LinuxQuestions.org - Linux - Security: iptables and passive ftp behind NAT (https://www.linuxquestions.org/questions/linux-security-4/iptables-and-passive-ftp-behind-nat-105503/)

radix 10-18-2003 06:31 AM

iptables and passive ftp behind NAT
 
Ok, I'm posting this again because I've changed ports for my ftp and am using ssl now. slack 9 2.4.22 w/ iptables 1.2.8. I use RaidenFTPD on a winXP home SP1. If someone connects to me with passive enabled it dies at LIST -al. Here's the script, iptables -nvL, and lsmod.

#

# set a few variables
make BINDIR=/usr/local/bin LIBDIR=/usr/local/lib MANDIR=/usr/local/manecho ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo " setting global variables"
echo ""
iptables="/usr/local/sbin/iptables"

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load some modules

/sbin/depmod -a

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp port=444; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then modprobe ip_tables; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack.o ]; then modprobe ip_conntrack; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.o ]; then modprobe iptable_filter; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_mangle.o ]; then modprobe iptable_mangle; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_nat.o ]; then modprobe iptable_nat; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_LOG.o ]; then modprobe ipt_LOG; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_limit.o ]; then modprobe ipt_limit; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_state.o ]; then modprobe ipt_state; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_mac.o ]; then modprobe ipt_mac; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_owner.o ]; then modprobe ipt_owner; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_REJECT.o ]; then modprobe ipt_REJECT; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o ]; then modprobe ipt_MASQUERADE; fi

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 220.57.120.22

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP

# blocked hosts
echo " dropping all packets from blocked hosts"
echo ""
$iptables -I INPUT -s 192.168.0.1 -j DROP
$iptables -I FORWARD -s 192.168.0.1 -j DROP

# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""

$iptables -A INPUT -p tcp --dport 20 -j ACCEPT
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 444 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4900:5100 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4661 -j ACCEPT
$iptables -A INPUT -p udp --dport 4665 -j ACCEPT

# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""

$iptables -A FORWARD -i eth0 -p tcp --dport 444 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 444 -j DNAT --to-destination 10.0.0.2:444
$iptables -A FORWARD -i eth0 -p tcp --dport 20 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 20 -j DNAT --to-destination 10.0.0.2:20
$iptables -A FORWARD -i eth0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4662 -j DNAT --to-destination 10.0.0.2:4662
$iptables -A FORWARD -i eth0 -p tcp --dport 4661 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4661 -j DNAT --to-destination 10.0.0.2:4661
$iptables -A FORWARD -i eth0 -p udp --dport 4665 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4665 -j DNAT --to-destination 10.0.0.2:4665
$iptables -A FORWARD -i eth0 -p tcp --dport 4900:5100 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4900:5100 -j DNAT --to-destination 10.0.0.2:4900:5100
# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "

# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

Chain INPUT (policy DROP 12 packets, 336 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 18
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 17
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 10
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 9
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 5
0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
2670 156K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1 144 ACCEPT all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
106 9752 DROP icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:433:443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4661
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4665
492 21404 LOG tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 tcp LOG flags 0 level 4 prefix `tcp connection: '
19 5063 LOG udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 udp LOG flags 0 level 4 prefix `udp connection: '
523 22768 DROP tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp
19 5063 DROP udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp

Chain FORWARD (policy DROP 2 packets, 1469 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0
0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
106K 31M ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
109K 75M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:433:443
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4662
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4661
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4665

Chain OUTPUT (policy ACCEPT 2 packets, 151 bytes)
pkts bytes target prot opt in out source destination
2121 263K ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW

Module Size Used by Not tainted
ipt_MASQUERADE 2072 0 (unused)
ipt_REJECT 3512 0 (unused)
ipt_owner 1784 0 (unused)
ipt_mac 632 0 (unused)
ipt_state 568 4
ipt_limit 1016 2
ipt_LOG 3480 2
iptable_mangle 2136 0 (unused)
iptable_filter 1740 1
ip_nat_ftp 3728 0 (unused)
ip_conntrack_ftp 4592 1 [ip_nat_ftp]
ip_nat_irc 2704 0 (unused)
iptable_nat 25720 3 [ipt_MASQUERADE ip_nat_ftp ip_nat_irc]
ip_tables 16512 12 [ipt_MASQUERADE ipt_REJECT ipt_owner ipt_mac ipt_state ipt_limit ipt_LOG iptable_mangle iptable_filter iptable_nat]
ip_conntrack_irc 3312 1 [ip_nat_irc]
ip_conntrack 33416 4 [ipt_MASQUERADE ipt_state ip_nat_ftp ip_conntrack_ftp ip_nat_irc iptable_nat ip_conntrack_irc]
epic100 14124 1
3c59x 28752 1

Any help would be greatly appreciated. I have the data ports set to 4900-5100 in RaidenFTPD so they should hit it, but they don't.

Capt_Caveman 10-19-2003 07:40 PM

You might want to try adding some logging rules, esp. around all the rules that handle the ftp ports and forwarding rules. That way you'll at least have a better idea of where the packets are going (or aren't going). I'm assuming they're not being caught by the log rules before the final packet dump at the end of the script.

Also try using the -v option with the ftp client when you connect to see if that is informative at all.

HTH
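As an added example (not from the thread), here is a small log triage script for the approach Capt_Caveman suggests: put LOG rules at the points where packets can be dropped, then read the kernel log to see which chain dropped the FTP data-port packets. It assumes two log prefixes, "Incoming_nat " on a LOG rule at the head of nat PREROUTING and "Dropped " on LOG rules at the end of INPUT and FORWARD (peter_robb suggests both later in the thread). The sample log lines are constructed; the client address 198.51.100.7 is made up, while the firewall and server addresses and the 444 / 4900-5100 ports are the thread's.

```shell
#!/bin/sh
# Added example, not from the thread: triage iptables LOG output to find the
# chain in which FTP data-port packets are dropped. Assumes the prefixes
# "Incoming_nat " (LOG at the head of nat PREROUTING) and "Dropped " (LOG at
# the end of INPUT and FORWARD).

# Constructed sample in the format ipt_LOG writes to the kernel log.
LOG_SAMPLE='Oct 20 09:40:01 fw kernel: Incoming_nat IN=eth0 OUT= MAC=00:50:da:12:34:56:00:04:76:ab:cd:ef:08:00 SRC=198.51.100.7 DST=220.57.120.22 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4001 DF PROTO=TCP SPT=33011 DPT=4950 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 09:40:01 fw kernel: Dropped IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4001 DF PROTO=TCP SPT=33011 DPT=4950 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 09:40:05 fw kernel: Incoming_nat IN=eth0 OUT= MAC=00:50:da:12:34:56:00:04:76:ab:cd:ef:08:00 SRC=198.51.100.7 DST=220.57.120.22 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4002 DF PROTO=TCP SPT=33012 DPT=5200 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 09:40:05 fw kernel: Dropped IN=eth0 OUT= MAC=00:50:da:12:34:56:00:04:76:ab:cd:ef:08:00 SRC=198.51.100.7 DST=220.57.120.22 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4002 DF PROTO=TCP SPT=33012 DPT=5200 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 20 09:40:09 fw kernel: Dropped IN=eth0 OUT= MAC=00:50:da:12:34:56:00:04:76:ab:cd:ef:08:00 SRC=198.51.100.7 DST=220.57.120.22 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4003 DF PROTO=TCP SPT=33009 DPT=444 WINDOW=17520 RES=0x00 ACK URGP=0'

# Read log lines on stdin and print one line per (chain, proto, dport) that was
# dropped, tagged with whether the port lies in the passive range
# (PASV_LOW..PASV_HIGH, default 4900-5100) and whether a first packet for that
# port was seen by the nat PREROUTING LOG rule.
drop_summary() {
    awk -v lo="${PASV_LOW:-4900}" -v hi="${PASV_HIGH:-5100}" '
    / kernel: / {
        # the --log-prefix is the text between "kernel: " and " IN="
        pfx = $0; sub(/.* kernel: /, "", pfx); sub(/ IN=.*/, "", pfx)
        out_if = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
        }
        if (pfx == "Incoming_nat") {
            seen[proto SUBSEP dpt]++
        } else if (pfx == "Dropped") {
            # empty OUT= means the packet was addressed to the firewall itself
            # (INPUT chain); a set OUT= means it was being routed (FORWARD chain)
            chain = (out_if == "") ? "INPUT" : "FORWARD"
            drops[chain SUBSEP proto SUBSEP dpt]++
        }
    }
    END {
        for (k in drops) {
            split(k, f, SUBSEP)
            range = (f[3] + 0 >= lo + 0 && f[3] + 0 <= hi + 0) ? "pasv-range" : "other-port"
            nat = ((f[2] SUBSEP f[3]) in seen) ? "seen-at-nat" : "not-at-nat"
            print f[1], f[2], "dpt=" f[3], range, nat, drops[k]
        }
    }' | sort
}

printf '%s\n' "$LOG_SAMPLE" | drop_summary
```

Reading the three result lines against the sample: the SYN to 4950 was logged at nat PREROUTING with DST=220.57.120.22 and then dropped in FORWARD with DST=10.0.0.2 and OUT=eth1, so the DNAT did its job and it is the FORWARD chain that lacks a matching ACCEPT. The SYN to 5200 was never rewritten (DST unchanged, dropped in INPUT) because it lies outside the forwarded range, which is what a mismatch between the server's passive range and the firewall's range looks like. The ACK on 444 with no nat entry is a mid-connection packet for which conntrack had no state, for example after a timed-out idle control connection. On a real box, feed the function with `grep kernel /var/log/messages | drop_summary`.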

radix 10-20-2003 09:49 AM

Well, that didn't help a whole lot. Only, I notice something. Sometimes the pasv will take and sometimes it won't. Example:
I connect and start a transfer on 4900, then the file finishes and it starts to grab the next, but the pasv port times out again. I'm lost here.......

peter_robb 10-20-2003 06:19 PM

There are a lot of unnecessary rules here... try pruning it down to a bare minimum first then add logging rules to catch the DROP points... eg,

# set a few variables
make BINDIR=/usr/local/bin LIBDIR=/usr/local/lib MANDIR=/usr/local/manecho ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
echo " setting global variables"
echo ""
iptables="/usr/local/sbin/iptables"

All this is unnecessary unless you call the variables later, (which isn't happening). They should be set outside of iptables...
Notice the extra typing just to define the word iptables which exists in the normal PATH anyway...

# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

A lot of extra text just to do this..
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.ip_forward=1

# load some modules

/sbin/depmod -a

if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp port=444; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.o ]; then modprobe ip_tables; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack.o ]; then modprobe ip_conntrack; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_filter.o ]; then modprobe iptable_filter; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_mangle.o ]; then modprobe iptable_mangle; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/iptable_nat.o ]; then modprobe iptable_nat; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_LOG.o ]; then modprobe ipt_LOG; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_limit.o ]; then modprobe ipt_limit; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_state.o ]; then modprobe ipt_state; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_mac.o ]; then modprobe ipt_mac; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_owner.o ]; then modprobe ipt_owner; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_REJECT.o ]; then modprobe ipt_REJECT; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_MASQUERADE.o ]; then modprobe ipt_MASQUERADE; fi

Most of these modules load automatically with the rules, in the correct order and with correct dependencies..
Try...
insmod ip_conntrack_ftp
insmod ip_nat_ftp
insmod ip_conntrack_irc
insmod ip_nat_irc
after all the rules have loaded. These ones require manual loading.

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT

$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
Missing the nat & mangle tables & chain deletes!! Try...
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat

done above...

$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
Shouldn't be the first rule. General rules come last...
$iptables -A INPUT -i eth1 -j ACCEPT

$iptables -A OUTPUT -o eth1 -j ACCEPT
Unnecessary. You already have an ACCEPT policy...

$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
This should be the first rule to get ip_conntrack working.. try
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j SNAT --to-source 220.57.120.22

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
Unnecessary with a default ACCEPT.

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP

All this is handled by the rp_filter...

# blocked hosts
echo " dropping all packets from blocked hosts"
echo ""
$iptables -I INPUT -s 192.168.0.1 -j DROP
$iptables -I FORWARD -s 192.168.0.1 -j DROP

Where would these packets come from? Prob unnecessary rules...

# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
Default ACCEPT policy!

$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
Are you sure you want to do this?

# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
Check the tutorial for a much tidier way...

# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""

$iptables -A INPUT -p tcp --dport 20 -j ACCEPT
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 444 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4900:5100 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A INPUT -p tcp --dport 4661 -j ACCEPT
$iptables -A INPUT -p udp --dport 4665 -j ACCEPT

Do you have servers on the firewall that need these rules?

# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""

$iptables -A FORWARD -i eth0 -p tcp --dport 444 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 444 -j DNAT --to-destination 10.0.0.2:444
$iptables -A FORWARD -i eth0 -p tcp --dport 20 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 20 -j DNAT --to-destination 10.0.0.2:20
$iptables -A FORWARD -i eth0 -p tcp --dport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4662 -j DNAT --to-destination 10.0.0.2:4662
$iptables -A FORWARD -i eth0 -p tcp --dport 4661 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4661 -j DNAT --to-destination 10.0.0.2:4661
$iptables -A FORWARD -i eth0 -p udp --dport 4665 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp -d 220.57.120.22 --dport 4665 -j DNAT --to-destination 10.0.0.2:4665
$iptables -A FORWARD -i eth0 -p tcp --dport 4900:5100 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d 220.57.120.22 --dport 4900:5100 -j DNAT --to-destination 10.0.0.2:4900:5100
Recommended: don't use the -d x.x.x.x in the PREROUTING chain. If you only have 1 ip address, it adds a lot more computing time to each packet for no reason.

# logging
echo " applying logging rules"
echo ""
$iptables -A INPUT -i eth0 -p tcp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "tcp connection: "
$iptables -A INPUT -i eth0 -p udp -m limit --limit 1/s --dport 0:65535 -j LOG --log-prefix "udp connection: "
Where are the logging rules for the FORWARD chain?
Also, each packet getting logged here is because there isn't a matching ACCEPT rule. Don't you want to know what is really happening?
I'd recommend adding LOG rules in nat PREROUTING too, eg
iptables -t nat -I PREROUTING -i eth0 -j LOG --log-prefix "Incoming_nat "
to get the first packet of any connection logged.

# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

Unnecessary. This is your default policy...
Better to have a LOG rule as the last rule here to catch what is missed by the other rules.. eg
iptables -A INPUT -j LOG --log-prefix "Dropped "
iptables -A FORWARD -j LOG --log-prefix "Dropped "

& what about dns packets? Try...
iptables -I INPUT -p udp --sport 53 -j ACCEPT
iptables -I FORWARD 3 -p udp --sport 53 -j ACCEPT

A recommended tutorial

Sorry if I come across quite critical, but it looks like you've got a script that hasn't been well thought out, as I have commented on.
Prob better to go back to square 1 and find good reasons to add rules. Get the "setting up nat" section working first then the DNATs then the filtering then the default policies, working from the LOG file outputs, if you wish to build from scratch.
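The script below is an added example, not a script from the thread, from quicktables or from the tutorial peter_robb links: a minimal NAT firewall laid out in the order his post recommends (flush every table and delete user chains, stateful rules first, DNAT without -d, LOG rules at the end of each chain and at the head of nat PREROUTING, FTP helper modules loaded after the rules). Interfaces, addresses and ports are the thread's (eth0 = internet with 220.57.120.22, eth1 = LAN 10.0.0.0/24, FTP server 10.0.0.2 on port 444, passive data ports 4900-5100); the `ports=` module parameter name is an assumption to verify with modinfo on the real kernel. It runs in dry-run mode, printing the commands it would execute, unless started as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal NAT firewall in the order
# recommended above. Prints the commands (dry run) unless run as root with
# DRY_RUN=0. Addresses and ports are the thread's.

IPTABLES="${IPTABLES:-iptables}"
WAN=eth0
LAN=eth1
LAN_NET=10.0.0.0/24
PUBLIC_IP=220.57.120.22
FTP_HOST=10.0.0.2
FTP_PORT=444
PASV_PORTS=4900:5100

# Run a command, or just print it when DRY_RUN is set (the printed form does
# not reproduce shell quoting; it is for reading, not for pasting back).
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}
ipt() { run "$IPTABLES" "$@"; }

build_firewall() {
    # 1. flush and delete user chains in every table, then set the policies
    for t in filter nat mangle; do
        ipt -t $t -F
        ipt -t $t -X
    done
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # 2. stateful rules first, so conntrack (and the FTP helper's RELATED
    #    expectations) is consulted before any per-port rule; DNS replies to
    #    the firewall and the LAN come back as ESTABLISHED through these
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i $LAN -j ACCEPT
    ipt -A FORWARD -i $LAN -j ACCEPT

    # 3. NAT: source-NAT the LAN on the way out, DNAT the FTP control port and
    #    the passive range to the server; no -d match in PREROUTING
    ipt -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j SNAT --to-source $PUBLIC_IP
    ipt -t nat -A PREROUTING -i $WAN -p tcp --dport $FTP_PORT -j DNAT --to-destination $FTP_HOST
    ipt -t nat -A PREROUTING -i $WAN -p tcp --dport $PASV_PORTS -j DNAT --to-destination $FTP_HOST
    ipt -A FORWARD -i $WAN -o $LAN -p tcp -d $FTP_HOST --dport $FTP_PORT -j ACCEPT
    ipt -A FORWARD -i $WAN -o $LAN -p tcp -d $FTP_HOST --dport $PASV_PORTS -j ACCEPT

    # 4. log the first packet of every incoming connection, and whatever
    #    reaches the end of INPUT or FORWARD right before the DROP policy
    ipt -t nat -I PREROUTING -i $WAN -j LOG --log-prefix "Incoming_nat "
    ipt -A INPUT -j LOG --log-prefix "Dropped "
    ipt -A FORWARD -j LOG --log-prefix "Dropped "

    # 5. FTP helpers last, told which control port to watch (modprobe pulls in
    #    ip_conntrack). The thread uses port=444; 'ports=' is the parameter
    #    name assumed here, check it with: modinfo ip_conntrack_ftp
    run modprobe ip_conntrack_ftp ports=$FTP_PORT
    run modprobe ip_nat_ftp ports=$FTP_PORT
}

# Never execute the real commands unless explicitly asked to as root.
if [ "$(id -u)" -ne 0 ]; then
    DRY_RUN=1
fi
build_firewall
```

Two design notes. The FTP helper can only create the RELATED entry for a passive data connection when it can read the 227 reply on the control channel; on an SSL/TLS-encrypted control connection it cannot, which is why the passive range is also DNATed and accepted explicitly here, and why the range configured in the server must match PASV_PORTS exactly. Nothing else is opened to the firewall host itself, so anything the "Dropped " rules log on INPUT is either a port the server should own (a DNAT gap) or unsolicited traffic.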

radix 10-21-2003 08:32 AM

I am running an ftp server behind the firewall that cannot have passive connections made; they all time out. That's why I'm trying to get this working. The script was made with quicktables (not very good from what I hear now) but I get totally lost when I read the faqs. I need it to be broken down to a moron's level before I understand it.

peter_robb 10-21-2003 08:48 AM

Recommended iptables tutorial.

This explains why rules are made.

You can cheat and use one of the scripts at the end of the tutorial, then work out which part does which function. :)

Usually Win based servers run slowly coz they can't get the dns services to connect...

radix 10-21-2003 09:19 AM

Don't suppose you'd be interested in writing a script for me? ;) Thanks for the help, I'll try to get through the tutorial and hopefully come out with a script that can get the passive connecting.

Capt_Caveman 10-21-2003 02:06 PM

When you put together your script, keep in mind a couple of things:

Think through how you want to design your firewall beforehand. Put a considerable amount of thought on what your default policies will be for each "chain", as this will dictate the kinds of rules you'll have to include. In general, if you use a default policy of DROP, you'll then have to go through and specifically allow the traffic you want through. This is a good choice in terms of security, but it can make networking a little more difficult. A default policy of ACCEPT has exactly the opposite characteristics and can open up huge holes in your firewall if you forget to specifically block something.

Try to keep your firewall script as simple as you can. It will make troubleshooting your script a lot easier. If you look at the script you posted and the notes that peter_robb posted on it, you'll notice that you have way too many duplicate rules in there.

When you actually implement your script, do it in stages. That way you'll get a better idea of what rules are causing problems or not doing what you think they should. If you throw everything including the kitchen sink in there at once, then you won't have a clue as to what the problem might be. Start with the basics, lock down all unnecessary traffic first and get the firewall machine functioning, then start forwarding the ports you need to the other machines. Using ethereal to sniff packets from your network at this point can be a really big help here in seeing if they are getting forwarded properly. Focus on getting one service working at a time in this manner.

If you need help, don't be afraid to ask. But at least show that you are putting some effort into it before you post. There are a lot of good how-tos at www.tldp.org and www.netfilter.org. A lot of people find the frozenTux tutorial (the one peter_robb posted) to be helpful as well. The iptables man page has an extensive amount of info on what all the flags and extensions do and is an often overlooked resource.
