From: "Andrew B. Cramer" <andrew.cramer@cramer-ts.com>
To: "Bart E. Hawley Sr." <bart@lonewolfe.net>
Cc: linux-admin <linux-admin@vger.kernel.org>
Subject: Re: AW: IP_TABLES Q
Date: Mon, 17 Feb 2003 19:18:33 -0600
Message-ID: <3E513589.7494.DF63405@localhost>
In-Reply-To: <1045530465.18928.9.camel@linux>
Hi Bart,
Still no good. I'll keep trying, and accept any ideas.
- Andrew
<snip>
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Try this for FTP (ABC) - Did not work
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 21 -j ACCEPT
</snip>
On 17 Feb 2003 at 19:07, Bart E. Hawley Sr. wrote:
> On Mon, 2003-02-17 at 18:31, Andrew B. Cramer wrote:
> >
> > Hi Bart,
> > In the interim, I did add for ports 20 & 21. same thing. Even Windoz
> > FTP gives the same message. Here is a segment from my new script.
> >
> > Thanks - Andrew
> >
> > <snip>
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> >
> Hi Andrew,
>
> Sorry I didn't read down to the protocols so I missed that earlier. You
> need to set it for both protocols - TCP and UDP
> The following is from IANA port assignments.
>
> ftp-data 20/tcp File Transfer [Default Data]
> ftp-data 20/udp File Transfer [Default Data]
> ftp 21/tcp File Transfer [Control]
> ftp 21/udp File Transfer [Control]
>
> Bart
>
> > # Try this for FTP (ABC) - Did not work
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
> >
> > # Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
> > $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23 -j REJECT
> > </snip>
> >
> > On 17 Feb 2003 at 17:58, Bart E. Hawley Sr. wrote:
> >
> > > On Mon, 2003-02-17 at 11:33, Andrew B. Cramer wrote:
> > > >
> > > > Hi Arend,
> > > > Thanks for responding. I was right in the change from 21 to 23, but
> > > > that had no effect for FTP. In the past, I used Linux-2.2.x with
> > > > IP_CHAINS. With that I had used the ip_masq_ftp module. That worked.
> > > > I guess what I'm looking for is what use for FTP rules and where to
> > > > put them. The symptom is the client, Win2K with WS_FTP. The WS_FTP
> > > > responds, "425 Can't build data connection: No route to host." line
> > > > 2, "! Retrieve of folder listing failed(0)". Again this used to work
> > > > with ipfwadm and then ipchains. It looks like it is not being
> > > > handled.
> > > >
> > >
> > >
> > > From what I see in your error message you need to also open the FTP data
> > > port - port 20 - to get the information through or try setting the
> > > client to passive mode.
> > >
> > > Bart
> > > > Thanks - Andrew
> > > >
> > > > On 17 Feb 2003 at 15:49, Dr. Arend Wellmann wrote:
> > > >
> > > > > Hi!
> > > > > Your script closed port 21 (ftp) where you meant to close telnet (23 is
> > > > > indeed the right port).
> > > > > However, I'd recommend you use a dedicated proxy server for http and
> > > > > ftp because your firewall script allows any connection from anywhere to
> > > > > your network.
> > > > > Hope it helps,
> > > > > Arend Wellmann
> > > > >
> > > > > -----Original Message-----
> > > > > From: linux-admin-owner@vger.kernel.org
> > > > > [mailto:linux-admin-owner@vger.kernel.org] On behalf of Andrew B. Cramer
> > > > > Sent: Monday, 17 February 2003 14:08
> > > > > To: linux-admin
> > > > > Subject: IP_TABLES Q
> > > > >
> > > > >
> > > > >
> > > > > Hi All,
> > > > > Please look at this and explain where I make the mistake that none
> > > > > of the workstations Masq'd are able to establish a FTP session.
> > > > > Telnet, email, and web browsing work just fine.
> > > > >
> > > > > TIA - Andrew Cramer
> > > > >
> > > > > <ip_tables commands>
> > > > >
> > > > > #!/bin/sh
> > > > > #
> > > > > # rc.firewall-2.4
> > > > > FWVER=0.70
> > > > > #
> > > > > # Thanks to David Ranch's IPMasq HowTo
> > > > > # Initial SIMPLE IP Masquerade test for 2.4.x kernels
> > > > > # using IPTABLES.
> > > > > #
> > > > >
> > > > > echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
> > > > >
> > > > > IPTABLES=/usr/sbin/iptables
> > > > > DEPMOD=/sbin/depmod
> > > > > INSMOD=/sbin/insmod
> > > > >
> > > > > EXTIP="xxx.yyy.zzz.1" # your external IP here.
> > > > > EXTIF="ppp0"
> > > > > INTIF="eth0"
> > > > >
> > > > > echo " External Interface: $EXTIF"
> > > > > echo " Internal Interface: $INTIF"
> > > > > echo -en " loading modules: "
> > > > > echo " - Verifying that all kernel modules are ok"
> > > > > $DEPMOD -a
> > > > >
> > > > > echo "----------------------------------------------------------------------"
> > > > > echo -en "ip_tables, "
> > > > >
> > > > > $INSMOD ip_tables
> > > > >
> > > > > echo -en "ip_conntrack, "
> > > > > $INSMOD ip_conntrack
> > > > >
> > > > > echo -en "iptable_nat, "
> > > > > $INSMOD iptable_nat
> > > > >
> > > > > echo "----------------------------------------------------------------------"
> > > > >
> > > > > echo ". Done loading modules."
> > > > >
> > > > > echo " enabling forwarding.."
> > > > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > > > >
> > > > > echo " clearing any existing rules and setting default policy.."
> > > > > $IPTABLES -P INPUT ACCEPT
> > > > > $IPTABLES -F INPUT
> > > > > $IPTABLES -P OUTPUT ACCEPT
> > > > > $IPTABLES -F OUTPUT
> > > > > $IPTABLES -P FORWARD ACCEPT
> > > > > $IPTABLES -F FORWARD
> > > > > $IPTABLES -t nat -F
> > > > >
> > > > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> > > > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> > > > >
> > > > > # Reject telnet sessions from outside (Shouldn't it be 23 ?!?)
> > > > > $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21 -j REJECT
> > > > >
> > > > > # Forward HTTPS requests (change the port number to suit yourself)
> > > > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
> > > > > --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > > > >
> > > > > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
> > > > > -j DNAT --to 192.168.1.1:443
> > > > >
> > > > > $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
> > > > > -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1
> > > > >
> > > > > echo " FWD: Allow all connections OUT and only existing and related ones IN"
> > > > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > > > > $IPTABLES -A FORWARD -j LOG
> > > > >
> > > > > echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > > > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> > > > >
> > > > > echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> > > > >
> > > > > <ip_tables Listing>
> > > > > root@home:/etc/rc.d# iptables -L
> > > > > Chain INPUT (policy ACCEPT)
> > > > > target prot opt source destination
> > > > > ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
> > > > > ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
> > > > > REJECT tcp -- anywhere anywhere tcp dpt:ftp reject-with icmp-port-unreachable
> > > > >
> > > > > Chain FORWARD (policy ACCEPT)
> > > > > target prot opt source destination
> > > > > ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,RELATED,ESTABLISHED
> > > > > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> > > > > ACCEPT all -- anywhere anywhere
> > > > > LOG all -- anywhere anywhere LOG level warning
> > > > >
> > > > > Chain OUTPUT (policy ACCEPT)
> > > > > target prot opt source destination
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > -
> > > > > To unsubscribe from this list: send the line "unsubscribe linux-admin"
> > > > > in
> > > > > the body of a message to majordomo@vger.kernel.org
> > > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > > > >
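Added example by the editor, not code from the thread or from David Ranch's HOWTO: a 2.4.x iptables masquerading gateway that handles FTP. The symptom in the thread ("425 Can't build data connection: No route to host") is what a masqueraded client gets when the FTP server tries to open the data connection back to the private address the client announced; the iptables counterpart of the ipchains ip_masq_ftp module Andrew mentions is the pair ip_conntrack_ftp and ip_nat_ftp. Interface names (ppp0, eth0) are taken from the script in the thread; the function names, the FW_APPLY switch and the sample module listing in the comments are my own assumptions. It is a dry run by default and prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the thread: FTP through a 2.4.x iptables
# masquerading gateway. Interface names come from the thread's script;
# ip_conntrack_ftp / ip_nat_ftp are the stock 2.4 netfilter FTP helpers.
#
# Dry run by default (prints the commands). Set FW_APPLY=1 to run them as root.

EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-eth0}"

if [ "${FW_APPLY:-0}" = "1" ]; then
    IPTABLES=/usr/sbin/iptables
    MODPROBE=/sbin/modprobe
else
    IPTABLES="echo /usr/sbin/iptables"
    MODPROBE="echo /sbin/modprobe"
fi

# Why the thread's script fails: in active-mode FTP the server connects back
# (from its port 20) to the address the client sent in the PORT command. A
# masqueraded client sends its private 192.168.x.x address, which the server
# cannot reach ("No route to host"). ip_conntrack_ftp parses PORT/PASV on the
# control channel and marks the data connection RELATED; ip_nat_ftp rewrites
# the address inside the command to the gateway's public address.
load_ftp_helpers() {
    for m in ip_tables ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp; do
        $MODPROBE "$m" || return 1
    done
}

# Rules that let LAN clients reach FTP servers while keeping the gateway
# default-deny for unsolicited traffic from the outside.
ftp_gateway_rules() {
    # Default-deny; the thread's script leaves every chain at ACCEPT.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # LAN -> Internet: new FTP control connections only; data channels are
    # admitted as RELATED by the helper, so no port-20 rule is needed.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Internet -> LAN: only replies and helper-tracked data connections
    # (this covers both active and passive mode).
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -j LOG --log-prefix "FWD-DROP: "

    # Masquerade LAN traffic leaving the external interface.
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Diagnostic: given the text of /proc/modules (or lsmod output), print each
# FTP helper module that is NOT loaded. Returns 0 when both are present.
# Usage: missing_ftp_helpers "$(cat /proc/modules)"
missing_ftp_helpers() {
    modules="$1"
    status=0
    for m in ip_conntrack_ftp ip_nat_ftp; do
        if ! printf '%s\n' "$modules" | grep -q "^$m "; then
            echo "$m"
            status=1
        fi
    done
    return $status
}

load_ftp_helpers && ftp_gateway_rules
```

The first thing to check on a gateway showing this symptom is `missing_ftp_helpers "$(cat /proc/modules)"`: if it prints either module name, no amount of port-20/21 ACCEPT rules (TCP or UDP) will help, because the data connection is never rewritten or tracked.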
Thread overview (6+ messages):
2003-02-17 13:07 IP_TABLES Q - Andrew B. Cramer
2003-02-17 17:33 ` AW: IP_TABLES Q - Andrew B. Cramer
2003-02-18 0:31 ` Andrew B. Cramer
2003-02-18 1:04 ` Glynn Clements
2003-02-18 1:30 ` AW: IP_TABLES Q - Solved - Andrew B. Cramer
2003-02-18 1:18 ` Andrew B. Cramer [this message]