From: "Andrew B. Cramer" <andrew.cramer@cramer-ts.com>
To: "Dr. Arend Wellmann" <arendwellmann@kade.de>
Cc: linux-admin <linux-admin@vger.kernel.org>
Subject: Re: AW: IP_TABLES Q
Date: Mon, 17 Feb 2003 11:33:48 -0600
Message-ID: <3E50C89C.6415.C4CA454@localhost>
In-Reply-To: <000001c2d693$d57d2400$230110ac@berlin.kade.de>


Hi Arend,
	Thanks for responding. I was right in the change from 21 to 23, but 
that had no effect for FTP. In the past, I used Linux-2.2.x with 
IP_CHAINS. With that I had used the ip_masq_ftp module. That worked. 
I guess what I'm looking for is what use for FTP rules and where to 
put them. The symptom is the client, Win2K with WS_FTP. The WS_FTP 
responds, "425 Can't build data connection: No route to host." line 
2, "! Retrieve of folder listing failed(0)". Again this used to work 
with ipfwadm and then ipchains. It looks like it is not being 
handled.

Thanks - Andrew

On 17 Feb 2003 at 15:49, Dr. Arend Wellmann wrote:

> Hi!
> Your script closed port 21 (ftp) where you meant to close telnet (23 is
> indeed the right port).
> However, I'd recommend you use a dedicated proxy server for http and
> ftp because your firewall script allows any connection from anywhere to
> your network.
> Hope it helps,
> Arend Wellmann
> 
> -----Original Message-----
> From: linux-admin-owner@vger.kernel.org
> [mailto:linux-admin-owner@vger.kernel.org] On behalf of Andrew B. Cramer
> Sent: Monday, 17 February 2003 14:08
> To: linux-admin
> Subject: IP_TABLES Q
> 
> 
> 
> Hi All,
> 	Please look at this and explain where I make the mistake that none
> of the workstations Masq'd are able to establish a FTP session.
> Telnet, email, and web browsing work just fine. 
> 
> TIA - Andrew Cramer
> 
> <ip_tables commands>
> 
> #!/bin/sh
> #
> # rc.firewall-2.4
> FWVER=0.70
> #
> # Thanks to David Ranch's IPMasq HowTo
> #               Initial SIMPLE IP Masquerade test for 2.4.x kernels
> #               using IPTABLES.
> #
> 
> echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
> 
> IPTABLES=/usr/sbin/iptables
> DEPMOD=/sbin/depmod
> INSMOD=/sbin/insmod
> 
> EXTIP="xxx.yyy.zzz.1" # your external IP here.
> EXTIF="ppp0"
> INTIF="eth0"
> 
> echo "   External Interface:  $EXTIF"
> echo "   Internal Interface:  $INTIF"
> echo -en "   loading modules: "
> echo "  - Verifying that all kernel modules are ok"
> $DEPMOD -a
> 
> echo "----------------------------------------------------------------------"
> echo -en "ip_tables, "
> 
> $INSMOD ip_tables
> 
> echo -en "ip_conntrack, "
> $INSMOD ip_conntrack
> 
> echo -en "iptable_nat, "
> $INSMOD iptable_nat
> 
> echo "----------------------------------------------------------------------"
> 
> echo ".  Done loading modules."
> 
> echo "   enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> echo "   clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
> 
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25  -j ACCEPT
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> 
> # Reject telnet sessions from outside (Shouldn't it be 23 ?!?)
> $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21   -j REJECT
> 
> # Forward HTTPS requests  (change the port number to suit yourself)
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
>    --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
>    -j DNAT --to 192.168.1.1:443
> 
> $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
>     -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1
> 
> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
> 
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> 
> echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> 
> <ip_tables Listing>
> root@home:/etc/rc.d# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere           LOG level warning
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> 
> 
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 


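The rc.firewall-2.4 script quoted above, reworked as an added example (editor's code, not Andrew's script and not anything posted in this thread). It assumes the values from the posted script (ppp0 outside, eth0 inside, an HTTPS server at 192.168.1.1, the xxx.yyy.zzz.1 placeholder for the external address) plus a 192.168.1.0/24 LAN, and it loads ip_conntrack_ftp and ip_nat_ftp, the 2.4 counterparts of the ip_masq_ftp module Andrew used with ipchains. Those two helpers are what makes masqueraded FTP work: ip_conntrack_ftp watches the PORT/PASV exchange on the control channel so the data connection matches RELATED, and ip_nat_ftp rewrites the private client address inside the PORT command; without them the remote server tries to connect back to a 192.168.x.y address and reports "425 Can't build data connection: No route to host". The example also moves the telnet REJECT to port 23 and replaces the ACCEPT default policies with DROP, which addresses Arend's point that the posted script admits any connection from anywhere. IPT and MODPROBE can be overridden with "echo iptables" and "echo modprobe" to print the rule set without touching the running kernel.

```shell
#!/bin/sh
# rc.firewall-2.4, reworked (added example; not the script posted to the list).
# Assumed values: ppp0 outside, eth0 inside, LAN 192.168.1.0/24, HTTPS server
# 192.168.1.1. Set IPT="echo iptables" MODPROBE="echo modprobe" for a dry run.
IPT=${IPT:-/usr/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
EXTIF=${EXTIF:-ppp0}
INTIF=${INTIF:-eth0}
EXTIP=${EXTIP:-xxx.yyy.zzz.1}   # placeholder, exactly as in the posted script
LAN=${LAN:-192.168.1.0/24}
WEBSRV=${WEBSRV:-192.168.1.1}

load_modules() {
    # The 2.4 counterparts of ip_masq_ftp: ip_conntrack_ftp reads the PORT/PASV
    # exchange on the control channel and marks the data connection RELATED;
    # ip_nat_ftp rewrites the private address the masqueraded client puts in
    # its PORT command. Without them the server connects to 192.168.x.y and
    # fails with "No route to host".
    for m in ip_tables ip_conntrack iptable_nat ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
}

reset_policy() {
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -F OUTPUT
    $IPT -t nat -F
    # Deny by default on INPUT and FORWARD; the posted script left both ACCEPT.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INTIF" -s "$LAN" -j ACCEPT
    # Mail services exposed on the outside interface, as in the posted script.
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 25 -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 110 -j ACCEPT
    # Telnet is 23, not 21; the posted rule rejected the FTP control port.
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 23 -j REJECT
}

forward_rules() {
    # LAN out; replies and RELATED connections (the FTP data channel) back in.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New HTTPS connections only to the DNATed web server.
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBSRV" --dport 443 \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

nat_rules() {
    # One DNAT rule; the posted script carried two overlapping ones.
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport 443 \
        -j DNAT --to-destination "$WEBSRV:443"
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

apply_firewall() {
    load_modules
    reset_policy
    input_rules
    forward_rules
    nat_rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply only when asked (APPLY=yes), so sourcing the file for a dry run is safe.
if [ "${APPLY:-no}" = yes ]; then
    apply_firewall
fi
```

Run it as `APPLY=yes sh rc.firewall-2.4` on the gateway, or `IPT="echo iptables" MODPROBE="echo modprobe" sh -c '. ./rc.firewall-2.4; apply_firewall'` to review the generated rules first. After loading, `iptables -L FORWARD -v` should show the ESTABLISHED,RELATED rule's counters increase when a masqueraded client lists a directory over FTP; if they do not, check `lsmod` for ip_conntrack_ftp and ip_nat_ftp.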
Thread overview:
2003-02-17 13:07 IP_TABLES Q Andrew B. Cramer
     [not found] ` <000001c2d693$d57d2400$230110ac@berlin.kade.de>
2003-02-17 17:33   ` Andrew B. Cramer [this message]
     [not found]     ` <1045526303.18928.3.camel@linux>
2003-02-18  0:31       ` AW: " Andrew B. Cramer
2003-02-18  1:04         ` Glynn Clements
2003-02-18  1:30           ` AW: IP_TABLES Q - Solved Andrew B. Cramer
     [not found]         ` <1045530465.18928.9.camel@linux>
2003-02-18  1:18           ` AW: IP_TABLES Q Andrew B. Cramer
