From: "Christian Gmeiner" <christian@visual-page.de>
To: netfilter@lists.netfilter.org
Subject: Problem with connection-tracking and FTP
Date: Tue, 20 Jan 2004 17:01:26 +0100
Message-ID: <002001c3df6e$a97416e0$0600a8c0@blackbox>
Hi everybody.
I am working on a little firewall script. Everything works just fine, but I don't get the FTP protocol working.
I call these two functions to get FTP working:
# ==================================
FTP()
{
ebegin "Setting rules for active/passive FTP"
# Port 21: control connection opened by this host
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# active: the server connects back from port 20; ip_conntrack_ftp marks that connection RELATED
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# passive: this host connects to a high port announced by the server; the first packet is RELATED
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
eend $?
}
# ==================================
loadmodules()
{
ebegin "Trying to load needed modules"
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
# ip_conntrack_ftp parses PORT/PASV on port 21 and creates the RELATED expectation
/sbin/modprobe ip_conntrack_ftp
# ip_nat_ftp is additionally needed so FTP from masqueraded LAN clients is rewritten correctly
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ipt_ULOG
eend $?
}
And here is my start function:
# ==================================
start()
{
ebegin "Starting Firewall"
loadmodules
einfo "Setting default rules to drop"
# flush all rules, delete user chains, zero counters
iptables -F
iptables -X
iptables -Z
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
acceptlocal
portscan
proc
iana
illigalpackages
spoofing
FTP
# set rules
InOutTCP
InTCP
OutTCP
InOutUDP
InUDP
OutUDP
# Allow the clients to route through NAT (Network Address Translation)
iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
eend $? "Failed to start Firewall"
}
And here are the ports I allow with the functions InOut*, In*, Out*, ...
# TCP in+out
#
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
# TCP out
#
# 5190 = ICQ
#
TCP_OUT="5190 http https irc 25 ftp ftp-data"
# TCP in
#
TCP_IN=""
# UDP in+out
#
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
# UDP out
#
UDP_OUT="https irc"
# UDP in
#
UDP_IN=""
Oh, and here are some important functions:
# ==================================
InOutTCP()
{
ebegin "Allowing in- and outbound TCP traffic"
for i in ${TCP_IN_OUT}
do
einfo " <-> Setting TCP 'in' and 'out' rules for ${i}"
# inbound to this host and to the LAN
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} --dport 1024: -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
# outbound from this host and from the LAN
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d ${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
# ==================================
OutTCP()
{
ebegin "Allowing outbound TCP traffic"
for i in ${TCP_OUT}
do
einfo " <-> Setting TCP 'out' rules for ${i}"
# outbound from this host
iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A INPUT -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
# outbound from the LAN
iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d ${LAN} -m state --state ESTABLISHED,RELATED
done
eend $?
}
I hope somebody can help me.
Thanks, Christian Gmeiner
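The following is an added example, not part of Christian's post or his script. It shows a minimal conntrack-based FTP rule set for a host that also masquerades a LAN, covering the three pieces the post touches (control channel, RELATED data channel, helper modules including ip_nat_ftp for NAT'd clients). The interface name, LAN range, and the dry-run defaults (IPT and MODPROBE set to echo) are assumed values so the script can be inspected without touching a live firewall.

```shell
#!/bin/sh
# Added example: conntrack-based FTP rules with a dry-run mode.
# EXT_INT and LAN are hypothetical values; IPT/MODPROBE default to "echo"
# so nothing is applied unless you set IPT=iptables MODPROBE=/sbin/modprobe.

EXT_INT="${EXT_INT:-eth0}"            # assumed external interface
LAN="${LAN:-192.168.0.0/24}"          # assumed LAN range (constructed value)
IPT="${IPT:-echo iptables}"           # dry run by default
MODPROBE="${MODPROBE:-echo modprobe}" # dry run by default

ftp_modules() {
    # ip_conntrack_ftp inspects PORT/PASV on the control channel and creates
    # the expectation that makes the data connection RELATED.
    # ip_nat_ftp is required as well when clients behind MASQUERADE use FTP,
    # because the addresses inside the PORT command must be rewritten.
    for m in ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
}

ftp_rules() {
    # Control channel: this host opens port 21 outbound.
    $IPT -A OUTPUT -o "$EXT_INT" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$EXT_INT" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    # Data channel, active and passive alike: the helper supplies the expectation,
    # so one RELATED/ESTABLISHED pair is enough. Restricting the inbound side to
    # high ports keeps helper-created expectations away from privileged services.
    $IPT -A INPUT  -i "$EXT_INT" -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT_INT" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN clients behind MASQUERADE: NEW only for port 21, RELATED for the data channel.
    $IPT -A FORWARD -s "$LAN" -o "$EXT_INT" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check on the generated rule set: the data-channel rules (INPUT,
# OUTPUT, FORWARD) must carry RELATED, or the helper's expectation is never honoured.
count_related_rules() {
    ftp_rules | grep -c 'RELATED'
}

# Count of helper-related modules that would be loaded.
count_ftp_modules() {
    ftp_modules | grep -c 'ftp'
}

ftp_modules
ftp_rules
```

Run it as-is to print the commands; with `IPT=iptables MODPROBE=/sbin/modprobe` it applies them. The difference from the posted FTP() function is that the data-channel rules do not pin ports 20 or 1024: on both sides, since conntrack already knows which connection the helper expected, and that the FORWARD chain gets its own RELATED rule so passive transfers from LAN clients (which go to arbitrary server ports, not 20) are no longer dropped by the default policy.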