp-data 8" added.
  Rule "all all tcp 20 20 8" added.
  Rule "all all tcp 21 21 8" added.
  Rule "all all tcp 20 21 8" added.
  Rule "all all tcp 21 20 8" added.
Processing /etc/shorewall/ecn...
Activating Rules...
Processing /etc/shorewall/start ...
iptables v1.2.11: Unknown arg `--dport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Bad state `ESTABILISHED,RELATED'
Try `iptables -h' or 'iptables --help' for more information.
Shorewall Restarted
[root@squid shorewall]#
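
The restart output above reports failures from the hand-written lines in /etc/shorewall/start and /etc/shorewall/init: "Unknown arg `--dport'" (a port match without -p tcp or -p udp), "Bad state `ESTABILISHED,RELATED'" (a misspelled state), and "fwmark value is invalid" (CA without its 0x prefix, even though the script's own comment says 0xCA); the echo 0 /proc/sys/... line is also missing its '>' and printed its arguments instead of writing the file. As an added example written for this page (not Shorewall code; the CORRECTED list is an assumption about what the lines were meant to be), a small Python lint that flags each of these before the rules are ever handed to iptables or ip:

```python
import re

# Hypothetical pre-flight lint for hand-typed lines in /etc/shorewall/start and
# /etc/shorewall/init (written for this page, not part of Shorewall). It reports
# the mistakes the restart output above shows before iptables/ip are ever run.
VALID_STATES = {"NEW", "ESTABLISHED", "RELATED", "INVALID"}


def lint_line(line):
    """Return the problems found in one start/init line (empty list = OK)."""
    problems = []
    # "Unknown arg `--dport'": port matches only exist once -p tcp|udp is given.
    if re.search(r"--[sd]port\b", line) and not re.search(r"-p\s+(tcp|udp)\b", line):
        problems.append("--dport/--sport used without -p tcp or -p udp")
    # "Bad state `ESTABILISHED,RELATED'": each comma-separated state must be valid.
    m = re.search(r"--state\s+(\S+)", line)
    if m:
        bad = [s for s in m.group(1).split(",") if s not in VALID_STATES]
        if bad:
            problems.append("unknown conntrack state(s): " + ",".join(bad))
    # "fwmark value is invalid": ip wants 0x-prefixed hex or decimal, not bare "CA".
    m = re.search(r"\bfwmark\s+(\S+)", line)
    if m and not re.fullmatch(r"0x[0-9a-fA-F]+|\d+", m.group(1)):
        problems.append("fwmark %r must be 0x-prefixed hex or decimal" % m.group(1))
    # The init script printed "0 /proc/sys/..." instead of writing it: '>' missing.
    if re.match(r"\s*echo\s+\S+\s+/proc/sys/", line):
        problems.append("echo to /proc/sys without the '>' redirect")
    return problems


def lint(lines):
    """Map line index (0-based) to its problems, for the lines that have any."""
    return {i: lint_line(l) for i, l in enumerate(lines) if lint_line(l)}


# The faulty lines as posted in the thread, and the same lines corrected.
POSTED = [
    "iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 --dport 80 -j REDIRECT --to-port 3128",
    "iptables -A FORWARD -m state --state ESTABILISHED,RELATED -j ACCEPT",
    "ip rule add fwmark CA table www.out",
    "echo 0 /proc/sys/net/ipv4/conf/eth1/send_redirects",
]
CORRECTED = [
    "iptables -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-port 3128",
    "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "ip rule add fwmark 0xCA table www.out",
    "echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects",
]
```

Once the typo is fixed the FORWARD line is redundant anyway: Shorewall already installs the RELATED,ESTABLISHED accept in its own chains (see net2loc and loc2net in the iptables-save output of the first post), which is also where the FTP helper's RELATED data connections are admitted.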


xilace 11-01-2004 06:36 PM

Anybody got any ideas? I'm still lost on this.

xilace 11-02-2004 09:55 AM

*bump*
Still need some help =/

tellef 11-16-2006 10:52 AM

Shorewall
 
Hi.

It appears from your command-line output that you got things a bit messed up. If you read it closely you will see that you have zones defined that do not have a NIC or IP range, and you are allowing scary things in the policy file, for example:

-Policy ACCEPT for net to fw using chain all2all
-Policy ACCEPT for net to loc using chain all2all

These lines are like blowing a hole in the wall with a shotgun.
What they say is "everyone is welcome in".

You need to DROP packets from net to $fw and net to loc.
Then in /etc/shorewall/rules you need to DNAT incoming connections from net to "ip-addr-given" on loc (or preferably a DMZ zone if you can spare a NIC) for the FTP connection, and also ALLOW with the same specs. Sample from my own firewall:

DNAT net dmz:x.x.x.x:21 tcp 21
FTP/ACCEPT:info net dmz:x.x.x.x

The documentation section at www.shorewall.net has several excellent HOWTOs for many applications.
:confused: :study: :)
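
As an added illustration of the policy change described in this reply (example configuration written for this page, not from the thread or from Shorewall's own sample files; zone names are the ones the thread uses), the posted /etc/shorewall/policy beside a version that closes the inbound direction:

```text
# Posted /etc/shorewall/policy: every zone pair is accepted, which is what the
# "Policy ACCEPT for net to fw" and "net to loc" lines in the restart output mean:
# the firewall accepts any connection arriving from the Internet to itself and
# forwards any it can route into the LAN.
#SOURCE  DEST   POLICY   LOG LEVEL
all      all    ACCEPT

# Corrected: only outbound traffic is open by default. Anything from net that no
# rule in /etc/shorewall/rules explicitly permits is dropped and logged, so
# inbound FTP needs an explicit DNAT/ACCEPT rule like the sample above, while
# outbound FTP still works via the AllowFTP rule plus the ip_conntrack_ftp and
# ip_nat_ftp helpers. loc<->fw traffic (e.g. the Squid REDIRECT to 3128) stays
# governed by the ACCEPT loc fw rules already in the rules file.
#SOURCE  DEST   POLICY   LOG LEVEL
loc      net    ACCEPT
fw       net    ACCEPT
net      all    DROP     info
all      all    REJECT   info
```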

