* Re: [LARTC] ip_conntrack_ftp
2004-05-10 19:45 [LARTC] ip_conntrack_ftp raptor
@ 2004-05-10 20:37 ` Andy Furniss
2004-05-11 7:09 ` raptor
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Andy Furniss @ 2004-05-10 20:37 UTC (permalink / raw)
To: lartc
raptor wrote:
> As read here :
> http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
>
> modprobe ip_conntrack_ftp
> would give me the ability to use active ftp if I have (pseudo/simplified code)
>
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -j DROP
>
> but I can't use active ftp, WHAT IS WRONG.. eth0 is the internal interface..
>
If you are NATing use ip_nat_ftp as well.
Not sure that that firewall rule is OK - but then I don't know what else
you have.
My firewall is a direct copy and paste from one of Rusty's guides - ppp0
is my external interface -
## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
Andy.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
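As an added illustration (not code from the thread or from netfilter) of what the ESTABLISHED,RELATED rule above relies on: in active FTP the client announces an address and port with a PORT command on the control channel, and the server then opens a brand-new inbound TCP connection to it, which a plain state match would see as NEW and drop. The model below mimics how the FTP helper parses PORT, registers an expectation, and thereby lets the state match classify that one inbound SYN as RELATED; all IP addresses are constructed, and the address check and one-shot expectation are simplifications of the kernel helper's behaviour.

```python
"""Model of the expectation mechanism behind ip_conntrack_ftp (added example).

Active FTP: client sends "PORT h1,h2,h3,h4,p1,p2" over the control
connection (server port 21); the server then connects back to that
address/port. Without a helper the inbound SYN is NEW and the firewall's
ESTABLISHED,RELATED rule drops it. The helper turns it into RELATED.
"""
import re

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n$")


def parse_port_command(line: bytes):
    """Return (ip, port) announced by a PORT command, or None if malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # not a valid dotted quad / 16-bit port, helper ignores it
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


class FtpHelper:
    """Simplified stand-in for the kernel helper: one expectation per PORT."""

    def __init__(self):
        # (server_ip, client_ip, client_port); the server's source port is
        # not pinned, just as the real expectation leaves it wildcarded.
        self.expectations = set()

    def on_control_payload(self, client_ip, server_ip, payload: bytes):
        """Inspect client->server control traffic for PORT commands."""
        for line in payload.splitlines(keepends=True):
            parsed = parse_port_command(line)
            if parsed is None:
                continue
            ip, port = parsed
            # Only honour an address equal to the control session's own client
            # (the helper's default, non-"loose" mode); otherwise a client
            # could make the firewall admit connections towards other hosts.
            if ip == client_ip:
                self.expectations.add((server_ip, ip, port))

    def classify_syn(self, src_ip, dst_ip, dst_port):
        """State '-m state' would see for an inbound SYN with no prior flow."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.discard(key)  # an expectation is consumed once
            return "RELATED"
        return "NEW"
```

With NAT in the path the same PORT payload also has to be rewritten to the public address, which is the separate job of ip_nat_ftp that Andy mentions.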
* Re: [LARTC] ip_conntrack_ftp
From: raptor @ 2004-05-11 7:09 UTC (permalink / raw)
To: lartc
yep my config is very similar, i.e.:
iptables -N block
iptables -A block -i $ifInt0 -j ACCEPT
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -j DROP
iptables -A INPUT -i $ifWan0 -j services
iptables -A FORWARD -i $ifWan0 -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block
I also added this (do I really need it in my config? I'm allowing everything from inside anyway):
> iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT
after ESTABLISHED,RELATED but still can do active FTP
"services" is for giving access to well-known services...
I'm not using NAT
On Mon, 10 May 2004 21:37:27 +0100
Andy Furniss <andy.furniss@dsl.pipex.com> wrote:
> raptor wrote:
> > As read here :
> > http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
> >
> > modprobe ip_conntrack_ftp
> > would give me the ability to use active ftp if I have (pseudo/simplified code)
> >
> > iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -j DROP
> >
> > but I can't use active ftp, WHAT IS WRONG.. eth0 is the internal interface..
> >
>
> If you are NATing use ip_nat_ftp as well.
>
> Not sure that that firewall rule is OK - but then I don't know what else
> you have.
>
> My firewall is a direct copy and paste from one of Rusty's guides - ppp0
> is my external interface -
>
> ## Create chain which blocks new connections, except if coming from inside.
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A block -j DROP
>
> ## Jump to that chain from INPUT and FORWARD chains.
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
>
> Andy.
>
>
* Re: [LARTC] ip_conntrack_ftp
From: Andy Furniss @ 2004-05-12 7:53 UTC (permalink / raw)
To: lartc
raptor wrote:
> yep my config is very similar, i.e.:
>
> iptables -N block
> iptables -A block -i $ifInt0 -j ACCEPT
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -j DROP
>
>
> iptables -A INPUT -i $ifWan0 -j services
> iptables -A FORWARD -i $ifWan0 -j services
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
>
> I also added this (do I really need it in my config? I'm allowing everything from inside anyway):
>
>>iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT
>
>
> after ESTABLISHED,RELATED but still can do active FTP
>
> "services" is for giving access to well-known services...
> I'm not using NAT
I am not sure what's wrong.
Are you running an FTP server or just trying to access one on the
internet from behind the firewall?
Andy.
<snip>
* Re: [LARTC] ip_conntrack_ftp
From: raptor @ 2004-05-12 12:29 UTC (permalink / raw)
To: lartc
trying to access ftp servers from inside...
> raptor wrote:
> > yep my config is very similar, i.e.:
> >
> > iptables -N block
> > iptables -A block -i $ifInt0 -j ACCEPT
> > iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A block -j DROP
> >
> >
> > iptables -A INPUT -i $ifWan0 -j services
> > iptables -A FORWARD -i $ifWan0 -j services
> > iptables -A INPUT -j block
> > iptables -A FORWARD -j block
> >
> > I also added this (do I really need it in my config? I'm allowing everything from inside anyway):
> >
> >>iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT
> >
> >
> > after ESTABLISHED,RELATED but still can do active FTP
> >
> > "services" is for giving access to well-known services...
> > I'm not using NAT
>
> I am not sure what's wrong.
>
> Are you running an FTP server or just trying to access one on the
> internet from behind the firewall?
>
* Re: [LARTC] ip_conntrack_ftp
From: Andy Furniss @ 2004-05-13 10:16 UTC (permalink / raw)
To: lartc
raptor wrote:
> trying to access ftp servers from inside...
Well I am not sure - I would be double checking all scripts for
typos/brainos. You haven't posted everything you use - and even if you
did I am no netfilter/firewalling expert. The netfilter list is probably
a better place for this sort of issue.
Andy.