From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Andrew B. Cramer"
Subject: Re: AW: IP_TABLES Q
Date: Mon, 17 Feb 2003 11:33:48 -0600
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <3E50C89C.6415.C4CA454@localhost>
References: <3E508A48.29474.B592241@localhost>
Reply-To: andrew.cramer@cramer-ts.com
Mime-Version: 1.0
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path:
In-reply-to: <000001c2d693$d57d2400$230110ac@berlin.kade.de>
Content-description: Mail message body
List-Id:
Content-Type: text/plain; charset="iso-8859-1"
To: "Dr. Arend Wellmann"
Cc: linux-admin

Hi Arend,

Thanks for responding. I was right in the change from 21 to 23, but
that had no effect for FTP. In the past, I used Linux 2.2.x with
IP_CHAINS. With that I had used the ip_masq_ftp module. That worked.
I guess what I'm looking for is what to use for FTP rules and where to
put them. The symptom is on the client, Win2K with WS_FTP. WS_FTP
responds, "425 Can't build data connection: No route to host." Line
2: "! Retrieve of folder listing failed(0)". Again, this used to work
with ipfwadm and then ipchains. It looks like it is not being
handled.

Thanks - Andrew

On 17 Feb 2003 at 15:49, Dr. Arend Wellmann wrote:

> Hi!
> Your script closed port 21 (ftp) where you meant to close telnet (23 is
> indeed the right port).
> However, I'd recommend you use a dedicated proxy server for http and
> ftp, because your firewall script allows any connection from anywhere to
> your network.
> Hope it helps,
> Arend Wellmann
>
> -----Original message-----
> From: linux-admin-owner@vger.kernel.org
> [mailto:linux-admin-owner@vger.kernel.org] On behalf of Andrew B.
> Cramer
> Sent: Monday, 17 February 2003 14:08
> To: linux-admin
> Subject: IP_TABLES Q
>
> Hi All,
> Please look at this and explain where I make the mistake such that
> none of the masqueraded workstations are able to establish an FTP
> session. Telnet, email, and web browsing work just fine.
>
> TIA - Andrew Cramer
>
> #!/bin/sh
> #
> # rc.firewall-2.4
> FWVER=0.70
> #
> # Thanks to David Ranch's IPMasq HowTo
> # Initial SIMPLE IP Masquerade test for 2.4.x kernels
> # using IPTABLES.
> #
>
> echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
>
> IPTABLES=/usr/sbin/iptables
> DEPMOD=/sbin/depmod
> INSMOD=/sbin/insmod
>
> EXTIP="xxx.yyy.zzz.1"   # your external IP here.
> EXTIF="ppp0"
> INTIF="eth0"
>
> echo "   External Interface: $EXTIF"
> echo "   Internal Interface: $INTIF"
> echo -en "   loading modules: "
> echo "   - Verifying that all kernel modules are ok"
> $DEPMOD -a
>
> echo "-----------------------------------------------------------------------"
> echo -en "ip_tables, "
>
> $INSMOD ip_tables
>
> echo -en "ip_conntrack, "
> $INSMOD ip_conntrack
>
> echo -en "iptable_nat, "
> $INSMOD iptable_nat
>
> echo "-----------------------------------------------------------------------"
>
> echo ". Done loading modules."
>
> echo "   enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
> echo "   clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -F FORWARD
> $IPTABLES -t nat -F
>
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
>
> # Reject telnet sessions from outside (Shouldn't it be 23 ?!?)
> $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21 -j REJECT
>
> # Forward HTTPS requests (change the port number to suit yourself)
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
>     --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
>     -j DNAT --to 192.168.1.1:443
>
> $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
>     -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1
>
> echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
>     ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> $IPTABLES -A FORWARD -j LOG
>
> echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
>
> root@home:/etc/rc.d# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source       destination
> ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:smtp
> ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:pop3
> REJECT     tcp  --  anywhere     anywhere     tcp dpt:ftp reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source       destination
> ACCEPT     tcp  --  anywhere     anywhere     tcp dpt:https state NEW,RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere     anywhere     state RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere     anywhere
> LOG        all  --  anywhere     anywhere     LOG level warning
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source       destination
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
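The thread asks what the 2.4/iptables equivalent of the ipchains ip_masq_ftp module is and where the FTP rules go. The script below is an added example and is not Andrew's rc.firewall or anything posted in the thread. On 2.4 kernels FTP through MASQUERADE needs two helper modules: ip_conntrack_ftp, which watches the control connection on port 21 and marks the data connection as RELATED so a state rule can admit it, and ip_nat_ftp, which rewrites the private address a masqueraded client announces in its PORT command. The interface names default to the ppp0/eth0 used in the posted script; the DRY_RUN and FW_APPLY switches, the function names, and the /proc/modules text passed to ftp_helpers_loaded are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread: load the 2.4 iptables
# FTP helpers and add the rules that let masqueraded clients use FTP.
#
# ip_conntrack_ftp: tracks the FTP control channel and registers the
#                   expected data connection as RELATED.
# ip_nat_ftp:       rewrites the client's private address inside the
#                   PORT command so the server can connect back.
# Without them the data connection is neither NATed nor RELATED, so
# active-mode transfers through the gateway fail.

EXTIF="${EXTIF:-ppp0}"   # same defaults as the posted rc.firewall (assumption)
INTIF="${INTIF:-eth0}"

# DRY_RUN=1 points the commands at echo so the rule set can be reviewed
# without root. FW_APPLY=1 actually runs them at the bottom of the file.
if [ "${DRY_RUN:-0}" = "1" ]; then
    IPTABLES="echo iptables"
    MODPROBE="echo modprobe"
else
    IPTABLES=/usr/sbin/iptables
    MODPROBE=/sbin/modprobe
fi

# ip_nat_ftp depends on ip_conntrack_ftp; modprobe resolves the order,
# insmod (as used in the posted script) would need them in this order.
load_ftp_helpers() {
    $MODPROBE ip_conntrack_ftp
    $MODPROBE ip_nat_ftp
}

# FORWARD rules: the control connection goes out as NEW from the LAN;
# the data connection (server -> client in active mode) comes back in
# as RELATED once the helper has seen the PORT command. POSTROUTING
# masquerades both, with ip_nat_ftp fixing up the address in the
# control stream.
ftp_forward_rules() {
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Check that both helpers are loaded, given the contents of /proc/modules
# as the first argument (passed in so it can be checked against a
# constructed listing). Returns 0 only when both modules are present.
ftp_helpers_loaded() {
    printf '%s\n' "$1" | grep -q '^ip_conntrack_ftp ' &&
    printf '%s\n' "$1" | grep -q '^ip_nat_ftp '
}

if [ "${FW_APPLY:-0}" = "1" ]; then
    load_ftp_helpers
    ftp_forward_rules
    ftp_helpers_loaded "$(cat /proc/modules)" \
        || echo "warning: FTP helper modules are not loaded" >&2
fi
```

Run it with DRY_RUN=1 FW_APPLY=1 to print the modprobe and iptables commands it would issue, then without DRY_RUN as root to apply them; the helper check at the end reads the real /proc/modules and is the quickest way to confirm that the FTP modules, not the rules, were what was missing.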