From: jose nuno neto <jose.neto@liber4e.com>
To: markee@bandwidthco.com
Cc: netfilter@lists.netfilter.org
Subject: RE: FTP SERVER ACCESS
Date: Sun, 26 Oct 2003 13:07:36 +0000
Message-ID: <1067173655.3024.2.camel@janis>
In-Reply-To: <LFEHKEBEBHAFGJBMNKAOGEIPCDAA.markee@bandwidthco.com>
Hi,
This is the output of lsmod:
ipt_mark 1216 1 (autoclean)
ipt_MARK 1632 13 (autoclean)
ipt_TOS 1856 6 (autoclean)
iptable_mangle 3040 1
ipt_multiport 1440 7
ip_conntrack_ftp 5088 0 (unused)
ip_conntrack_irc 4256 0 (unused)
ipt_REJECT 4000 2
ipt_LOG 4384 10
ipt_limit 1728 2
ipt_state 1344 20
ip_conntrack 26100 3 [ip_conntrack_ftp ip_conntrack_irc
ipt_state]
ipt_unclean 7872 2
iptable_filter 2528 1
ip_tables 13760 11 [ipt_mark ipt_MARK ipt_TOS
iptable_mangle ipt_multiport ipt_REJECT ipt_LOG ipt_limit ipt_state
ipt_unclean iptable_filter]
It shows "unused" for ip_conntrack_ftp; is this good?
On Sat, 2003-10-25 at 21:59, Mark E. Donaldson wrote:
> FTP is one of the most difficult protocols to get through a firewall. To
> begin with, are you using the netfilter ftp connection tracking module?
> $MODPROBE ip_conntrack_ftp
>
> Start with this. If you need more help let me know.
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Jose Nuno Neto
> Sent: Friday, October 24, 2003 7:15 AM
> To: netfilter@lists.netfilter.org
> Subject: FTP SERVER ACCESS
>
>
> Hi,
>
> I have a firewall script from
> http://www.rfxnetworks.com/apf.php
>
> I've followed the instructions and have access to everything I want except for
> the FTP server.
> Can anyone point out what ports/actions I must configure?
>
> thanks
>
> -------------------------------------------
>
> iptables -L
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> IN_UNCLEAN all -- anywhere anywhere unclean
> ACCEPT all -- anywhere anywhere
> TELNET_LOG tcp -- anywhere anywhere tcp dpt:telnet
> state NEW
> SSH_LOG tcp -- anywhere anywhere tcp dpt:ssh
> state NEW
> DROP all -- 1.0.0.0/8 anywhere
> DROP all -- 2.0.0.0/8 anywhere
> DROP all -- 5.0.0.0/8 anywhere
> DROP all -- 7.0.0.0/8 anywhere
> DROP all -- 23.0.0.0/8 anywhere
> DROP all -- 27.0.0.0/8 anywhere
> DROP all -- 31.0.0.0/8 anywhere
> DROP all -- 36.0.0.0/8 anywhere
> DROP all -- 37.0.0.0/8 anywhere
> DROP all -- 39.0.0.0/8 anywhere
> DROP all -- 41.0.0.0/8 anywhere
> DROP all -- 42.0.0.0/8 anywhere
> DROP all -- 58.0.0.0/8 anywhere
> DROP all -- 59.0.0.0/8 anywhere
> DROP all -- 60.0.0.0/8 anywhere
> DROP all -- 70.0.0.0/8 anywhere
> DROP all -- 71.0.0.0/8 anywhere
> DROP all -- 72.0.0.0/8 anywhere
> DROP all -- 73.0.0.0/8 anywhere
> DROP all -- 74.0.0.0/8 anywhere
> DROP all -- 75.0.0.0/8 anywhere
> DROP all -- 76.0.0.0/8 anywhere
> DROP all -- 77.0.0.0/8 anywhere
> DROP all -- 78.0.0.0/8 anywhere
> DROP all -- 78.0.0.0/8 anywhere
> DROP all -- 79.0.0.0/8 anywhere
> DROP all -- 83.0.0.0/8 anywhere
> DROP all -- 84.0.0.0/8 anywhere
> DROP all -- 85.0.0.0/8 anywhere
> DROP all -- 86.0.0.0/8 anywhere
> DROP all -- 87.0.0.0/8 anywhere
> DROP all -- 88.0.0.0/8 anywhere
> DROP all -- 89.0.0.0/8 anywhere
> DROP all -- 90.0.0.0/8 anywhere
> DROP all -- 91.0.0.0/8 anywhere
> DROP all -- 92.0.0.0/8 anywhere
> DROP all -- 93.0.0.0/8 anywhere
> DROP all -- 94.0.0.0/8 anywhere
> DROP all -- 95.0.0.0/8 anywhere
> DROP all -- 96.0.0.0/8 anywhere
> DROP all -- 97.0.0.0/8 anywhere
> DROP all -- 98.0.0.0/8 anywhere
> DROP all -- 99.0.0.0/8 anywhere
> DROP all -- 100.0.0.0/8 anywhere
> DROP all -- 101.0.0.0/8 anywhere
> DROP all -- 102.0.0.0/8 anywhere
> DROP all -- 103.0.0.0/8 anywhere
> DROP all -- 104.0.0.0/8 anywhere
> DROP all -- 105.0.0.0/8 anywhere
> DROP all -- 106.0.0.0/8 anywhere
> DROP all -- 107.0.0.0/8 anywhere
> DROP all -- 108.0.0.0/8 anywhere
> DROP all -- 109.0.0.0/8 anywhere
> DROP all -- 110.0.0.0/8 anywhere
> DROP all -- 111.0.0.0/8 anywhere
> DROP all -- 112.0.0.0/8 anywhere
> DROP all -- 113.0.0.0/8 anywhere
> DROP all -- 114.0.0.0/8 anywhere
> DROP all -- 115.0.0.0/8 anywhere
> DROP all -- 116.0.0.0/8 anywhere
> DROP all -- 117.0.0.0/8 anywhere
> DROP all -- 118.0.0.0/8 anywhere
> DROP all -- 119.0.0.0/8 anywhere
> DROP all -- 120.0.0.0/8 anywhere
> DROP all -- 121.0.0.0/8 anywhere
> DROP all -- 122.0.0.0/8 anywhere
> DROP all -- 123.0.0.0/8 anywhere
> DROP all -- 124.0.0.0/8 anywhere
> DROP all -- 124.0.0.0/8 anywhere
> DROP all -- 125.0.0.0/8 anywhere
> DROP all -- 126.0.0.0/8 anywhere
> DROP all -- 128.66.0.0/16 anywhere
> DROP all -- 172.16.0.0/12 anywhere
> DROP all -- 197.0.0.0/8 anywhere
> DROP all -- 221.0.0.0/8 anywhere
> DROP all -- 222.0.0.0/8 anywhere
> DROP all -- 223.0.0.0/8 anywhere
> DROP all -- 240.0.0.0/4 anywhere
> DROP tcp -- anywhere anywhere multiport dports
> smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,274
> 44,31335
> DROP udp -- anywhere anywhere multiport dports
> smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,274
> 44,31335
> DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
> DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
> LD all -- 255.255.255.255 anywhere
> LD all -- anywhere 0.0.0.0
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN/FIN,SYN
> DROP tcp -- anywhere anywhere tcp
> flags:SYN,RST/SYN,RST
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,RST/FIN,RST
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,ACK/FIN
> DROP tcp -- anywhere anywhere tcp
> flags:PSH,ACK/PSH
> DROP tcp -- anywhere anywhere tcp
> flags:ACK,URG/URG
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN
> DROP all -- anywhere anywhere state INVALID
> DROP tcp -- anywhere anywhere tcp option=64
> DROP tcp -- anywhere anywhere tcp option=128
> FUDP udp -f anywhere anywhere
> PZ udp -- anywhere anywhere udp dpt:0
> PZ tcp -- anywhere anywhere tcp dpt:0
> REJECT tcp -- anywhere anywhere tcp dpt:auth
> reject-with icmp-port-unreachable
> REJECT udp -- anywhere anywhere udp dpt:auth
> reject-with icmp-port-unreachable
> DROP udp -- anywhere anywhere multiport dports
> netbios-ns,netbios-dgm
> DROP udp -- anywhere 255.255.255.255
> ACCEPT udp -- anywhere anywhere udp spt:domain
> dpts:1023:65535
> ACCEPT tcp -- anywhere anywhere tcp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp spt:ssh
> dpts:login:65535 state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp dpt:ssh
> state ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp
> spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp
> dpt:ftp-data
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ssh
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:smtp
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp
> dpt:domain
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:http
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:https
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:pop3
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:imap
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:19638
> ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp
> dpt:ftp-data
> ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp
> dpt:domain
> ACCEPT icmp -- anywhere anywhere icmp
> destination-unreachable
> ACCEPT icmp -- anywhere anywhere icmp redirect
> ACCEPT icmp -- anywhere anywhere icmp
> time-exceeded
> ACCEPT icmp -- anywhere anywhere icmp echo-reply
> ACCEPT icmp -- anywhere anywhere icmp type 30
> ACCEPT icmp -- anywhere anywhere icmp
> echo-request
> DROP icmp -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp
> dpts:traceroute:33523
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp
> dpt:ftp-data
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ssh
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:smtp
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp
> dpt:domain
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:http
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:https
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:pop3
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:imap
> ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:19638
> ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp
> dpt:ftp-data
> ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp
> dpt:domain
> DROP tcp -- anywhere anywhere tcp
> flags:!SYN,RST,ACK/SYN state NEW
> UDP_POL udp -- anywhere anywhere
> TCP_POL tcp -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> OUT_UNCLEAN all -- anywhere anywhere unclean
> ACCEPT all -- anywhere anywhere
> DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
> DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
> LD all -- 255.255.255.255 anywhere
> LD all -- anywhere 0.0.0.0
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,SYN/FIN,SYN
> DROP tcp -- anywhere anywhere tcp
> flags:SYN,RST/SYN,RST
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,RST/FIN,RST
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,ACK/FIN
> DROP tcp -- anywhere anywhere tcp
> flags:PSH,ACK/PSH
> DROP tcp -- anywhere anywhere tcp
> flags:ACK,URG/URG
> FUDP udp -f anywhere anywhere
> PZ udp -- anywhere anywhere udp dpt:0
> PZ tcp -- anywhere anywhere tcp dpt:0
> ACCEPT udp -- anywhere anywhere udp
> spts:1023:65535 dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp spt:ftp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpt:ftp-data
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:smtp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:http
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:https
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpts:1000:40000
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:ftp-data
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:domain
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpt:ftp-data
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:smtp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:http
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:https
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpts:1000:40000
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:ftp-data
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:domain
> DROP tcp -- anywhere anywhere tcp
> flags:!SYN,RST,ACK/SYN state NEW
> DROP tcp -- anywhere anywhere tcp
> flags:!SYN,RST,ACK/SYN state NEW
> ACCEPT icmp -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> Chain FUDP (2 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** UDP Frag **'
> DROP all -- anywhere anywhere
>
> Chain IN_UNCLEAN (1 references)
> target prot opt source destination
> UNCLEAN all -- anywhere anywhere
> LOG all -- anywhere anywhere LOG level
> warning prefix `** UNCLEAN ** '
>
> Chain LA (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning
> ACCEPT all -- anywhere anywhere
>
> Chain LD (4 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning
> DROP all -- anywhere anywhere
>
> Chain OUT_UNCLEAN (1 references)
> target prot opt source destination
> UNCLEAN all -- anywhere anywhere
> LOG all -- anywhere anywhere LOG level
> warning prefix `** UNCLEAN ** '
>
> Chain PZ (4 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** Port Zero **'
> DROP all -- anywhere anywhere
>
> Chain SANITY (0 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain SSH_LOG (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** SSH ** '
>
> Chain STATE (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> DROP all -- anywhere anywhere
>
> Chain TCP_POL (1 references)
> target prot opt source destination
> LOG tcp -- anywhere anywhere limit: avg 1/sec
> burst 5 LOG level warning prefix `** TCP DROP ** '
> DROP all -- anywhere anywhere
>
> Chain TELNET_LOG (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** TELNET ** '
>
> Chain UDP_POL (1 references)
> target prot opt source destination
> LOG udp -- anywhere anywhere limit: avg 1/sec
> burst 5 LOG level warning prefix `** UDP DROP ** '
> DROP all -- anywhere anywhere
>
> Chain UNCLEAN (2 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
>
>
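As an added example, not code from the thread or from the APF script, here is a small Python audit that applies Mark's advice to the listings Jose posted: it checks that ip_conntrack_ftp is loaded and that the INPUT chain accepts NEW connections to port 21 plus RELATED connections on the high ports the FTP data channel uses. The sample lines are copied from the thread and unwrapped onto single lines; the server address placeholder xxx.SERVER.IP.xxx is the page's own.

```python
# Constructed sample input: lsmod and `iptables -L` lines from the thread,
# abridged to the rules the check needs and unwrapped onto single lines.
LSMOD = """\
ip_conntrack_ftp 5088 0 (unused)
ip_conntrack 26100 3 [ip_conntrack_ftp ip_conntrack_irc ipt_state]
ipt_state 1344 20
"""
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp
DROP all -- anywhere anywhere
"""

def helper_loaded(lsmod_text):
    """True if ip_conntrack_ftp is loaded. A use count of 0 / '(unused)' is
    what lsmod shows for a helper that no other module depends on; it has
    registered itself with ip_conntrack, so the count does not mean it is idle."""
    return any(l.split()[0] == "ip_conntrack_ftp"
               for l in lsmod_text.splitlines() if l.strip())

def audit_input_chain(chain_text):
    """Look for the two rule classes an FTP server needs in INPUT.
    control: NEW connections to tcp/21 must be accepted (a rule with no state
             match accepts every state, so it counts too).
    data:    the data connection (port 20 in active mode, a server-chosen high
             port in passive mode) is only RELATED when the helper has parsed
             the PORT/PASV exchange; without a RELATED accept on the high
             ports it falls through to the final DROP."""
    control = data = False
    for line in chain_text.splitlines():
        f = line.split()
        if not f or f[0] != "ACCEPT" or f[1] != "tcp":
            continue
        states = (f[f.index("state") + 1].split(",") if "state" in f
                  else ["NEW", "RELATED", "ESTABLISHED"])
        if "dpt:ftp" in f and "NEW" in states:
            control = True
        if "RELATED" in states and ("dpts:1023:65535" in f or "ftp-data" in line):
            data = True
    return {"control": control, "data": data}

def ftp_ready(lsmod_text, chain_text):
    """Overall verdict: helper present and both rule classes in place."""
    r = audit_input_chain(chain_text)
    r["helper"] = helper_loaded(lsmod_text)
    r["ok"] = r["helper"] and r["control"] and r["data"]
    return r

if __name__ == "__main__":
    print(ftp_ready(LSMOD, INPUT_CHAIN))
```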
Thread overview:
2003-10-24 14:14 FTP SERVER ACCESS José Nuno Neto
2003-10-25 20:59 ` Mark E. Donaldson
2003-10-26 13:07 ` jose nuno neto [this message]