LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-12-2005, 12:45 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Rep: Reputation: 60
Iptables


I have a SUSE Linux firewall/router connected to a D-Link wireless router with three computers connected to it. My network works fine and I can get to the internet and browse with no problem. I am able to download things through HTTP but not FTP, and I have done the basic commands like IP forwarding and MASQ. Can somebody give me some basic yet secure iptables rules so that I can FTP download, HTTP download, etc. to all of my workstations on my network but not sacrifice security at the same time?
 
Old 04-12-2005, 09:53 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
So are you having problems downloading files from ftp servers on the internet or is the ftp server running in your LAN and you'd like to be able to access it remotely?
 
Old 04-13-2005, 01:28 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
I cannot perform any FTP downloads from the internet but I can do everything else!
 
Old 04-13-2005, 01:31 PM   #4
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
These are the only commands that I am using in IPTABLES:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j ACCEPT

cat /proc/sys/net/ipv4/ip_forward

These are the only commands that I am using for IPTABLES!
 
Old 04-13-2005, 07:38 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j ACCEPT
This rule is wrong. You should be rejecting traffic in the INVALID state, not accepting it. Depending on the rest of your rules, it should probably be:
iptables -A FORWARD -i ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
*A word of caution though: by allowing the NEW state and not limiting it to specific ports, you are allowing anyone outside your network to make connections to systems inside the LAN.

cat /proc/sys/net/ipv4/ip_forward
I think this should be:
echo 1 > /proc/sys/net/ipv4/ip_forward

These are the only commands that I am using for IPTABLES!
Are there other rules to your firewall besides those? Could you post the output of iptables -vnL and iptables -t nat -vnL? Without knowing the rest of your rules, most ftp clients should work fine over NAT as long as you are forwarding the ESTABLISHED and RELATED states.
 
Old 04-14-2005, 11:10 AM   #6
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
Here they go: iptables -vnL

Chain INPUT (policy ACCEPT 35251 packets, 19M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 609K packets, 506M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 38444 packets, 8537K bytes)
pkts bytes target prot opt in out source destination

Chain ftp_rule (0 references)
pkts bytes target prot opt in out source destination

Sludge:~ # iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 23303 packets, 2272K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 185 packets, 11252 bytes)
pkts bytes target prot opt in out source destination
12650 815K MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
0 0 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 1237 packets, 75799 bytes)
pkts bytes target prot opt in out source destination

There you have it. I don't think that I am even blocking anything!
 
Old 04-14-2005, 01:48 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There you have it. I don't think that I am even blocking anything!

You're not blocking anything at all, so it isn't a problem with your firewall rules. Try loading the netfilter ftp modules:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

When you try to connect out, do you get anything at all, like an ftp banner or authentication dialog?
 
Old 04-14-2005, 03:21 PM   #8
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
On my Linux firewall/router I can FTP download OK, etc.; it is only from my workstations that I cannot, e.g. downloading anti-virus updates via FTP. What will those modules do?

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

Are these required?
And is this for tracking purposes?

Forgive me for asking stupid questions, but if I don't I will never get to know the real Linux. I am doing everything from the command line and not using a GUI. I am in the process of taking the LPI 1 & 2 exams. Security is my concentration of study after the LPI exams.
 
Old 04-15-2005, 11:55 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by dabeast93
What will those modules do?
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
Are these required? And is this for tracking purposes?
Both of these modules allow iptables to keep track of the connection state. FTP is a rather odd protocol, in that you have 2 channels (control and data), which can vary depending on whether you are using active or passive FTP. Once the standard control channel is established over port 21, netfilter (iptables) doesn't really have any way to monitor which type of FTP you're using, and therefore on which port the data channel is going to occur, and this can confuse the NAT function of netfilter. The ip_conntrack_ftp and ip_nat_ftp modules were specifically written to monitor connections and pick out the PORT command used by FTP to establish the data channel. So basically these are "helper" modules.

Last edited by Capt_Caveman; 04-15-2005 at 11:56 PM.
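As an added illustration of what such a helper has to extract (this is not code from the thread or from netfilter itself), the POSIX shell function below computes the data-channel endpoint that ip_conntrack_ftp would build an expectation for, from an active-mode PORT command or a passive-mode 227 reply; the control-channel lines used here are constructed samples.

```shell
# Added example: derive the FTP data-channel endpoint that a conntrack helper
# must learn from the control channel. Without it, netfilter only sees a TCP
# session to port 21 and has no way to relate the separate data connection.
# Sample inputs below are constructed; the address/port encoding is the one
# FTP uses: h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
ftp_data_endpoint() {
    # $1: one FTP control-channel line, e.g.
    #   "PORT 192,168,3,10,4,1"                          (active: client listens)
    #   "227 Entering Passive Mode (192,0,2,10,195,80)"  (passive: server listens)
    # Prints host:port, or returns 1 if the line carries no endpoint.
    nums=$(printf '%s\n' "$1" |
        sed -n 's/.*[ (]\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\).*/\1/p')
    [ -n "$nums" ] || return 1
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$nums
EOF
    printf '%s.%s.%s.%s:%s\n' "$h1" "$h2" "$h3" "$h4" "$((p1 * 256 + p2))"
}

# Walk a constructed control-channel exchange and show which lines would make
# the helper open a RELATED "expectation" for the data channel.
demo_exchange() {
    for line in "USER anonymous" \
                "PORT 192,168,3,10,4,1" \
                "227 Entering Passive Mode (192,0,2,10,195,80)"; do
        if ep=$(ftp_data_endpoint "$line"); then
            printf 'expect data connection to %s  <- %s\n' "$ep" "$line"
        else
            printf 'no endpoint in: %s\n' "$line"
        fi
    done
}
```

Call `demo_exchange` to see the walk-through; lines without an endpoint (USER, PASS, RETR and so on) are ignored, exactly as the helper ignores them.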
 
Old 04-16-2005, 11:17 AM   #10
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
I will load these modules. Mr. Caveman, can you please give me a decent, secure set of iptables rules so that I can allow FTP downloads only through my wireless clients?

P.S

When I see people referring to how they can't get their script to run, I understand what that is, but after I obtain a decent set of iptables rules, how would I create an iptables script so that it will run every time I boot the LINUX firewall/router?
 
Old 04-16-2005, 01:03 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I will load these modules. Mr. Caveman, can you please give me a decent, secure set of iptables rules so that I can allow FTP downloads only through my wireless clients?
You'd need to describe your network in a lot more detail, including which interfaces on the linux router are connected to the internet and which ones go to the LAN.

When I see people referring to how they can't get their script to run, I understand what that is, but after I obtain a decent set of iptables rules, how would I create an iptables script so that it will run every time I boot the LINUX firewall/router?
What linux distribution are you using?
 
Old 04-17-2005, 12:25 AM   #12
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
Here is my network!

DSL modem 192.168.1.1
      |
SUSE Linux router/firewall, two NICs: eth0 and eth1
      |
D-Link 624 wireless router/switch
      |
2 laptops

Suse 9.0 Linux Router/Firewall:

Eth0 (WAN interface)

BOOTPROTO='static'
MTU=''
IPADDRESS='192.168.1.2'
NETMASK='255.255.255.0'
NETWORK='192.168.1.0'
GATEWAY='192.168.1.1'
BROADCAST='192.168.1.255'
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='75Hn.wQq3lwZp4Y5'

Eth1 (LAN Interface which connects to the DLINK wireless router/switch WAN port)

BOOTPROTO='static'
IPADDRESS='192.168.2.1'
NETMASK='255.255.255.0'
NETWORK='192.168.2.0'
BROADCAST='192.168.2.255'
MTU=''
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='VeW7.KD56jqvp6D8'

DLINK router/firewall/switch

WAN interface

IP-192.168.2.2
SM-255.255.255.0
DG-192.168.2.1
DNS-ISP

LAN Interface
192.168.3.1
255.255.255.0




IP forwarding enabled:

Sludge:~ # cat /proc/sys/net/ipv4/ip_forward
1

And I am using the SUSE distro!
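For the two-NIC layout described above, this is the kind of ruleset Capt_Caveman's corrections point to, written here as an added example and not something posted in the thread: eth0 toward the DSL modem, eth1 toward the D-Link, LAN 192.168.2.0/24 (the D-Link NATs the laptops behind 192.168.2.2). The WAN interface defaults to eth0 rather than the ppp0 of the originally posted rule, and IPT/MODPROBE can be overridden for a dry run.

```shell
#!/bin/sh
# Added example ruleset for the SUSE router in this thread. Assumptions:
# eth0 = WAN (to the DSL modem), eth1 = LAN (to the D-Link WAN port),
# LAN subnet 192.168.2.0/24 as posted. Set IPT=echo MODPROBE=echo for a
# dry run that only prints the commands; run as root with APPLY_RULES=yes
# to apply them.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.2.0/24}"

load_ftp_helpers() {
    # 2.4/2.6-era helper modules named in the thread: they read the PORT/PASV
    # exchange on the control channel so the data channel is tracked as RELATED
    # and NATed correctly, instead of appearing as an unrelated NEW connection.
    "$MODPROBE" ip_conntrack_ftp
    "$MODPROBE" ip_nat_ftp
}

apply_rules() {
    "$IPT" -F FORWARD
    "$IPT" -t nat -F POSTROUTING
    # Nothing crosses the router unless a rule below allows it.
    "$IPT" -P FORWARD DROP
    # Packets conntrack cannot classify are dropped, not accepted
    # (the posted rule had NEW,INVALID -j ACCEPT).
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    # LAN hosts may open new connections outbound. The D-Link already NATs the
    # laptops, so the router sees them as 192.168.2.2, inside LAN_NET.
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # From the internet only replies and helper-expected (RELATED) FTP data
    # connections come back in; no NEW from the WAN side.
    "$IPT" -A FORWARD -i "$WAN" -o "$LAN" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the LAN behind the router's WAN address (one MASQUERADE rule
    # instead of the duplicated pair seen in the posted nat table).
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

if [ "${APPLY_RULES:-no}" = "yes" ]; then
    load_ftp_helpers
    apply_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward   # already 1 on the poster's box
fi
```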
 
Old 04-17-2005, 02:02 PM   #13
comprookie2000
Gentoo Developer
 
Registered: Feb 2004
Location: Fort Lauderdale FL.
Distribution: Gentoo
Posts: 3,291
Blog Entries: 5

Rep: Reputation: 56
Most DSL modems have a firewall. You may need to configure that.
 
Old 04-18-2005, 01:28 PM   #14
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
I am trying to learn IPTABLES! I could set up my network in a different way, like:

DSL
 |
D-Link firewall router
 |
LINUX

but I chose not to, for the sake of learning LINUX in the best way!
 
Old 04-21-2005, 09:25 AM   #15
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,171

Original Poster
Rep: Reputation: 60
Capt Caveman,

Question:

If I am not blocking anything, then why can't any of my workstations download anything that is FTP?

I do not understand! You have examined my iptables entries, so what are your thoughts? I bought a book from the O'Reilly collection called "Linux Administration Handbook" and I am reading it now. Is that a decent book for newbies?
 