From: Roman Gavrilov
To: netfilter@lists.netfilter.org
Subject: iptables and ftp
Date: Sat, 22 Feb 2003 22:20:11 +0200
Message-ID: <023001c2daaf$cd19fe80$020010ac@romio>

Hello,

My question is about ftp and ftp data connections.
I know this subject has been heavily discussed but still ...

I set up my firewall to allow connections to 21 and 20 ports.
I also allowed connections to high ports from outside from port 20.
and of course I enabled all established and related connections.

But whenever I connect to my ftp server and issue the "ls" command it gets stuck.
In the firewall I see :

Feb 22 04:07:46 hostname IN=eth0 OUT= MAC=00:e0:18:d3:1b:4b:00:90:5f:0d:64:38:08:00 SRC=source ip DST=my server ip LEN=60 TOS=00 PREC=0x00 TTL=53 ID=41512 DF PROTO=TCP SPT=37070 DPT=21773 SEQ=3256137382 ACK=0 WINDOW=5648 SYN URGP=0

SPT=37070 DPT=21773 looks strange to me.

It seems that the ftp data session is trying to establish a connection from a high port to a high port.
SYN means that it is trying to establish a connection and of course it is dropped by the firewall.
There is no sense in allowing anything from outside to the server's high ports.

I think that the client should issue a connect request from a high port to the server's port 20.
And then it should match the established connection.

What can be the problem ?

Thanks
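The logged packet is the client's SYN from its port 37070 to the server's port 21773: a passive-mode data connection, the port the server itself announced in its 227 reply to PASV on the port-21 control channel, which is why port 20 never appears. A static rule cannot know that port in advance; only the netfilter FTP helper, which reads PORT/PASV on the control channel, can flag the SYN as RELATED. The following is an added example and not code from this thread: a minimal INPUT rule set for the server with the helper loaded. Module and match names are the 2.4-era ones used on this list, the interface name and the DROP policy are assumptions, and the script prints its commands instead of executing them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread.  Rules for an FTP server whose
# data connections are to be tracked by the netfilter FTP helper (2.4-era
# module and match names).  Dry run by default: each command is printed;
# APPLY=1 executes it (as root).  EXTIF is an assumption.
APPLY="${APPLY:-0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"

# Execute the command when APPLY=1, otherwise print it.
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

ftp_server_rules() {
    # The helper parses PORT/PASV on the port-21 control connection and
    # registers the announced data connection as an expectation.  The
    # client's SYN to the server's high port (passive mode, e.g. the logged
    # SPT=37070 -> DPT=21773) then matches --state RELATED; without the
    # module it is NEW and falls through to the DROP policy.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp            # only needed if the server sits behind NAT

    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only the control channel is opened statically; data ports never are.
    run "$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Active mode needs nothing extra on INPUT: the server originates the
    # port 20 -> client connection (OUTPUT) and the client's replies are
    # ESTABLISHED.
}

# After loading: true when the helper module is present in /proc/modules.
# Once a client has sent PASV or PORT, the pending data connection is also
# visible in /proc/net/ip_conntrack_expect.
helper_loaded() { grep -q '^ip_conntrack_ftp' /proc/modules 2>/dev/null; }

# Number of statically opened ports in the generated rule set (expected: 1).
static_open_ports() { ftp_server_rules | grep -c -- '--dport'; }

case "${1:-}" in demo) ftp_server_rules ;; esac
```

Note what the rule set deliberately lacks: a rule accepting "high ports from outside from port 20". That rule only makes sense on an FTP *client* in active mode, where the remote server dials back from port 20; on a server it opens nothing useful, and since any remote host can choose source port 20, it hands a scanner a free path to every high port.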
From: Willi Dyck
To: Roman Gavrilov
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables and ftp
Date: Sat, 22 Feb 2003 00:51:33 +0100
Message-ID: <20030221235133.GC412@tekilla.homeip.net>
In-Reply-To: <023001c2daaf$cd19fe80$020010ac@romio>

On Sat, Feb 22, 2003 at 10:20:11PM +0200, Roman Gavrilov wrote:
> Hello,
>
> My question is about ftp and ftp data connections.
> I know this subject has been heavily discussed but still ...
>
> I set up my firewall to allow connections to 21 and 20 ports.
> I also allowed connections to high ports from outside from port 20.
> and of course I enabled all established and related connections.

Have you loaded 'ip_nat_ftp' and 'ip_conntrack_ftp' ?

Regards,
Willi

--
the three great virtues of a programmer: laziness, impatience and hubris.
Larry Wall


From: Dhirendra Pal Singh
To: netfilter@lists.netfilter.org
Subject: How to do port forwarding dynamically
Date: Fri, 21 Feb 2003 16:59:32 -0800
Message-ID: <3E56CB74.4090305@actiswitch.com>

Hi All,
I am trying to set up a web server inside my home LAN. The firewall is running on the gateway.
Below is the script for the firewall...
(it's very simple.. I downloaded it from the net)
*****************************************
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.70

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

# external (internet) and the two internal (LAN) interfaces
EXTIF="eth0"
INTIF1="eth1"
INTIF2="eth2"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface1: $INTIF1"
echo "   Internal Interface2: $INTIF2"

echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$INSMOD ip_tables
echo -en "ip_conntrack, "
$INSMOD ip_conntrack
echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc
echo -en "iptable_nat, "
$INSMOD iptable_nat
echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp
echo ".  Done loading modules."

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
# anything not accepted above is logged before the FORWARD DROP policy applies
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
**********************************************************************************************

I have stripped off the comments for simplicity.
Now when I want to open a port and forward it I am trying to execute the following 2 commands...

$iptables -A INPUT -j ACCEPT -p tcp --syn --destination-port 5000
$iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5000 -j DNAT --to-destination 192.168.1.30:80

Shouldn't this forward port 5000 to the internal box on port 80? But this is not working. Can someone please help me to correct this script. Actually I want just 2 lines which I can run for any port and can open and forward it to any machine of my choice...

Any quick help would be very much appreciated...
Thanks in advance..
Dp


From: Joel Newkirk
To: Dhirendra Pal Singh, netfilter@lists.netfilter.org
Reply-To: netfilter@newkirk.us
Subject: Re: How to do port forwarding dynamically
Date: Fri, 21 Feb 2003 20:34:57 -0500
Message-ID: <200302212034.57159.netfilter@newkirk.us>
In-Reply-To: <3E56CB74.4090305@actiswitch.com>

On Friday 21 February 2003 07:59 pm, Dhirendra Pal Singh wrote:
> Hi All,
> I am trying to set up a web server inside my home lan. Firewall is
> running on the gateway.
> Below is the script for the firewall... (it's very simple.. I
> downloaded it from the net)

> echo "   enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward

Best not to do this until you've already created the rules, and the DROP policy.

> echo "   enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> echo "   clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT

This is NOT a good idea. This allows anybody on the internet to have unrestricted access to all ports on your firewall/gateway. (unless you DNAT them to another machine, or have a rule that explicitly DROPs something) You want a DROP policy instead, and then ACCEPT only traffic that needs to access the gateway machine itself. A simple, more-secure (but still not tight) approach is to have a DROP policy on INPUT, then use:

$IPTABLES -A INPUT -i $INTIF1 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -j ACCEPT

which allows all machines on the local networks unrestricted access to the gateway itself (this is a separate matter from forwarding!) but ignores connection attempts from the outside world. Even better would be to ACCEPT ONLY the absolute bare minimum. Under normal operation nobody (internet _OR_ LAN) should need access to the firewall box itself. If you do all your work on the machine sitting in front of it with its own keyboard and monitor, and it's not offering other services then you can probably work just fine with DROP policy for INPUT (and even OUTPUT). If there are services that the gateway offers to the LAN (mailserver, DNS, filesharing, whatever) then you should have ACCEPT rules for the necessary ports on INPUT chain, and limit them as above to ONLY the LAN, never the internet.

> ************************ I have stripped off the comments for
> simplicity. Now when I want to open a port and forward it I am trying
> to execute the following 2 commands...
>
> $iptables -A INPUT -j ACCEPT -p tcp --syn --destination-port 5000
> $iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5000 -j DNAT
> --to-destination 192.168.1.30:80
>
> Shouldn't this forward port 5000 to the internal box on port 80. But

Nope. This DNATs port 5000 incoming to port 80 on the internal box, and ACCEPTs syn to port 5000 on the gateway. You want the PREROUTING rule as is, (but "-i $EXTIF" would fit the script style better...) but the second rule should be:

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT

Differences: This is FORWARD chain, which is where packets to be forwarded will go instead of INPUT. The destination port is now 80, not 5000, since the DNAT rule already changed the DPORT when it changed the destIP.

> this is not working. Can someone please help me to correct this
> script. Actually I want just 2 lines which I can run for any port and
> can open and forward it to any machine of my choice...
>
> Any quick help would be very much appreciated...
> Thanks in advance..
> Dp

INPUT is for connections directly to the firewall machine, or responses to something initiated by the machine itself. OUTPUT is for connections initiated by the firewall machine, or responses to something that came in INPUT. FORWARD is for connections that are only passing through.

j


From: Dhirendra Pal Singh
To: netfilter@newkirk.us
Cc: netfilter@lists.netfilter.org
Subject: Re: How to do port forwarding dynamically
Date: Mon, 24 Feb 2003 12:13:15 -0800
Message-ID: <3E5A7CDB.9070507@actiswitch.com>

Thanks for your detailed help J. I will try all that you have said and will get back to you later...
As I do have some more questions but let me try them myself before asking again...
Thanks once again..
Dp
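Joel's corrections collected into one script, as an added example that is not code from this thread: the DNAT rule in nat/PREROUTING and the matching ACCEPT in FORWARD on the already-rewritten destination port, wrapped in the "two lines for any port" function Dhirendra asked for, plus a DROP policy on INPUT that lets only the LAN sides reach the gateway itself. It tightens Joel's FORWARD rule slightly by also matching the DNAT target address, so the hole is open for that one host only. Interface names are taken from the posted script; the dry-run wrapper, the function names and the port validation are assumptions. Commands are printed unless APPLY=1 is set, in which case they are executed (as root).

```shell
#!/bin/sh
# Added example, not code from the thread: port forwarding the way Joel's
# reply describes it (DNAT in PREROUTING + ACCEPT in FORWARD), plus a DROP
# policy on INPUT.  Dry run by default: commands are printed; APPLY=1
# executes them (as root).  Interface names come from the posted script.
APPLY="${APPLY:-0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"
INTIF1="${INTIF1:-eth1}"
INTIF2="${INTIF2:-eth2}"

# Execute the command when APPLY=1, otherwise print it.
run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

# Policy for traffic aimed at the gateway itself.  Forwarded packets never
# traverse INPUT, so none of this affects the port forwards below.
gateway_input_policy() {
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$INTIF1" -j ACCEPT     # LAN may reach the gateway
    run "$IPTABLES" -A INPUT -i "$INTIF2" -j ACCEPT     # the internet may not
}

# forward_port EXTPORT DESTIP DESTPORT
#   1. nat/PREROUTING rewrites the destination to DESTIP:DESTPORT before the
#      routing decision, so the packet is routed to the LAN host.
#   2. FORWARD must accept the *rewritten* packet: its dst port is DESTPORT,
#      not EXTPORT, and it passes through FORWARD, never INPUT.
forward_port() {
    extport="$1"; dest="$2"; destport="$3"
    case "$extport$destport" in
        *[!0-9]*|"") echo "forward_port: ports must be numeric" >&2; return 1 ;;
    esac
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$extport" \
        -j DNAT --to-destination "$dest:$destport"
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -p tcp -d "$dest" --dport "$destport" -j ACCEPT
}

# Demo: the web server from the thread, reachable as <gateway>:5000.
case "${1:-}" in
    demo) gateway_input_policy; forward_port 5000 192.168.1.30 80 ;;
esac
```

Run `sh thisfile.sh demo` to see the rules it would issue, and `APPLY=1 sh thisfile.sh demo` to apply them. Keep Joel's ordering: create the rules and the DROP policies first and only then write 1 to /proc/sys/net/ipv4/ip_forward. To confirm the result, `iptables -t nat -L PREROUTING -n` should list the DNAT entry and `iptables -L FORWARD -n -v` should show the ACCEPT for port 80 accumulating packets when you connect from outside; if the counter stays at zero while the DNAT counter rises, the FORWARD rule is the part that is missing.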