* FTP SERVER ACCESS
From: José Nuno Neto @ 2003-10-24 14:14 UTC
To: netfilter
Hi,
I have a firewall script from
http://www.rfxnetworks.com/apf.php
I've followed the instructions and have access to everything I want except for
the FTP server.
Can anyone point out what ports/actions I must set up?
thanks
-------------------------------------------
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
IN_UNCLEAN all -- anywhere anywhere unclean
ACCEPT all -- anywhere anywhere
TELNET_LOG tcp -- anywhere anywhere tcp dpt:telnet state NEW
SSH_LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW
DROP all -- 1.0.0.0/8 anywhere
DROP all -- 2.0.0.0/8 anywhere
DROP all -- 5.0.0.0/8 anywhere
DROP all -- 7.0.0.0/8 anywhere
DROP all -- 23.0.0.0/8 anywhere
DROP all -- 27.0.0.0/8 anywhere
DROP all -- 31.0.0.0/8 anywhere
DROP all -- 36.0.0.0/8 anywhere
DROP all -- 37.0.0.0/8 anywhere
DROP all -- 39.0.0.0/8 anywhere
DROP all -- 41.0.0.0/8 anywhere
DROP all -- 42.0.0.0/8 anywhere
DROP all -- 58.0.0.0/8 anywhere
DROP all -- 59.0.0.0/8 anywhere
DROP all -- 60.0.0.0/8 anywhere
DROP all -- 70.0.0.0/8 anywhere
DROP all -- 71.0.0.0/8 anywhere
DROP all -- 72.0.0.0/8 anywhere
DROP all -- 73.0.0.0/8 anywhere
DROP all -- 74.0.0.0/8 anywhere
DROP all -- 75.0.0.0/8 anywhere
DROP all -- 76.0.0.0/8 anywhere
DROP all -- 77.0.0.0/8 anywhere
DROP all -- 78.0.0.0/8 anywhere
DROP all -- 78.0.0.0/8 anywhere
DROP all -- 79.0.0.0/8 anywhere
DROP all -- 83.0.0.0/8 anywhere
DROP all -- 84.0.0.0/8 anywhere
DROP all -- 85.0.0.0/8 anywhere
DROP all -- 86.0.0.0/8 anywhere
DROP all -- 87.0.0.0/8 anywhere
DROP all -- 88.0.0.0/8 anywhere
DROP all -- 89.0.0.0/8 anywhere
DROP all -- 90.0.0.0/8 anywhere
DROP all -- 91.0.0.0/8 anywhere
DROP all -- 92.0.0.0/8 anywhere
DROP all -- 93.0.0.0/8 anywhere
DROP all -- 94.0.0.0/8 anywhere
DROP all -- 95.0.0.0/8 anywhere
DROP all -- 96.0.0.0/8 anywhere
DROP all -- 97.0.0.0/8 anywhere
DROP all -- 98.0.0.0/8 anywhere
DROP all -- 99.0.0.0/8 anywhere
DROP all -- 100.0.0.0/8 anywhere
DROP all -- 101.0.0.0/8 anywhere
DROP all -- 102.0.0.0/8 anywhere
DROP all -- 103.0.0.0/8 anywhere
DROP all -- 104.0.0.0/8 anywhere
DROP all -- 105.0.0.0/8 anywhere
DROP all -- 106.0.0.0/8 anywhere
DROP all -- 107.0.0.0/8 anywhere
DROP all -- 108.0.0.0/8 anywhere
DROP all -- 109.0.0.0/8 anywhere
DROP all -- 110.0.0.0/8 anywhere
DROP all -- 111.0.0.0/8 anywhere
DROP all -- 112.0.0.0/8 anywhere
DROP all -- 113.0.0.0/8 anywhere
DROP all -- 114.0.0.0/8 anywhere
DROP all -- 115.0.0.0/8 anywhere
DROP all -- 116.0.0.0/8 anywhere
DROP all -- 117.0.0.0/8 anywhere
DROP all -- 118.0.0.0/8 anywhere
DROP all -- 119.0.0.0/8 anywhere
DROP all -- 120.0.0.0/8 anywhere
DROP all -- 121.0.0.0/8 anywhere
DROP all -- 122.0.0.0/8 anywhere
DROP all -- 123.0.0.0/8 anywhere
DROP all -- 124.0.0.0/8 anywhere
DROP all -- 124.0.0.0/8 anywhere
DROP all -- 125.0.0.0/8 anywhere
DROP all -- 126.0.0.0/8 anywhere
DROP all -- 128.66.0.0/16 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 197.0.0.0/8 anywhere
DROP all -- 221.0.0.0/8 anywhere
DROP all -- 222.0.0.0/8 anywhere
DROP all -- 223.0.0.0/8 anywhere
DROP all -- 240.0.0.0/4 anywhere
DROP tcp -- anywhere anywhere multiport dports smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,27444,31335
DROP udp -- anywhere anywhere multiport dports smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,27444,31335
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
LD all -- 255.255.255.255 anywhere
LD all -- anywhere 0.0.0.0
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP all -- anywhere anywhere state INVALID
DROP tcp -- anywhere anywhere tcp option=64
DROP tcp -- anywhere anywhere tcp option=128
FUDP udp -f anywhere anywhere
PZ udp -- anywhere anywhere udp dpt:0
PZ tcp -- anywhere anywhere tcp dpt:0
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:auth reject-with icmp-port-unreachable
DROP udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm
DROP udp -- anywhere 255.255.255.255
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1023:65535
ACCEPT tcp -- anywhere anywhere tcp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh dpts:login:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp-data
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ssh
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:smtp
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:domain
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:http
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:https
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:pop3
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:imap
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:19638
ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp dpt:ftp-data
ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp redirect
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp type 30
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP icmp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpts:traceroute:33523
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp-data
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ssh
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:smtp
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:domain
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:http
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:https
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:pop3
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:imap
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:19638
ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp dpt:ftp-data
ACCEPT udp -- anywhere xxx.SERVER.IP.xxx udp dpt:domain
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
UDP_POL udp -- anywhere anywhere
TCP_POL tcp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUT_UNCLEAN all -- anywhere anywhere unclean
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
LD all -- 255.255.255.255 anywhere
LD all -- anywhere 0.0.0.0
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
DROP tcp -- anywhere anywhere tcp flags:PSH,ACK/PSH
DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
FUDP udp -f anywhere anywhere
PZ udp -- anywhere anywhere udp dpt:0
PZ tcp -- anywhere anywhere tcp dpt:0
ACCEPT udp -- anywhere anywhere udp spts:1023:65535 dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport dports ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp-data
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:smtp
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:http
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:https
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpts:1000:40000
ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp-data
ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp
ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:domain
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp-data
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:smtp
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:http
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:https
ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpts:1000:40000
ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp-data
ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp
ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:domain
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
ACCEPT icmp -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FUDP (2 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `** UDP Frag **'
DROP all -- anywhere anywhere
Chain IN_UNCLEAN (1 references)
target prot opt source destination
UNCLEAN all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `** UNCLEAN ** '
Chain LA (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
ACCEPT all -- anywhere anywhere
Chain LD (4 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Chain OUT_UNCLEAN (1 references)
target prot opt source destination
UNCLEAN all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `** UNCLEAN ** '
Chain PZ (4 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `** Port Zero **'
DROP all -- anywhere anywhere
Chain SANITY (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain SSH_LOG (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `** SSH ** '
Chain STATE (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- anywhere anywhere
Chain TCP_POL (1 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `** TCP DROP ** '
DROP all -- anywhere anywhere
Chain TELNET_LOG (1 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix `** TELNET ** '
Chain UDP_POL (1 references)
target prot opt source destination
LOG udp -- anywhere anywhere limit: avg 1/sec burst 5 LOG level warning prefix `** UDP DROP ** '
DROP all -- anywhere anywhere
Chain UNCLEAN (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
* RE: FTP SERVER ACCESS
From: Mark E. Donaldson @ 2003-10-25 20:59 UTC
To: Jose Nuno Neto, netfilter
FTP is one of the most difficult protocols to get through a firewall. To
begin with, are you using the netfilter ftp connection tracking module?
$MODPROBE ip_conntrack_ftp
Start with this. If you need more help let me know.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Jose Nuno Neto
Sent: Friday, October 24, 2003 7:15 AM
To: netfilter@lists.netfilter.org
Subject: FTP SERVER ACCESS
Hi,
I have a firewall script from
http://www.rfxnetworks.com/apf.php
I've followed the instructions and have access to everything I want except for
the FTP server.
Can anyone point out what ports/actions I must set up?
thanks
* RE: FTP SERVER ACCESS
From: jose nuno neto @ 2003-10-26 13:07 UTC
To: markee; +Cc: netfilter
Hi,
This is the output of lsmod:
ipt_mark 1216 1 (autoclean)
ipt_MARK 1632 13 (autoclean)
ipt_TOS 1856 6 (autoclean)
iptable_mangle 3040 1
ipt_multiport 1440 7
ip_conntrack_ftp 5088 0 (unused)
ip_conntrack_irc 4256 0 (unused)
ipt_REJECT 4000 2
ipt_LOG 4384 10
ipt_limit 1728 2
ipt_state 1344 20
ip_conntrack 26100 3 [ip_conntrack_ftp ip_conntrack_irc ipt_state]
ipt_unclean 7872 2
iptable_filter 2528 1
ip_tables 13760 11 [ipt_mark ipt_MARK ipt_TOS iptable_mangle ipt_multiport ipt_REJECT ipt_LOG ipt_limit ipt_state ipt_unclean iptable_filter]
It shows "unused" for ip_conntrack_ftp; is this good?
On Sat, 2003-10-25 at 21:59, Mark E. Donaldson wrote:
> FTP is one of the most difficult protocols to get through a firewall. To
> begin with, are you using the netfilter ftp connection tracking module?
> $MODPROBE ip_conntrack_ftp
>
> Start with this. If you need more help let me know.
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Jose Nuno Neto
> Sent: Friday, October 24, 2003 7:15 AM
> To: netfilter@lists.netfilter.org
> Subject: FTP SERVER ACCESS
>
>
> Hi,
>
> I have a firewall script from
> http://www.rfxnetworks.com/apf.php
>
> I've followed the instructions and have access to everything I want except for
> the FTP server.
> Can anyone point out what ports/actions I must set up?
>
> thanks
>
> -------------------------------------------
> flags:FIN,RST/FIN,RST
> DROP tcp -- anywhere anywhere tcp
> flags:FIN,ACK/FIN
> DROP tcp -- anywhere anywhere tcp
> flags:PSH,ACK/PSH
> DROP tcp -- anywhere anywhere tcp
> flags:ACK,URG/URG
> FUDP udp -f anywhere anywhere
> PZ udp -- anywhere anywhere udp dpt:0
> PZ tcp -- anywhere anywhere tcp dpt:0
> ACCEPT udp -- anywhere anywhere udp
> spts:1023:65535 dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere udp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere tcp spt:ftp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT udp -- anywhere anywhere multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpt:ftp-data
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:smtp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:http
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:https
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpts:1000:40000
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:ftp-data
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:domain
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpt:ftp-data
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:ftp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:smtp
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:http
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp dpt:https
> ACCEPT tcp -- xxx.SERVER.IP.xxx anywhere tcp
> dpts:1000:40000
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:ftp-data
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp dpt:ftp
> ACCEPT udp -- xxx.SERVER.IP.xxx anywhere udp
> dpt:domain
> DROP tcp -- anywhere anywhere tcp
> flags:!SYN,RST,ACK/SYN state NEW
> DROP tcp -- anywhere anywhere tcp
> flags:!SYN,RST,ACK/SYN state NEW
> ACCEPT icmp -- anywhere anywhere
> DROP all -- anywhere anywhere
>
> Chain FUDP (2 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** UDP Frag **'
> DROP all -- anywhere anywhere
>
> Chain IN_UNCLEAN (1 references)
> target prot opt source destination
> UNCLEAN all -- anywhere anywhere
> LOG all -- anywhere anywhere LOG level
> warning prefix `** UNCLEAN ** '
>
> Chain LA (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning
> ACCEPT all -- anywhere anywhere
>
> Chain LD (4 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning
> DROP all -- anywhere anywhere
>
> Chain OUT_UNCLEAN (1 references)
> target prot opt source destination
> UNCLEAN all -- anywhere anywhere
> LOG all -- anywhere anywhere LOG level
> warning prefix `** UNCLEAN ** '
>
> Chain PZ (4 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** Port Zero **'
> DROP all -- anywhere anywhere
>
> Chain SANITY (0 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain SSH_LOG (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** SSH ** '
>
> Chain STATE (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state
> RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> DROP all -- anywhere anywhere
>
> Chain TCP_POL (1 references)
> target prot opt source destination
> LOG tcp -- anywhere anywhere limit: avg 1/sec
> burst 5 LOG level warning prefix `** TCP DROP ** '
> DROP all -- anywhere anywhere
>
> Chain TELNET_LOG (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level
> warning prefix `** TELNET ** '
>
> Chain UDP_POL (1 references)
> target prot opt source destination
> LOG udp -- anywhere anywhere limit: avg 1/sec
> burst 5 LOG level warning prefix `** UDP DROP ** '
> DROP all -- anywhere anywhere
>
> Chain UNCLEAN (2 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
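The quoted listing is mail-wrapped, which hides what the INPUT chain actually does with an FTP session. The Python below is an added example (not from the thread or from the APF script) that re-joins wrapped rule lines and checks the two things that matter for FTP through this ruleset: that port 21 is accepted for the server address, and whether passive-mode data connections, which arrive on unprivileged ports, are admitted only by the RELATED,ESTABLISHED rule on dpts:1023:65535; the kernel marks those SYNs RELATED only when the FTP connection-tracking helper (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp later) is loaded, otherwise they are NEW and fall through to TCP_POL. The LISTING excerpt is constructed and modelled on the quoted rules, and `xxx.SERVER.IP.xxx` is the poster's own placeholder.

```python
import re

# Constructed excerpt of an `iptables -L` INPUT chain, modelled on the listing
# quoted in the thread; long rules wrap onto a continuation line as in the mail.
LISTING = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp
dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp-data
ACCEPT tcp -- anywhere xxx.SERVER.IP.xxx tcp dpt:ftp
DROP tcp -- anywhere anywhere tcp
flags:!SYN,RST,ACK/SYN state NEW
TCP_POL tcp -- anywhere anywhere
DROP all -- anywhere anywhere
"""
# target, protocol, opt (-- or -f), source, destination, remaining match text
RULE_RE = re.compile(r"^(\S+)\s+(all|tcp|udp|icmp)\s+(--|-f)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """{chain: [rule dicts]}; mail-wrapped continuation lines are re-joined."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif not line or line.startswith("target prot opt") or current is None:
            continue
        elif (m := RULE_RE.match(line)):
            target, prot, _opt, src, dst, extra = m.groups()
            chains[current].append({"target": target, "prot": prot,
                                    "src": src, "dst": dst, "extra": extra})
        elif chains[current]:          # continuation of the previous rule
            chains[current][-1]["extra"] += " " + line
    return chains

def ftp_audit(chains, server_ip):
    """Is port 21 accepted for the server, and are passive data connections
    (client -> unprivileged server port) let in only as RELATED (helper needed)?"""
    accepts = [r for r in chains.get("INPUT", [])
               if r["target"] == "ACCEPT" and r["prot"] == "tcp"]
    control_open = any(r["dst"] in (server_ip, "anywhere")
                       and "dpt:ftp" in r["extra"].split() for r in accepts)
    related_high = any("dpts:1023:65535" in r["extra"] and "RELATED" in r["extra"]
                       for r in accepts)
    explicit_range = any(re.search(r"dpts:\d+:\d+", r["extra"])
                         and "state" not in r["extra"] for r in accepts)
    return {"control_port_open": control_open,
            "passive_via_related": related_high,
            "passive_needs_helper": related_high and not explicit_range}
```

Run `ftp_audit(parse_listing(LISTING), "xxx.SERVER.IP.xxx")` against a real listing saved from `iptables -L` to see whether passive FTP on that box stands or falls with the conntrack helper.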
Thread overview: 3+ messages
2003-10-24 14:14 FTP SERVER ACCESS José Nuno Neto
2003-10-25 20:59 ` Mark E. Donaldson
2003-10-26 13:07 ` jose nuno neto