LinuxQuestions.org
Linux - Security
Old 11-12-2003, 03:46 AM   #1
cubee
LQ Newbie
 
Registered: Nov 2003
Location: Tarnow, Poland
Distribution: Slackware, Redhat
Posts: 7

Rep: Reputation: 0
Firewall - iptables - ftp connections


Hello,

I wrote a simple firewall script using iptables. I have a simple network:
internet (DSL) -- eth0 (external) -- eth1 and eth2 (internal interfaces).
I use Slackware 9.1 (2.4.22-grsec).

I have a problem with outgoing FTP connections using wget. When I try to use
wget to download files from FTP I get a timeout. With another program (ncftpget) I don't have this problem, only with wget. Wget with HTTP connections works properly.
In my opinion there is a bug in the firewall script, but I'm still learning iptables rules.

Please help me: where is the bug in the firewall, and what should I add/change to make my network more secure? Thank you a lot.

Best regards,
cubee

This is my script:

#!/bin/sh

EXT=80.80.80.80
echo "1" > /proc/sys/net/ipv4/ip_forward
# FTP connection-tracking helper: follows the PORT/PASV exchange on the control
# channel (port 21) so that the data connection is tracked as RELATED.
/sbin/modprobe ip_conntrack_ftp
# FTP NAT helper: rewrites the private address that masqueraded LAN clients put
# into their PORT commands.
/sbin/modprobe ip_nat_ftp

# Flush rules and delete user chains in both tables (filter is the default table).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
# OUTPUT keeps its default policy (ACCEPT).

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT

# Return traffic of connections we are tracking.
iptables -A INPUT -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A INPUT -p icmp -j ACCEPT -m state --state RELATED
# Active-mode FTP from this host: the server opens the data connection (from its
# port 20) to the high port we announced with PORT. With ip_conntrack_ftp loaded
# that inbound SYN is RELATED, not NEW. Without a tcp RELATED rule in INPUT the
# DROP policy discards it and an active-mode transfer hangs until it times out.
iptables -A INPUT -p tcp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A FORWARD -p tcp -j ACCEPT -m state --state RELATED
iptables -A FORWARD -p icmp -j ACCEPT -m state --state RELATED
iptables -A OUTPUT -p tcp -j ACCEPT -m state --state ESTABLISHED
iptables -A OUTPUT -p udp -j ACCEPT -m state --state ESTABLISHED
iptables -A OUTPUT -p icmp -j ACCEPT -m state --state ESTABLISHED
iptables -A OUTPUT -p tcp -j ACCEPT -m state --state RELATED
iptables -A OUTPUT -p icmp -j ACCEPT -m state --state RELATED

# New inbound connections to services on the external address.
# No rule for port 20: in active mode the server connects FROM port 20 and in
# passive mode the data port is a high port, so nothing legitimate ever opens a
# connection TO port 20 on this host.
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 21 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 22 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 25 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 80 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 110 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 143 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 443 --syn -j ACCEPT
iptables -I INPUT -p tcp -s 0/0 -d $EXT --destination-port 53 --syn -j ACCEPT
iptables -I INPUT -p udp -s 0/0 -d $EXT --destination-port 53 -j ACCEPT

#LAN
TCP_OUT_ALLOW=20,21,22,25,53,80,110,119,443,1110,1550,6346,8074,8080
UDP_OUT_ALLOW=20,21,22,25,53,110,119,123,1110,6346
iptables -A OUTPUT -o eth0 -p tcp -j ACCEPT -m state --state NEW -m multiport --destination-port $TCP_OUT_ALLOW
iptables -A OUTPUT -o eth0 -p udp -j ACCEPT -m state --state NEW -m multiport --destination-port $UDP_OUT_ALLOW
iptables -A FORWARD -o eth0 -p tcp -j ACCEPT -m state --state NEW -m multiport --destination-port $TCP_OUT_ALLOW
iptables -A FORWARD -o eth0 -p udp -j ACCEPT -m state --state NEW -m multiport --destination-port $UDP_OUT_ALLOW

#MASQ
# NOTE: these ACCEPTs match on address only, not on the interface the packet
# arrived on, and the -d rules forward everything from the Internet into the
# LAN; see the discussion further down in this thread.
iptables -t filter -A FORWARD -s 10.11.0.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 10.11.0.0/255.255.255.0 -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.1.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -d 0/0 -j MASQUERADE

#DHCP (UDP only; DHCP never uses TCP)
iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth2 -p udp --sport 68 --dport 67 -j ACCEPT
 
Old 11-12-2003, 04:50 PM   #2
gomix100
LQ Newbie
 
Registered: Nov 2003
Location: Caracas
Distribution: Red Hat
Posts: 13

Rep: Reputation: 0
Hi

No comments about your script (yet); my comment is about the symptom: wget does not work with FTP URLs but another FTP client does...

To me it looks like one is using passive FTP and the other active FTP to connect to the remote FTP server.

It also depends on the remote FTP server; some do not support passive mode.

Please check this first. What method is ncftp using? What method is wget using?

Also check out the ip_nat_ftp.o module; I think you need it because of the masquerading.

Hope this helps
Guillermo
 
Old 11-13-2003, 12:46 AM   #3
cubee
LQ Newbie
 
Registered: Nov 2003
Location: Tarnow, Poland
Distribution: Slackware, Redhat
Posts: 7

Original Poster
Rep: Reputation: 0
Hi.

Thank you for the answer. The situation I described I tested from the server; I did not test from the local computers.
I added the ip_nat_ftp module to my script, but I still have the problems with the FTP connection.

In my opinion I blocked something on the firewall, but I don't know what it is.

Anyway, thank you for answer

Best regards.
/cubEE
 
Old 11-13-2003, 05:50 AM   #4
gomix100
LQ Newbie
 
Registered: Nov 2003
Location: Caracas
Distribution: Red Hat
Posts: 13

Rep: Reputation: 0
Hello

Yes, you might have something blocking in your firewall setup, but I'm just trying to discover what.

If you use lftp (do you have it?) you can switch from passive mode to active mode just by typing:

set ftp:passive-mode off

In the regular ftp client just try "pass" to toggle passive mode on/off.

Most of the documentation I read says that machines behind the firewall should use passive mode for FTP connections, but that's where the ftp_nat module comes in, so in fact you should be able to do both with the right kernel modules.

My first comments about your script:

Line: iptables -F
Line: iptables -t filter -F

These are redundant; filter is the default table.

One more comment: I can't see your policy definition for the nat table chains, so I assume it is just ACCEPT.

Guillermo
 
Old 11-14-2003, 06:49 AM   #5
cubee
LQ Newbie
 
Registered: Nov 2003
Location: Tarnow, Poland
Distribution: Slackware, Redhat
Posts: 7

Original Poster
Rep: Reputation: 0
Hello,

I am sure the problem is with my rules in the firewall script, so I must improve it. Thank you a lot for the answers and attention.

Best regards.

cubEE

PS: I use lftp.
 
Old 11-14-2003, 04:13 PM   #6
gomix100
LQ Newbie
 
Registered: Nov 2003
Location: Caracas
Distribution: Red Hat
Posts: 13

Rep: Reputation: 0
Hi

Normally if I have a problem with my firewall scripts, I first do a trace of the connection I'm trying to achieve. After that it becomes easier to debug your script (and the modules) of your firewall.

What I use is iptraf. I log to a file and then analyze what went wrong.

I suggest you do the same first, no matter where the FTP connection is coming from.
You can also use tcpdump.

regards

Guillermo
 
Old 11-16-2003, 03:58 PM   #7
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
Hey, not being critical here, I just thought I could offer a few tips for helping to make your script more readable.

Firstly, shorten up some of the commands...
ipt=/sbin/iptables
ext=eth0
int=eth1
then use $ipt to kick off your rules and $int or $ext to reference your cards

Try using some other scripting techniques to help 'clean it up'. For instance, if you want to accept a whole list of ports, try this.

# Allow these ports (hypothetical ports... don't just copy this list)
goodports="20 21 22 28 45 145 888 2005 25224"
for p in $goodports
do
$ipt -A INPUT -i $ext -p tcp --dport $p -j ACCEPT
done

In this way, you can add or remove ports without mussing with lines of code and it's much easier on the eyes and brain to read.

Uhm... what else? Set your policies and flush, delete and zero the counters all in one swoop.
# Set policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
$ipt -t $table -F # flush
$ipt -t $table -X # delete
$ipt -t $table -Z # zero
done

And my biggest thing is structure... call me anal, but I think that structure really helps a reader formulate what the firewall is supposed to look like in the end.

Generally, I do this:

#setup variables
#set polices, flush/delete/zero tables
#setup utility tables (examples...)
#1. BAD_IP (drop bad IPs)
#2. SPOOF_CHECK (check for bad IPs)
#setup user tables... at a minimum, usually I don't bother with the OUTPUT table.
#1. IN_NETWORK (all traffic forwarded into the network)
#2. OUT_NETWORK (all traffic forwarded out of the network)
#3. IN_FIREWALL (all traffic into THIS machine)
#setup main rules
#accept all LO traffic...
#Pass all inbound connections to IN_FIREWALL
#Pass forwarded connections to either OUT_NETWORK or IN_NETWORK depending on the direction.
#Turn on Masquerading if required.

I hope this helps in your search for learning about firewalls.

Now, I'll read through your script to see if I can see the problem... wish me luck.
 
Old 11-16-2003, 05:26 PM   #8
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
I spent some time re-writing your firewall (mostly as an exercise for me, 'cause it's been a while since I looked at mine) and I *was* going to post it, but a power outage 5 minutes ago decided that it was a bad idea for me to keep that information. *grrr*

Until I find some more time to do it over, you'll have to wait. Until then, you should seriously take a look at this section.
Quote:
#MASQ
iptables -t filter -A FORWARD -s 10.11.0.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 10.11.0.0/255.255.255.0 -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.1.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.1.0/255.255.255.0 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.11.0.0/24 -d 0/0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.1.0/24 -d 0/0 -j MASQUERADE
Why this section? Well... you don't have any tables that handle spoofed IP addresses, and you allow your computer to forward ALL traffic from 10.11.0.0 to go anywhere! *eek* Remember that in iptables, forwarded traffic DOES NOT get processed by the INPUT table. So I could spoof my 10.11.0.0 address and then use your firewall to forward all my traffic. *eek* It also allows ALLLL traffic to be forwarded from the internet directly to those internal machines! That should never be the case.
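A check for the two problems described above, as an added example that is not part of the thread: a POSIX sh/awk audit run over two constructed rule excerpts, the "#MASQ" lines as posted (BAD) and one way to tighten them (GOOD). Interface names follow the first post's topology (eth0 external, eth1 and eth2 internal); neither excerpt is a complete firewall.

```shell
#!/bin/sh
# Added example (not from the thread): audit a rule set for the two FORWARD
# problems raised above. Both rule excerpts below are constructed.

# The "#MASQ" section as posted: ACCEPTs keyed on address only.
BAD='iptables -t filter -A FORWARD -s 10.11.0.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 10.11.0.0/255.255.255.0 -j ACCEPT
iptables -t filter -A FORWARD -s 172.16.1.0/255.255.255.0 -d 0/0 -j ACCEPT
iptables -t filter -A FORWARD -s 0/0 -d 172.16.1.0/255.255.255.0 -j ACCEPT'

# Tightened: LAN sources are dropped if they show up on the external NIC,
# ACCEPTs are pinned to the interface the LAN actually hangs off, and only
# replies (ESTABLISHED,RELATED) are forwarded in from the Internet.
# Order matters: the anti-spoof DROPs must come before any ACCEPT.
GOOD='iptables -A FORWARD -i eth0 -s 10.11.0.0/24 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.1.0/24 -j DROP
iptables -A FORWARD -i eth1 -o eth0 -s 10.11.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -s 172.16.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Reads a rule set on stdin and counts FORWARD ACCEPTs that trust an RFC 1918
# source address without pinning the ingress interface (-i). Anyone on the
# external NIC can claim such a source, so these are spoofable.
# (The 172.16 alternative covers the nets in this thread, not the whole /12.)
spoofable_accepts() {
    awk '/-A FORWARD/ && /-j ACCEPT/ && /-s (10|172\.16|192\.168)\./ && !/ -i / { n++ }
         END { print n + 0 }'
}

# Counts FORWARD ACCEPTs toward an internal destination that carry no state
# match: every packet from the Internet is forwarded straight into the LAN.
open_inbound_forwards() {
    awk '/-A FORWARD/ && /-j ACCEPT/ && /-d (10|172\.16|192\.168)\./ && !/--state/ { n++ }
         END { print n + 0 }'
}

# audit RULES: prints "spoofable=<n> open_inbound=<m>" for the rule text given.
audit() {
    printf 'spoofable=%s open_inbound=%s\n' \
        "$(printf '%s\n' "$1" | spoofable_accepts)" \
        "$(printf '%s\n' "$1" | open_inbound_forwards)"
}

audit "$BAD"    # spoofable=2 open_inbound=2
audit "$GOOD"   # spoofable=0 open_inbound=0
```

The audit is deliberately narrow: it only looks at FORWARD ACCEPTs, so a script that gets the same effect through a user chain (as the script posted later in this thread does) needs its chain contents fed in too. Pipe your own script through `spoofable_accepts` and `open_inbound_forwards` to get the counts; anything other than zero is a rule to bind to an interface or to a state match.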
 
Old 11-16-2003, 07:16 PM   #9
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
#!/bin/sh
#
# Firewall script for cubee v0.1
# nov.16.2003 - jordan_harkness @ hotmail.com
#
# By design...
# . We drop all INPUT and FORWARD packets by default to deter DOS attacks
# . We allow all OUTPUT packets because there is usually no reason to stop them
# . We allow all loopback connections
# . We allow all internal connections to this host
# . We allow only new external connections to this host on the specified tcp/udp ports
# . We allow only related and established external connections to this host
# . We allow all external ICMP connections to this host
# . We allow all internal connections to external hosts
# . We allow only established and related external connections to internal hosts
# . We deny all external spoofed connections
# . We deny all external invalid connections
# . We do logging... comment it out if it's too much.

echo "1" > /proc/sys/net/ipv4/ip_forward
# FTP helpers: ip_conntrack_ftp makes FTP data connections RELATED (so the
# ESTABLISHED,RELATED rules below let them through); ip_nat_ftp fixes up the
# PORT commands of masqueraded internal clients.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

##########################
# !!! WARNING !!!        #
# Be Precise or reboot   #
##########################
ext1=eth0 # External NIC (the DSL side in the first post)
int1=eth1 # Internal NIC
int2=eth2 # Internal NIC
##########################

# Constants
ipt="/sbin/iptables"
logops="--log-level=3 -m limit --limit 1/second --limit-burst 10"
spoofed="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16 255.255.255.255"
# Ports open on the firewall. These are only for NEW connections
ok_ext_tcp_ports="21 22 25 53 80 110 143 443"
ok_ext_udp_ports="53"

# Set policies
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT

# Delete table rules, chains and counters
for table in filter nat mangle
do
    $ipt -t $table -F # flush
    $ipt -t $table -X # delete
    $ipt -t $table -Z # zero
done

# Log bad IP
$ipt -N BAD_IP
$ipt -A BAD_IP -j LOG --log-prefix "IPT: BAD IP: " $logops
$ipt -A BAD_IP -j DROP
# Spoofed IP chain: private/reserved sources must never arrive on the external NIC
$ipt -N SPOOF
for spf in $spoofed
do
    $ipt -A SPOOF -s $spf -j BAD_IP
done

# Packets into network
$ipt -N IN_NETWORK
$ipt -A IN_NETWORK -s 0/0 -d 0/0 -m state --state INVALID -j DROP
$ipt -A IN_NETWORK -j SPOOF
$ipt -A IN_NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_NETWORK -j LOG --log-prefix "IPT: IN_NETWORK: " $logops
$ipt -A IN_NETWORK -j DROP

# Packets out of network
$ipt -N OUT_NETWORK
$ipt -A OUT_NETWORK -i $int1 -j ACCEPT
$ipt -A OUT_NETWORK -i $int2 -j ACCEPT
$ipt -A OUT_NETWORK -j LOG --log-prefix "IPT: OUT_NETWORK: " $logops
$ipt -A OUT_NETWORK -j DROP

# Packets entering firewall
$ipt -N IN_FIREWALL
$ipt -A IN_FIREWALL -s 0/0 -d 0/0 -m state --state INVALID -j DROP
$ipt -A IN_FIREWALL -j SPOOF
$ipt -A IN_FIREWALL -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_FIREWALL -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A IN_FIREWALL -p icmp -j ACCEPT
# Allow new connections to these TCP ports.
# --dport $port_ok is what limits each rule to the listed port; without it
# every NEW connection would be accepted.
for port_ok in $ok_ext_tcp_ports
do
    $ipt -A IN_FIREWALL -p tcp --dport $port_ok -m state --state NEW -j ACCEPT
done
# Allow new connections to these UDP ports
for port_ok in $ok_ext_udp_ports
do
    $ipt -A IN_FIREWALL -p udp --dport $port_ok -m state --state NEW -j ACCEPT
done

# Main Rules
$ipt -A INPUT -i lo -j ACCEPT # Allow all connections via loopback
$ipt -A INPUT -i $int1 -j ACCEPT
$ipt -A INPUT -i $int2 -j ACCEPT
$ipt -A INPUT -i $ext1 -j IN_FIREWALL

$ipt -A FORWARD -i $ext1 -j IN_NETWORK
$ipt -A FORWARD -i $int1 -j OUT_NETWORK
$ipt -A FORWARD -i $int2 -j OUT_NETWORK

# Turn on Masquerading
$ipt -t nat -A POSTROUTING -o $ext1 -j MASQUERADE
 
Old 12-03-2003, 10:13 PM   #10
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
I am having this problem as well, and I think it's because the FTP server tries to change the port when doing different transfers... watching my FTP I can connect but not do anything after that... any ideas why?
 
Old 12-04-2003, 09:48 AM   #11
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
You are both likely experiencing problems with active mode (standard mode) FTP. Keep in mind that when using active mode transfers the SERVER initiates the data connection, while you only initiate the command connection.

Try switching to passive mode.
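What the FTP connection-tracking helper has to see on the control channel before it can mark a data connection RELATED, as an added example that is not part of the thread (it also covers the ip_nat_ftp point raised earlier): a POSIX sh parser for the PORT command and the "227 Entering Passive Mode" reply, plus the address rewrite the NAT helper performs for a masqueraded client. The control-channel lines, the LAN client 10.11.0.5 and the server 198.51.100.7 are constructed; 80.80.80.80 is the gateway address from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): the two control-channel messages that
# decide who opens the FTP data connection, parsed the way ip_conntrack_ftp
# has to parse them. All sample lines are constructed.
#
#   active:  client sends   PORT h1,h2,h3,h4,p1,p2
#            -> the SERVER connects from its port 20 to h1.h2.h3.h4:(p1*256+p2)
#   passive: server replies 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
#            -> the CLIENT connects to h1.h2.h3.h4:(p1*256+p2)

# ftp_data_endpoint LINE
# Prints "<mode> <ip> <port> <side that opens the data connection>",
# or fails for any other control-channel line. The body runs in a subshell
# so the IFS change used for splitting does not leak out.
ftp_data_endpoint() (
    case $1 in
        PORT\ *) mode=active;  tuple=${1#"PORT "} ;;
        227\ *)  mode=passive; tuple=${1#*\(}; tuple=${tuple%%\)*} ;;
        *)       exit 1 ;;
    esac
    tuple=$(printf '%s' "$tuple" | tr -d ' \r')   # strip CR and stray blanks
    IFS=,
    set -- $tuple
    [ $# -eq 6 ] || exit 1
    if [ "$mode" = active ]; then opener=server; else opener=client; fi
    printf '%s %s.%s.%s.%s %s %s\n' "$mode" "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 )) "$opener"
)

# nat_port_command LINE PUBLIC_IP
# What ip_nat_ftp does for a masqueraded LAN client in active mode: the PORT
# command carries the client's private address, which the server cannot reach,
# so it is rewritten to the gateway's public address. (The real helper may also
# remap the port; only the address rewrite is shown here.)
nat_port_command() (
    case $1 in PORT\ *) ;; *) exit 1 ;; esac
    pub=$(printf '%s' "$2" | tr . ,)
    tuple=$(printf '%s' "${1#"PORT "}" | tr -d ' \r')
    IFS=,
    set -- $tuple
    [ $# -eq 6 ] || exit 1
    printf 'PORT %s,%s,%s\n' "$pub" "$5" "$6"
)

# Constructed lines as a client at 10.11.0.5 behind the 80.80.80.80 gateway
# would produce or receive them.
ftp_data_endpoint 'PORT 10,11,0,5,4,1'                               # active 10.11.0.5 1025 server
ftp_data_endpoint '227 Entering Passive Mode (198,51,100,7,195,80)'  # passive 198.51.100.7 50000 client
nat_port_command  'PORT 10,11,0,5,4,1' 80.80.80.80                    # PORT 80,80,80,80,4,1
```

The last field of `ftp_data_endpoint` says which chain the firewall has to care about. When the server opens the data connection (active mode), the SYN arrives from outside: for a client running on the gateway itself that is INPUT, for a masqueraded LAN client it is FORWARD, and in both cases the packet is only RELATED rather than NEW if ip_conntrack_ftp saw the PORT command on port 21 (and, for the LAN client, ip_nat_ftp rewrote it as `nat_port_command` shows, otherwise the server tries to connect to 10.11.0.5). When the client opens it (passive mode), the SYN leaves through OUTPUT or FORWARD, and the script in the first post already accepts that direction (tcp RELATED in FORWARD and OUTPUT).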
 
Old 12-08-2003, 09:38 PM   #12
FrozenPenquin
LQ Newbie
 
Registered: Dec 2003
Distribution: Happy SuSe Pro User !!
Posts: 23

Rep: Reputation: 15
OK, I'm brand new to Linux and just installed SuSE Pro v9. Can someone direct me on where or how to get a firewall up and running? Thanks.
Fp
 
Old 12-08-2003, 09:46 PM   #13
JordanH
Member
 
Registered: Oct 2003
Location: Toronto, Canada
Distribution: Ubuntu, FC3, RHEL 3-4 AS Retired: SuSE 9.1 Pro, RedHat 6-9, FC1-2
Posts: 360

Rep: Reputation: 30
You should post your question as a new thread rather than appending it at the bottom of someone else's request. It will increase your chances of receiving a reply.

There are tonnes and tonnes of resources available on this subject. Try these links to help you get started with your search...
http://www.google.com
http://www.linuxdoc.org
http://www.linuxquestions.org/questions/search.php

Judging by your nondescript, generic question, I suspect you are not doing this for business and are a typical home user. Try this link.
http://www.linuxquestions.org/questi...hreadid=121379
 
Old 12-08-2003, 09:57 PM   #14
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
look into:
IPTABLES

if u have a specific problem/question re-post

there are HEAPS of posts on iptables
 
Old 12-08-2003, 10:07 PM   #15
FrozenPenquin
LQ Newbie
 
Registered: Dec 2003
Distribution: Happy SuSe Pro User !!
Posts: 23

Rep: Reputation: 15
Thank you Jordan, Chris, but I didn't want to start another thread, so I apologize for that; next time I'll know.
 
  

