From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Andrew B. Cramer"
Subject: Re: AW: IP_TABLES Q
Date: Mon, 17 Feb 2003 19:18:33 -0600
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <3E513589.7494.DF63405@localhost>
References: <3E512A8A.29147.DCB3DE7@localhost>
Reply-To: andrew.cramer@cramer-ts.com
Mime-Version: 1.0
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path:
In-reply-to: <1045530465.18928.9.camel@linux>
Content-description: Mail message body
List-Id:
Content-Type: text/plain; charset="utf-8"
To: "Bart E. Hawley Sr."
Cc: linux-admin

Hi Bart,
Still no good. I'll keep trying, and accept any ideas.

- Andrew

$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Try this for FTP (ABC) - Did not work
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 21 -j ACCEPT

On 17 Feb 2003 at 19:07, Bart E. Hawley Sr. wrote:

> On Mon, 2003-02-17 at 18:31, Andrew B. Cramer wrote:
> >
> > Hi Bart,
> > In the interim, I did add for ports 20 & 21. Same thing. Even Windoz
> > FTP gives the same message. Here is a segment from my new script.
> >
> > Thanks - Andrew
> >
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> >
> Hi Andrew,
>
> Sorry I didn't read down to the protocols so I missed that earlier. You
> need to set it for both protocols - TCP and UDP.
> The following is from IANA port assignments.
>
> ftp-data 20/tcp File Transfer [Default Data]
> ftp-data 20/udp File Transfer [Default Data]
> ftp 21/tcp File Transfer [Control]
> ftp 21/udp File Transfer [Control]
>
> Bart
>
> > # Try this for FTP (ABC) - Did not work
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
> >
> > # Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
> > $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23 -j REJECT
> >
> > On 17 Feb 2003 at 17:58, Bart E. Hawley Sr. wrote:
> >
> > > On Mon, 2003-02-17 at 11:33, Andrew B. Cramer wrote:
> > > >
> > > > Hi Arend,
> > > > Thanks for responding. I was right in the change from 21 to 23, but
> > > > that had no effect for FTP. In the past, I used Linux-2.2.x with
> > > > IP_CHAINS. With that I had used the ip_masq_ftp module. That worked.
> > > > I guess what I'm looking for is what to use for FTP rules and where to
> > > > put them. The symptom is on the client, Win2K with WS_FTP. The WS_FTP
> > > > responds, "425 Can't build data connection: No route to host." line
> > > > 2, "! Retrieve of folder listing failed(0)". Again, this used to work
> > > > with ipfwadm and then ipchains. It looks like it is not being
> > > > handled.
> > >
> > > From what I see in your error message you need to also open the FTP data
> > > port - port 20 - to get the information through, or try setting the
> > > client to passive mode.
> > >
> > > Bart
> > > >
> > > > Thanks - Andrew
> > > >
> > > > On 17 Feb 2003 at 15:49, Dr. Arend Wellmann wrote:
> > > >
> > > > > Hi!
> > > > > Your script closed port 21 (ftp) where you meant to close telnet (23 is
> > > > > indeed the right port).
> > > > > However, I'd recommend you use a dedicated proxy server for http and
> > > > > ftp, because your firewall script allows any connection from anywhere to
> > > > > your network.
> > > > > Hope it helps,
> > > > > Arend Wellmann
> > > > >
> > > > > -----Original Message-----
> > > > > From: linux-admin-owner@vger.kernel.org
> > > > > [mailto:linux-admin-owner@vger.kernel.org] On behalf of Andrew B.
> > > > > Cramer
> > > > > Sent: Monday, 17 February 2003 14:08
> > > > > To: linux-admin
> > > > > Subject: IP_TABLES Q
> > > > >
> > > > > Hi All,
> > > > > Please look at this and explain where I make the mistake that none
> > > > > of the workstations Masq'd are able to establish an FTP session.
> > > > > Telnet, email, and web browsing work just fine.
> > > > >
> > > > > TIA - Andrew Cramer
> > > > >
> > > > > #!/bin/sh
> > > > > #
> > > > > # rc.firewall-2.4
> > > > > FWVER=0.70
> > > > > #
> > > > > # Thanks to David Ranch's IPMasq HowTo
> > > > > # Initial SIMPLE IP Masquerade test for 2.4.x kernels
> > > > > # using IPTABLES.
> > > > > #
> > > > >
> > > > > echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
> > > > >
> > > > > IPTABLES=/usr/sbin/iptables
> > > > > DEPMOD=/sbin/depmod
> > > > > INSMOD=/sbin/insmod
> > > > >
> > > > > EXTIP="xxx.yyy.zzz.1"   # your external IP here.
> > > > > EXTIF="ppp0"
> > > > > INTIF="eth0"
> > > > >
> > > > > echo "   External Interface: $EXTIF"
> > > > > echo "   Internal Interface: $INTIF"
> > > > > echo -en "   loading modules: "
> > > > > echo "   - Verifying that all kernel modules are ok"
> > > > > $DEPMOD -a
> > > > >
> > > > > echo "----------------------------------------------------------------------"
> > > > > echo -en "ip_tables, "
> > > > >
> > > > > $INSMOD ip_tables
> > > > >
> > > > > echo -en "ip_conntrack, "
> > > > > $INSMOD ip_conntrack
> > > > >
> > > > > echo -en "iptable_nat, "
> > > > > $INSMOD iptable_nat
> > > > >
> > > > > echo "----------------------------------------------------------------------"
> > > > >
> > > > > echo ". Done loading modules."
> > > > >
> > > > > echo "   enabling forwarding.."
> > > > > echo "1" > /proc/sys/net/ipv4/ip_forward
> > > > >
> > > > > echo "   clearing any existing rules and setting default policy.."
> > > > > $IPTABLES -P INPUT ACCEPT
> > > > > $IPTABLES -F INPUT
> > > > > $IPTABLES -P OUTPUT ACCEPT
> > > > > $IPTABLES -F OUTPUT
> > > > > $IPTABLES -P FORWARD ACCEPT
> > > > > $IPTABLES -F FORWARD
> > > > > $IPTABLES -t nat -F
> > > > >
> > > > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> > > > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> > > > >
> > > > > # Reject telnet sessions from outside (Shouldn't it be 23 ?!?)
> > > > > $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21 -j REJECT
> > > > >
> > > > > # Forward HTTPS requests (change the port number to suit yourself)
> > > > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
> > > > >     --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > > > >
> > > > > $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
> > > > >     -j DNAT --to 192.168.1.1:443
> > > > >
> > > > > $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
> > > > >     -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1
> > > > >
> > > > > echo "   FWD: Allow all connections OUT and only existing and related ones IN"
> > > > > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > > > > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > > > > $IPTABLES -A FORWARD -j LOG
> > > > >
> > > > > echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > > > > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> > > > >
> > > > > echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
> > > > >
> > > > > root@home:/etc/rc.d# iptables -L
> > > > > Chain INPUT (policy ACCEPT)
> > > > > target     prot opt source               destination
> > > > > ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
> > > > > ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
> > > > > REJECT     tcp  --  anywhere             anywhere            tcp dpt:ftp reject-with icmp-port-unreachable
> > > > >
> > > > > Chain FORWARD (policy ACCEPT)
> > > > > target     prot opt source               destination
> > > > > ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https state NEW,RELATED,ESTABLISHED
> > > > > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > > > > ACCEPT     all  --  anywhere             anywhere
> > > > > LOG        all  --  anywhere             anywhere            LOG level warning
> > > > >
> > > > > Chain OUTPUT (policy ACCEPT)
> > > > > target     prot opt source               destination
> > > > >
> > > >
> > >
> >
>

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
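Added example for this thread, not a script posted by any of the participants. The thread's symptom ("425 Can't build data connection: No route to host") is what an FTP server reports when it tries to connect back to the private address a masqueraded client announced in its PORT command. Under ipchains the ip_masq_ftp module rewrote that address; on a 2.4.x iptables box the same job is done by the ip_conntrack_ftp and ip_nat_ftp helpers, and adding INPUT rules for ports 20 and 21 on the firewall itself does not substitute for them, because the client traffic is forwarded, not delivered locally. The script below loads the helpers, installs forwarding rules that rely on the RELATED state instead of naming port 20, and checks /proc/modules for the helpers. Module and interface names follow the thread's script; the functions, the DRY_RUN switch and the modprobe path are assumptions, and DRY_RUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths/interfaces match the
# poster's rc.firewall-2.4; DRY_RUN=1 prints commands instead of running them.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
EXTIF=${EXTIF:-ppp0}
INTIF=${INTIF:-eth0}
DRY_RUN=${DRY_RUN:-1}

# run: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load the two FTP helpers (ip_conntrack and iptable_nat must already be in).
# ip_conntrack_ftp follows the port-21 control channel so the data connection
# it announces is classified RELATED; ip_nat_ftp rewrites the address and port
# inside PORT commands and PASV replies for masqueraded clients.
load_ftp_helpers() {
    run "$MODPROBE" ip_conntrack_ftp
    run "$MODPROBE" ip_nat_ftp
}

# Forwarding rules for masqueraded FTP clients. Port 20 is never named: once
# the helper is loaded, active-mode (server connects back) and passive-mode
# (client connects to a high port) data connections both match RELATED.
ftp_forward_rules() {
    # LAN clients may open the control connection outward
    run "$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # replies and helper-announced data connections, in either direction
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # masquerade everything leaving on the external interface
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# Verify the helpers are loaded. Reads /proc/modules, or a file given as $1
# so the check can run against a saved copy. Prints each missing helper and
# returns non-zero if any is absent.
check_ftp_helpers() {
    modules_file=${1:-/proc/modules}
    missing=0
    for m in ip_conntrack_ftp ip_nat_ftp; do
        # /proc/modules lines start with "<name> <size> ..."
        if ! grep -q "^$m " "$modules_file" 2>/dev/null; then
            echo "missing helper: $m"
            missing=1
        fi
    done
    return $missing
}

load_ftp_helpers
ftp_forward_rules
```

Run it with DRY_RUN=1 first to review the generated commands, then `DRY_RUN=0 sh rc.ftp-helpers.sh` on the firewall; `check_ftp_helpers` afterwards confirms both helpers show up in /proc/modules before any client is tested.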