From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Andrew B. Cramer"
Subject: Re: AW: IP_TABLES Q
Date: Mon, 17 Feb 2003 18:31:38 -0600
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <3E512A8A.29147.DCB3DE7@localhost>
References: <3E50C89C.6415.C4CA454@localhost>
Reply-To: andrew.cramer@cramer-ts.com
Mime-Version: 1.0
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path:
In-reply-to: <1045526303.18928.3.camel@linux>
Content-description: Mail message body
List-Id:
Content-Type: text/plain; charset="iso-8859-1"
To: "Bart E. Hawley Sr."
Cc: linux-admin

Hi Bart,
In the interim, I did add for ports 20 & 21. Same thing. Even Windoz
FTP gives the same message. Here is a segment from my new script.

Thanks - Andrew

$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Try this for FTP (ABC) - Did not work
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT

# Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23 -j REJECT

On 17 Feb 2003 at 17:58, Bart E. Hawley Sr. wrote:

> On Mon, 2003-02-17 at 11:33, Andrew B. Cramer wrote:
> >
> > Hi Arend,
> > Thanks for responding. I was right in the change from 21 to 23, but
> > that had no effect for FTP. In the past, I used Linux-2.2.x with
> > IP_CHAINS. With that I had used the ip_masq_ftp module. That worked.
> > I guess what I'm looking for is what to use for FTP rules and where to
> > put them. The symptom is the client, Win2K with WS_FTP. The WS_FTP
> > responds, "425 Can't build data connection: No route to host." line
> > 2, "! Retrieve of folder listing failed(0)". Again this used to work
> > with ipfwadm and then ipchains. It looks like it is not being
> > handled.
> >
>
> From what I see in your error message you need to also open the FTP data
> port - port 20 - to get the information through or try setting the
> client to passive mode.
>
> Bart
>
> > Thanks - Andrew
> >
> > On 17 Feb 2003 at 15:49, Dr. Arend Wellmann wrote:
> >
> > > Hi!
> > > Your script closed port 21 (ftp) where you meant to close telnet (23 is
> > > indeed the right port).
> > > However, I'd recommend you use a dedicated proxy server for http and
> > > ftp because your firewall script allows any connection from anywhere to
> > > your network.
> > > Hope it helps,
> > > Arend Wellmann
> > >
> > > -----Original Message-----
> > > From: linux-admin-owner@vger.kernel.org
> > > [mailto:linux-admin-owner@vger.kernel.org] On behalf of Andrew B.
> > > Cramer
> > > Sent: Monday, 17 February 2003 14:08
> > > To: linux-admin
> > > Subject: IP_TABLES Q
> > >
> > >
> > > Hi All,
> > > Please look at this and explain where I make the mistake that none
> > > of the workstations Masq'd are able to establish an FTP session.
> > > Telnet, email, and web browsing work just fine.
> > >
> > > TIA - Andrew Cramer
> > >
> > >
> > > #!/bin/sh
> > > #
> > > # rc.firewall-2.4
> > > FWVER=0.70
> > > #
> > > # Thanks to David Ranch's IPMasq HowTo
> > > # Initial SIMPLE IP Masquerade test for 2.4.x kernels
> > > # using IPTABLES.
> > > #
> > >
> > > echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
> > >
> > > IPTABLES=/usr/sbin/iptables
> > > DEPMOD=/sbin/depmod
> > > INSMOD=/sbin/insmod
> > >
> > > EXTIP="xxx.yyy.zzz.1"   # your external IP here.
> > > EXTIF="ppp0"
> > > INTIF="eth0"
> > >
> > > echo "   External Interface:  $EXTIF"
> > > echo "   Internal Interface:  $INTIF"
> > > echo -en "   loading modules: "
> > > echo "  - Verifying that all kernel modules are ok"
> > > $DEPMOD -a
> > >
> > > echo "----------------------------------------------------------------------"
> > > echo -en "ip_tables, "
> > >
> > > $INSMOD ip_tables
> > >
> > > echo -en "ip_conntrack, "
> > > $INSMOD ip_conntrack
> > >
> > > echo -en "iptable_nat, "
> > > $INSMOD iptable_nat
> > >
> > > echo "----------------------------------------------------------------------"
> > >
> > > echo ".  Done loading modules."
> > >
> > > echo "   enabling forwarding.."
> > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > >
> > > echo "   clearing any existing rules and setting default policy.."
> > > $IPTABLES -P INPUT ACCEPT
> > > $IPTABLES -F INPUT
> > > $IPTABLES -P OUTPUT ACCEPT
> > > $IPTABLES -F OUTPUT
> > > $IPTABLES -P FORWARD ACCEPT
> > > $IPTABLES -F FORWARD
> > > $IPTABLES -t nat -F
> > >
> > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> > >
> > > # Reject telnet sessions from outside (Shouldn't it be 23 ?!?)
> > > $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21 -j REJECT
> > >
> > > # Forward HTTPS requests (change the port number to suit yourself)
> > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
> > >     --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > >
> > > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
> > >     -j DNAT --to 192.168.1.1:443
> > >
> > > $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
> > >     -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1
> > >
> > > echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state \
> > >     ESTABLISHED,RELATED -j ACCEPT
> > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > > $IPTABLES -A FORWARD -j LOG
> > >
> > > echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> > >
> > > echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> > >
> > >
> > > root@home:/etc/rc.d# iptables -L
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
> > > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
> > > REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > > ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https state NEW,RELATED,ESTABLISHED
> > > ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> > > ACCEPT     all  --  anywhere             anywhere
> > > LOG        all  --  anywhere             anywhere           LOG level warning
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > >
> >
> >
>
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
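The thread keeps adding INPUT rules for ports 20 and 21, but the masqueraded workstations' traffic never traverses INPUT; it goes through FORWARD and the nat table. What the ipchains-era ip_masq_ftp module did under 2.2 is done on 2.4.x netfilter by two helper modules, ip_conntrack_ftp (watches the PORT/PASV exchange on the control connection so the data connection is classified RELATED) and ip_nat_ftp (rewrites the private address a LAN client sends in its PORT command and NATs the server's port-20 connection back to that client). The script below is an added example, not code from the thread or from David Ranch's HOWTO: it reuses the posted script's variable names (IPTABLES, INSMOD, EXTIF, INTIF), adds the two helper modules, and replaces the blanket "allow everything out" rule with state-matched FORWARD rules so both active and passive transfers are admitted as RELATED without opening port 20 to anywhere. The ftp_rules_as_text dry-run function and the --dry-run/--apply flags are conveniences invented here for inspection; the module names and iptables options are the real 2.4 ones.

```shell
#!/bin/sh
# Added example: FTP through a 2.4.x iptables masquerading gateway.
# Variable names follow the thread's rc.firewall-2.4; set IPTABLES=echo and
# INSMOD=echo to dry-run on a box without root or netfilter.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
INSMOD=${INSMOD:-/sbin/insmod}
EXTIF=${EXTIF:-ppp0}   # external (masqueraded) interface, as in the thread
INTIF=${INTIF:-eth0}   # internal LAN interface, as in the thread

# The 2.4 replacement for ipchains' ip_masq_ftp.  ip_conntrack_ftp tracks the
# control channel so the data channel becomes RELATED; ip_nat_ftp fixes up the
# 192.168.x.x address a LAN client puts in an active-mode PORT command.
# Without ip_nat_ftp the server tries to connect to the private address and
# answers "425 Can't build data connection", whatever the FORWARD rules say.
ftp_load_helpers() {
    # ip_nat_ftp depends on ip_conntrack_ftp, so the order matters.
    $INSMOD ip_conntrack_ftp || return 1
    $INSMOD ip_nat_ftp || return 1
}

ftp_forward_rules() {
    # Control connection: a NEW outbound connection from the LAN to port 21.
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Data connection: active mode arrives from the server's port 20 towards
    # the LAN, passive mode leaves the LAN for a high port on the server.
    # With the helper loaded both are RELATED to the tracked control
    # connection, so one state rule per direction covers both modes and
    # port 20 never has to be opened to "anywhere".
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Quick check on the gateway itself: returns 0 when the conntrack FTP helper
# is loaded (2.4 lists module names at the start of each /proc/modules line).
ftp_helper_loaded() {
    grep -q '^ip_conntrack_ftp' /proc/modules 2>/dev/null
}

# Dry run (invented here for inspection): emit the commands as text instead
# of executing them, without disturbing the caller's variables.
ftp_rules_as_text() {
    ( IPTABLES=echo; INSMOD=echo; ftp_load_helpers; ftp_forward_rules )
}

case "$1" in
    --dry-run) ftp_rules_as_text ;;
    --apply)   ftp_load_helpers && ftp_forward_rules ;;
esac
```

Run it as `sh ftp-helpers.sh --dry-run` to see the exact insmod and iptables commands it would issue; `--apply` needs root and a 2.4 kernel with the netfilter FTP helpers built. After a transfer, `ftp_helper_loaded` plus a look at /proc/net/ip_conntrack (the control connection shows up with the ftp helper attached) confirms the gateway is tracking FTP rather than relying on a wide-open FORWARD policy.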