Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-15-2002, 06:59 PM, #1
LQ Newbie | Registered: Dec 2002 | Location: San Francisco, CA, USA | Distribution: LFS, Splack, Redhat 6.2 | Posts: 5
ip_conntrack_ftp... I can't get PASV ftp?
Hey folks. I have been playing around with ipchains. I seem to be running into a problem getting PASV ftp connections out and I was wondering if anybody can point out to me where I went wrong.
This is the configuration for one box that has 3 NICs.
eth0 -> 192.168.1.0/24 *** $INET_IP: $HOST_SARAH, the gateway to the internet is on this network too.
eth1 -> 172.16.64.0/18 *** $LAN_IP_1, $HOST_LX
eth2 -> 172.16.128.0/18 *** $LAN_IP_2, $HOST_CL
I think I am missing something with the conntrack stuff, because I need to enable both echo requests and replies (8 and 0), as well as let DNS service both to and from the internet DNS servers (none on my side).
Anyways, here it goes:
[code]
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Set policies
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# My chains
#
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N allow_hosts
$IPTABLES -N allow_hosts_d
$IPTABLES -N allow_hosts_allow
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#######################
# content of My chains
#
#
# bad_tcp_packets chain
#
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
#
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# allow FROM hosts (allow_hosts chain)
#
$IPTABLES -A allow_hosts -p ALL -s $HOST_LX -j ACCEPT
$IPTABLES -A allow_hosts -p ALL -s $HOST_CL -j ACCEPT
$IPTABLES -A allow_hosts -p ALL -s $HOST_SARAH -j ACCEPT
$IPTABLES -A allow_hosts -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A allow_hosts -p ALL -s $LAN_IP_1 -j ACCEPT
$IPTABLES -A allow_hosts -p ALL -s $LAN_IP_2 -j ACCEPT
#
# allow TO (allow_hosts_d chain)
#
$IPTABLES -A allow_hosts_d -p ALL -d $HOST_LX -j ACCEPT
$IPTABLES -A allow_hosts_d -p ALL -d $HOST_CL -j ACCEPT
$IPTABLES -A allow_hosts_d -p ALL -d $HOST_SARAH -j ACCEPT
$IPTABLES -A allow_hosts_d -p ALL -d $INET_IP -j ACCEPT
$IPTABLES -A allow_hosts_d -p ALL -d $LAN_IP_1 -j ACCEPT
$IPTABLES -A allow_hosts_d -p ALL -d $LAN_IP_2 -j ACCEPT
#
#(allow_hosts_allow chain) allow TO hosts, depending on STATE (allowed chain)
#
$IPTABLES -A allow_hosts_allow -p ALL -d $HOST_LX -j allowed
$IPTABLES -A allow_hosts_allow -p ALL -d $HOST_CL -j allowed
$IPTABLES -A allow_hosts_allow -p ALL -d $HOST_SARAH -j allowed
$IPTABLES -A allow_hosts_allow -p ALL -d $INET_IP -j allowed
$IPTABLES -A allow_hosts_allow -p ALL -d $LAN_IP_1 -j allowed
$IPTABLES -A allow_hosts_allow -p ALL -d $LAN_IP_2 -j allowed
#
# tcp_packets chain
#
# allow these ports FROM HOSTS
$IPTABLES -A tcp_packets -p TCP --dport 22 -j allow_hosts
$IPTABLES -A tcp_packets -p TCP --dport 80 -j allow_hosts
$IPTABLES -A tcp_packets -p TCP --dport 21 -j allow_hosts
#$IPTABLES -A tcp_packets -p TCP --dport 20 -j allow_hosts
# allow these ports FROM $INET_IP
$IPTABLES -A tcp_packets -p TCP --dport 110 -s $INET_IP -j ACCEPT
$IPTABLES -A tcp_packets -p TCP --dport 25 -s $INET_IP -j ACCEPT
# allow everything ESTABLISHED,RELATED TO all hosts
$IPTABLES -A tcp_packets -p TCP -j allow_hosts_allow
#
# udpincoming_packets
#
# in and out for hosts on both dns addresses
$IPTABLES -A udpincoming_packets -p UDP \
--dport 53 -d 206.13.28.12 -j allow_hosts
$IPTABLES -A udpincoming_packets -p UDP \
--dport 53 -d 206.13.29.12 -j allow_hosts
#Do I need this?
$IPTABLES -A udpincoming_packets -p UDP \
--sport 53 -s 206.13.28.12 -j allow_hosts_d
$IPTABLES -A udpincoming_packets -p UDP \
--sport 53 -s 206.13.29.12 -j allow_hosts_d
#
# icmp_packets
#
# Do I need both 8 and 0?
$IPTABLES -A icmp_packets -p ICMP -m limit --limit 3/minute \
--icmp-type 8 -j allow_hosts
$IPTABLES -A icmp_packets -p ICMP -m limit --limit 3/minute \
--icmp-type 0 -j allow_hosts
$IPTABLES -A icmp_packets -p ICMP -m limit --limit 3/minute \
--icmp-type 8 -j allow_hosts_d
$IPTABLES -A icmp_packets -p ICMP -m limit --limit 3/minute \
--icmp-type 0 -j allow_hosts_d
######## user-specified strings made
# INPUT CHAIN
$IPTABLES -A INPUT -p TCP -j bad_tcp_packets
#allow ESTABLISHED,RELATED TO for HOSTS
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED \
-j allow_hosts_d
#allow ESTABLISHED,RELATED FROM hosts:
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED \
-j allow_hosts
$IPTABLES -A INPUT -i eth0 -p TCP -j tcp_packets
$IPTABLES -A INPUT -i eth0 -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -i eth0 -p ICMP -j icmp_packets
$IPTABLES -A INPUT -i eth1 -p TCP -j tcp_packets
$IPTABLES -A INPUT -i eth1 -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -i eth1 -p ICMP -j icmp_packets
$IPTABLES -A INPUT -i eth2 -p TCP -j tcp_packets
$IPTABLES -A INPUT -i eth2 -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -i eth2 -p ICMP -j icmp_packets
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# FORWARD chain
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED \
-j allow_hosts_d
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED \
-j allow_hosts
$IPTABLES -A FORWARD -p TCP -j tcp_packets
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets
$IPTABLES -A FORWARD -p ICMP -j icmp_packets
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# OUTPUT chain
#
# These don't seem to do anything:
#$IPTABLES -A INPUT -p ALL \
#-m state --state ESTABLISHED,RELATED -j allow_hosts_d
#$IPTABLES -A INPUT -p ALL \
#-m state --state ESTABLISHED,RELATED -j allow_hosts
$IPTABLES -A OUTPUT -p TCP -j bad_tcp_packets
$IPTABLES -A OUTPUT -p TCP -j tcp_packets
$IPTABLES -A OUTPUT -p UDP -j udpincoming_packets
$IPTABLES -A OUTPUT -p ICMP -j icmp_packets
#Do this in 'tcp_packets'
#$IPTABLES -A OUTPUT -p TCP --dport 25 -s $INET_IP -j ACCEPT
#$IPTABLES -A OUTPUT -p TCP --dport 110 -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
######
# nat table
#
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $INET_IP
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $LAN_IP_1
$IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to-source $LAN_IP_2
######
# mangle table
#
#
# TURN ON FORWARDING
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#################################################
[/code]
Well, if anybody can give me any kind of a suggestion, it would be welcome.
12-15-2002, 10:18 PM, #2
Member | Registered: Feb 2002 | Location: Orlando | Distribution: Whatever I feel like at the time I install. | Posts: 284
I think it has something to do with your forwarding rules. The only thing I could tell that was different from my script was that your default policy for forward was drop and mine is accept. You may want to try that quick fix and see if that will allow you to do the PASV connections. I know that I currently have an ftp server running on this machine behind a linux router/firewall and the only way people can connect is via PASV mode.
12-16-2002, 02:28 AM, #3
LQ Newbie (Original Poster) | Registered: Dec 2002 | Location: San Francisco, CA, USA | Distribution: LFS, Splack, Redhat 6.2 | Posts: 5
Thanks for the tip. You're right... I think it did have something to do with FORWARD. I started from a clean slate again, and now I've got what I want (in a lot less chains).
Now I'm wondering if this site is so slow because of my firewall? Is everybody getting such slow connections?
p.s. - www.iptables.org/security/2001-04-16-ftp.html - PASV hole
Last edited by satellite; 12-16-2002 at 02:31 AM.
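Added example, not code from the thread: a small Python model of what the ip_conntrack_ftp helper does with a PASV reply on the control connection, and of why the client's data-channel SYN is still dropped when the FORWARD chain has no rule accepting RELATED traffic (in the posted script, the two ESTABLISHED,RELATED rules under "# FORWARD chain" are appended to INPUT instead). The client and server addresses and the PASV reply are constructed; the address check models the helper refusing an advertised address other than the server's own, which is the hole in the advisory linked in post #3, with a loose flag that relaxes it.

```python
import re
from ipaddress import IPv4Address

# Constructed addresses for this example: a LAN client behind the firewall
# and an FTP server on the internet (neither is taken from the thread).
CLIENT_IP = "172.16.64.10"
SERVER_IP = "198.51.100.7"

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv_reply(line):
    """Return (ip, port) advertised by a '227 Entering Passive Mode' reply,
    or None if the line is not a well-formed PASV reply."""
    m = PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def ftp_expectation(reply, client_ip, server_ip, loose=False):
    """Model of the ip_conntrack_ftp helper seeing a PASV reply: record an
    'expectation' for the data connection so that the client's SYN to it is
    classified RELATED. Unless loose mode is on, an advertised address other
    than the server's own is refused (the PASV hole the thread links to)."""
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return None
    data_ip, data_port = parsed
    if not loose and IPv4Address(data_ip) != IPv4Address(server_ip):
        return None
    return {"src": client_ip, "dst": data_ip, "dport": data_port}

def forward_verdict(syn, expectations, forward_accepts_related):
    """Verdict for a forwarded data-channel SYN: it is RELATED only if it
    matches an expectation, and it is accepted only if FORWARD really has a
    rule accepting RELATED (the posted script put that rule in INPUT)."""
    related = any(e["src"] == syn["src"] and e["dst"] == syn["dst"]
                  and e["dport"] == syn["dport"] for e in expectations)
    return "ACCEPT" if related and forward_accepts_related else "DROP"

if __name__ == "__main__":
    exp = ftp_expectation("227 Entering Passive Mode (198,51,100,7,195,80)",
                          CLIENT_IP, SERVER_IP)
    syn = {"src": CLIENT_IP, "dst": SERVER_IP, "dport": 195 * 256 + 80}
    print(exp, forward_verdict(syn, [exp], False), forward_verdict(syn, [exp], True))
```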