LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-21-2012, 07:30 AM   #1
sandeepc04
Member
 
Registered: Jun 2012
Location: India
Posts: 66

Rep: Reputation: Disabled
Smile How to allow LeechFTP in iptables for RHEL-5


Hi friends,

Iptable is blocking leechftp tool....We have one win ftp server in out of office ex: 10.10.10.1 (ftp port no given like 2222) and at office we have installed leechftp tool in win2003 machine, and at office internet line is going by linux squid server, When i start iptables in leechftp is not running when i stop iptables/firewall its working fine.


I wanted to allow leechftp by iptables please help me out on this...


I am weak in iptables please give me answers in examples...


Regareds,
Sandeep CC
 
Old 06-22-2012, 01:10 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
All right lets figure this out.
As a standard rule set I would advise using stateful inspection. Makes life real easy.
Code:
iptables -A INPUT -m state --state ESTABLISHEd,REALTED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,ReLATED -j ACCEPT
iptables is the command
-A stands for append.
Input and output are chains within iptables. Input is for incoming and output is for ?? packets. There is also forward in the normal tables which is for packets beeing routed through the machine.
-m is the load module option followed by the name of the module we want: state
--state is an option of the loaded module and takes the name of the states we like
-j means jump (but don't forget to land) to the target. target can be many things. here we go for ACCEPT. That ends the firewall for matching packets and the packets is accepted on the host.

So as we have our standard rules we have to open the ftp port.
Code:
grep ftp /etc/services
ftp-data	20/tcp
ftp		21/tcp
tftp		69/udp
sftp		115/tcp
ftps-data	989/tcp				# FTP over SSL (data)
ftps		990/tcp
venus-se	2431/udp			# udp sftp side effect
codasrv-se	2433/udp			# udp sftp side effect
gsiftp		2811/tcp
gsiftp		2811/udp
frox		2121/tcp			# frox: caching ftp proxy
zope-ftp	8021/tcp			# zope management by ftp
Just take port 21 and allow incoming connections

Code:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
-p means protocol. We want the tcp one
--dport means destination port.

Thats just the basic and should work if not see the man page for the ftp conntracak helper module. Dunno if it's still in use. Maybe you have to allow all traffic on the lo interface as well.

I guess you already have the policies set to generally drop all packets and only allow explicitly. If not
Code:
iptables -P INPUT DROP
iptables -P INPUT DROP
iptables -P FORWARd DROP
 
Old 06-22-2012, 08:43 AM   #3
sandeepc04
Member
 
Registered: Jun 2012
Location: India
Posts: 66

Original Poster
Rep: Reputation: Disabled
zhjim thanks for your reply,


As you given in post i have enabled all port in iptable file, but still ftp sites and leechftp is not working, and also by enabling iptables msoutlook is blocking, mails are not working,


-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p udp --dport 69 -j ACCEPT
-A INPUT -p tcp --dport 115 -j ACCEPT
-A INPUT -p tcp --dport 989 -j ACCEPT
-A INPUT -p tcp --dport 990 -j ACCEPT
-A INPUT -p udp --dport 2431 -j ACCEPT
-A INPUT -p udp --dport 2433 -j ACCEPT
-A INPUT -p tcp --dport 2811 -j ACCEPT
-A INPUT -p udp --dport 2811 -j ACCEPT
-A INPUT -p tcp --dport 2121 -j ACCEPT
-A INPUT -p tcp --dport 8021 -j ACCEPT


This thing i have done in iptables file,

Please let me know where i am doing mistake...


Regards,
Sandeep CC
 
Old 06-25-2012, 01:00 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
The iptables look good for me. Just what about the outgoing packets?
Please provide the output of iptables-save. So I can see all iptable rules in place.

In advance you can try to set up the following rule
Code:
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,ReLATED -j ACCEPT
As for better readability please provide the output inside CODE blocks of the bb code.
 
Old 06-25-2012, 01:40 AM   #5
sandeepc04
Member
 
Registered: Jun 2012
Location: India
Posts: 66

Original Poster
Rep: Reputation: Disabled
Hi,

Thanks for your reply, This is my iptables output... Please check any mistake i am doing so its not working...But still ftp/leechftp is not working....



[root@edulinux-server squid]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
4 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:115
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:989
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:990
8 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2431
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2433
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2811
11 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2811
12 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121
13 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8021
14 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
16 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:25
17 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED

Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631
8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
10 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpt:3128
11 ACCEPT udp -- 172.16.4.0/24 172.16.4.0/24 udp dpt:3128
12 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpt:67
13 ACCEPT udp -- 172.16.4.0/24 172.16.4.0/24 udp dpt:67
14 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpt:68
15 ACCEPT udp -- 172.16.4.0/24 172.16.4.0/24 udp dpt:68
16 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpt:25
17 ACCEPT udp -- 172.16.4.0/24 172.16.4.0/24 udp dpt:25
18 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpt:110
19 ACCEPT udp -- 172.16.4.0/24 172.16.4.0/24 udp dpt:110
20 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpt:111
21 ACCEPT udp -- 172.16.4.0/24 172.16.4.0/24 udp dpt:111
22 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpts:137:139
27 ACCEPT tcp -- 172.16.4.0/24 172.16.4.0/24 tcp dpt:80
28 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

[root@edulinux-server squid]#


"-A OUTPUT -m state --state NEW,ESTABLISHED,ReLATED -j ACCEPT" This line i have mentioned...please help me out on this...
 
Old 06-25-2012, 02:03 AM   #6
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
Should have thought about that RHEL is doing things a bit different. They create their own chain and put all rules inside there. Did you spot it?

It's the 1 RH-Firewall-1-INPUT chain. The first rule inside the INPUT chain jumps to it. And the last rule of the RH-Firewall chain rejects all packets. There seems to be graphic config option under redhat: http://docs.redhat.com/docs/en-US/Re...-firewall.html. You might also check the iptables section of this document: www.centos.org/docs/4/pdf/rhel-rg-en.pdf

I would just do this.
Code:
iptables -I RH-Firewall-1-INPUT 9 -p tcp --dport 21 -j ACCEPT
It all comes down to adding new rules to the RH-Firwall-1-INPUT chain. Or using the build in commands of RHEL.
 
Old 06-25-2012, 03:53 AM   #7
sandeepc04
Member
 
Registered: Jun 2012
Location: India
Posts: 66

Original Poster
Rep: Reputation: Disabled
Zhjim,


Sorry for disturb you, I am very week in iptables rules, as you said i have mentioned everything but still its not working, When i stop iptables ftp://10.10.10.1:2222/ its asking for user and password and site is opening, but when i start Iptables it will ask for user and pass, when i give correct user and pass till will not open this site, its not going to directory, its giving one error message

"An error occured opening that folder on FTP server. Make sure you have permission to access that folder. Deatails: The server name or address could not be resolved"

Bellow i am giving full my IPTABLES File snap... Please check where exacly i am doing mistake...



[root@edulinux-server sysconfig]# vi iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##SSH PORT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 68 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 68 -j ACCEPT
##SMTP
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 25 -j ACCEPT
##POP3
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 110 -j ACCEPT
##PORT MAP PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 111 -j ACCEPT
##NETBOIS SAMBA PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 137:139 -j ACCEPT
##FTP PORT
-A RH-Firewall-1-INPUT -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 69 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 115 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 989 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2431 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2433 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 2811 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2811 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 2121 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 8021 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
##HTTP PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 80 -j ACCEPT
##
##SMTP and POP3##
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 110 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,ReLATED -j ACCEPT
##
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Please help me out on this...

Thanks and Regards,
Sandeep CC

Last edited by sandeepc04; 06-25-2012 at 11:10 PM.
 
Old 06-25-2012, 04:01 AM   #8
whysoserious
Member
 
Registered: May 2012
Location: London
Distribution: Debian and slackware for uni
Posts: 61

Rep: Reputation: Disabled
Download and install webmin.
 
Old 06-26-2012, 12:29 AM   #9
sandeepc04
Member
 
Registered: Jun 2012
Location: India
Posts: 66

Original Poster
Rep: Reputation: Disabled
FTP sites are not working yet... When iptables is stop sites are opening, but when iptables is start/on that time its strucking... its asking for user name and password and from there its not going next....I have opened port 21 and tried... Below giving my IPTABLE File snap shot please check and let me know if any silly mistake i am doing.....


[root@edulinux-server sysconfig]# vi iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
##SSH PORT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
##SQUID PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 3128 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 3128 -j ACCEPT
##DHCP PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 67 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 68 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 68 -j ACCEPT
##PORT MAP PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p udp --dport 111 -j ACCEPT
##NETBOIS SAMBA PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 137:139 -j ACCEPT
##FTP PORT
-A RH-Firewall-1-INPUT -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 69 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 115 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 989 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 990 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2431 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2433 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 2811 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2811 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 2121 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 8021 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 2222 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT
##HTTP PORT
-A RH-Firewall-1-INPUT -s 172.16.4.0/24 -d 172.16.4.0/24 -p tcp --dport 80 -j ACCEPT
##
##SMTP and POP3##
-A RH-Firewall-1-INPUT -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 110 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 110 -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,ReLATED -j ACCEPT
##Remote Desktop
-A RH-Firewall-1-INPUT -p tcp --dport 3389 -j ACCEPT
##
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT



Regards,
Sandeep CC
 
Old 06-26-2012, 01:18 AM   #10
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233Reputation: 233Reputation: 233
You also need the conntrack_ftp module loaded. After that ftp should work with iptables in place to the fullest extend.
Code:
modprobe nf_conntrack_ftp
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with iptables redirect on RHEL 6 GriffGeorge Linux - Networking 5 04-26-2012 05:35 AM
chkconfig iptables rhel 5.6 skjelmose Red Hat 7 01-30-2012 08:29 AM
IPTables+RHEL 5 internet sharing eagle06 Linux - Networking 5 03-30-2010 12:04 PM
iptables module not loading. RHEL 4. noir911 Red Hat 1 05-26-2009 08:07 PM
iptables string module on RHEL st3reo Linux - Enterprise 6 07-09-2006 04:26 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:18 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration