LinuxQuestions.org

Linux - Security > Firewall HELP (https://www.linuxquestions.org/questions/linux-security-4/firewall-help-12160/)

IRQ14 01-19-2002 11:09 PM

Firewall HELP
 
Hey... I need some help setting up a firewall which will allow only specific IPs to access my FTP.
The FTP server is running on a Windows 2000 machine. I'm forwarding a port from the Linux box to the Windows 2000 machine for the FTP service. Here's the code for the FTP forwarding:
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

I've tried using hosts.allow and hosts.deny for this but it didn't work... unless I did it wrong.

Also, the goal is to make it seem that the FTP doesn't exist when unauthorized users try to connect, i.e.:
Connecting to 24.xxx.xxx.xxx
Connection Failed

Please help
Thanks.

theFuzzyOne 01-20-2002 12:36 PM

Have you tried FTPing with your firewall open (allow everything) to see if your port forwarding is working? You may need to add additional rules to make that happen. Can you FTP from the Linux box to the W2K server?

IRQ14 01-20-2002 02:29 PM

FTP is working with no problems at all... the only thing is I need to allow only a few users to access the site.
Right now the FTP is allowing whoever has the password and username to access the site.

I tried doing:

iptables -t nat -A PREROUTING -i eth0 -p TCP -s 24.101.208.98 --dport 654 -j ACCEPT
and
iptables -t nat -A PREROUTING -j DROP
and then
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

meaning that anyone coming in from the 24.101.208.98 IP will be accepted... for anyone else the connection will drop.
But that didn't work:
it dropped all incoming connections to the FTP and didn't allow the user with the 24.101.208.98 IP to access it.

theFuzzyOne 01-20-2002 02:32 PM

port number? --dport 21 perhaps?

IRQ14 01-20-2002 02:35 PM

Why would it be 21?
The outside port which people use to connect to the FTP would be 654... whatever is coming in on 654 will be redirected to port 21... so what I need to do is stop unauthorized IPs from getting in on port 654.

IRQ14 01-20-2002 02:36 PM

But then again, what you're saying does make sense:
whatever's coming in on 654 is destined for port 21, and those packets should be dropped.

raz 01-21-2002 05:41 AM

Block it at the input rule.
The packets go prerouting then input.

So you would have the rules.
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p igmp -j DROP

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

iptables -A INPUT -i eth0 -p tcp -s 24.101.208.98 --sport 1024:65535 -d your_firewalls_ip_address --dport 654 -j ACCEPT

iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT

Plus, you need to do the rest of the firewall rules to get other services working.

/Raz
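Putting the thread's pieces together as an added example (this is not code from any of the posters): the DNAT is restricted to the one allowed address, and the filtering goes in FORWARD, which is the chain a DNAT'd packet actually traverses once its destination has been rewritten to the LAN host. The LAN interface name eth1 and the conntrack helper module names are assumptions.

```shell
#!/bin/sh
# Added example, not from any poster in the thread: allow one source
# address through the DNAT'd FTP forward eth0:654 -> 192.168.0.2:21 and
# silently drop everyone else. Addresses and ports are the thread's;
# LAN_IF=eth1 and the helper module names are assumptions.
WAN_IF=eth0
LAN_IF=eth1
ALLOWED_SRC=24.101.208.98
EXT_PORT=654
FTP_HOST=192.168.0.2
FTP_PORT=21
# Emit the rule set as text so it can be reviewed (or checked) before
# apply_rules feeds it to the shell.
rules() {
    cat <<EOF
iptables -t nat -F PREROUTING
iptables -F FORWARD
iptables -P FORWARD DROP
# FTP data channels are only tracked as RELATED with the conntrack helper
# (assumption: ip_conntrack_ftp/ip_nat_ftp on the thread's 2.4 kernel).
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
# Translate only for the allowed source. Other clients' packets are never
# rewritten; they stay addressed to the firewall itself and die in INPUT
# (policy DROP, as above), so their connect attempt just times out.
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -s $ALLOWED_SRC --dport $EXT_PORT -j DNAT --to-destination $FTP_HOST:$FTP_PORT
# After DNAT the packet is routed to the LAN host, so it traverses FORWARD,
# not INPUT, carrying the rewritten destination $FTP_HOST:$FTP_PORT.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -s $ALLOWED_SRC -d $FTP_HOST --dport $FTP_PORT -m state --state NEW -j ACCEPT
# Passive-mode data connections arrive on other ports; the helper marks
# them RELATED, so accept them from the allowed source only.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -s $ALLOWED_SRC -d $FTP_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# DROP rather than REJECT: no RST goes back, so the client only ever sees
# "Connection Failed".
iptables -A FORWARD -i $WAN_IF -p tcp -d $FTP_HOST --dport $FTP_PORT -j DROP
EOF
}

# Number of rules appended to a chain; handy for sanity-checking the set.
count_chain() {
    rules | grep -v '^#' | grep -c -- "-A $1 "
}

apply_rules() {
    rules | grep -v '^#' | sh -e
}

if [ "$1" = "--apply" ]; then apply_rules; fi
```

Run it with --apply to load the rules; without that flag it only defines the functions, so sourcing it and calling rules prints the set for review.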
