linux-admin.vger.kernel.org archive mirror
* IP_TABLES Q
@ 2003-02-17 13:07 Andrew B. Cramer
       [not found] ` <000001c2d693$d57d2400$230110ac@berlin.kade.de>
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew B. Cramer @ 2003-02-17 13:07 UTC (permalink / raw)
  To: linux-admin


Hi All,
	Please look at this and explain where I make the mistake that none 
of the Masq'd workstations are able to establish an FTP session. 
Telnet, email, and web browsing work just fine. 

TIA - Andrew Cramer

<ip_tables commands>

#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.70
#
# Thanks to David Ranch's IPMasq HowTo
#               Initial SIMPLE IP Masquerade test for 2.4.x kernels
#               using IPTABLES.
#

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIP="xxx.yyy.zzz.1" # your external IP here.
EXTIF="ppp0"
INTIF="eth0"

echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"
echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"
echo -en "ip_tables, "

$INSMOD ip_tables

echo -en "ip_conntrack, "
$INSMOD ip_conntrack

echo -en "iptable_nat, "
$INSMOD iptable_nat

echo "----------------------------------------------------------------------"

echo ".  Done loading modules."

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25  -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Reject telnet sessions from outside (Shouldn't it be 23 ?!?)
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21   -j REJECT

# Forward HTTPS requests  (change the port number to suit yourself)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
   --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
   -j DNAT --to 192.168.1.1:443

$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
    -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

<ip_tables Listing>
root@home:/etc/rc.d# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
REJECT     tcp  --  anywhere             anywhere           tcp dpt:ftp reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination






* Re: AW: IP_TABLES Q
       [not found] ` <000001c2d693$d57d2400$230110ac@berlin.kade.de>
@ 2003-02-17 17:33   ` Andrew B. Cramer
       [not found]     ` <1045526303.18928.3.camel@linux>
  0 siblings, 1 reply; 6+ messages in thread
From: Andrew B. Cramer @ 2003-02-17 17:33 UTC (permalink / raw)
  To: Dr. Arend Wellmann; +Cc: linux-admin


Hi Arend,
	Thanks for responding. I was right in the change from 21 to 23, but 
that had no effect for FTP. In the past, I used Linux-2.2.x with 
IP_CHAINS. With that I had used the ip_masq_ftp module. That worked. 
I guess what I'm looking for is what to use for FTP rules and where to 
put them. The symptom is on the client, Win2K with WS_FTP. WS_FTP 
responds, "425 Can't build data connection: No route to host." and on line 
2, "! Retrieve of folder listing failed(0)". Again, this used to work 
with ipfwadm and then ipchains. It looks like it is not being 
handled.

Thanks - Andrew

On 17 Feb 2003 at 15:49, Dr. Arend Wellmann wrote:

> Hi!
> your script closed port 21 (ftp) where you meant to close telnet (23 is
> indeed the right port).
> However, I'd recommend you use a dedicated proxy-server for http and
> ftp because your firewall-script allows any connection from anywhere to
> your network.
> Hope it helps,
> Arend Wellmann 



-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: AW: IP_TABLES Q
       [not found]     ` <1045526303.18928.3.camel@linux>
@ 2003-02-18  0:31       ` Andrew B. Cramer
  2003-02-18  1:04         ` Glynn Clements
       [not found]         ` <1045530465.18928.9.camel@linux>
  0 siblings, 2 replies; 6+ messages in thread
From: Andrew B. Cramer @ 2003-02-18  0:31 UTC (permalink / raw)
  To: Bart E. Hawley Sr.; +Cc: linux-admin


Hi Bart,
	In the interim, I did add for ports 20 & 21. Same thing. Even Windoz 
FTP gives the same message. Here is a segment from my new script.

Thanks - Andrew

<snip>
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25  -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Try this for FTP (ABC) - Did not work
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT 
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT 

# Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23   -j REJECT
</snip>

On 17 Feb 2003 at 17:58, Bart E. Hawley Sr. wrote:

> On Mon, 2003-02-17 at 11:33, Andrew B. Cramer wrote:
> > 
> > Hi Arend,
> > 	Thanks for responding. I was right in the change from 21 to 23, but 
> > that had no effect for FTP. In the past, I used Linux-2.2.x with 
> > IP_CHAINS. With that I had used the ip_masq_ftp module. That worked. 
> > I guess what I'm looking for is what use for FTP rules and where to 
> > put them. The symptom is the client, Win2K with WS_FTP. The WS_FTP 
> > responds, "425 Can't build data connection: No route to host." line 
> > 2, "! Retrieve of folder listing failed(0)". Again this used to work 
> > with ipfwadm and then ipchains. It looks like it is not being 
> > handled.
> >
> 
>  
> From what I see in your error message you need to also open the FTP data
> port - port 20 - to get the information through or try setting the
> client to passive mode.
> 
> Bart

* Re: AW: IP_TABLES Q
  2003-02-18  0:31       ` Andrew B. Cramer
@ 2003-02-18  1:04         ` Glynn Clements
  2003-02-18  1:30           ` AW: IP_TABLES Q - Solved Andrew B. Cramer
       [not found]         ` <1045530465.18928.9.camel@linux>
  1 sibling, 1 reply; 6+ messages in thread
From: Glynn Clements @ 2003-02-18  1:04 UTC (permalink / raw)
  To: andrew.cramer; +Cc: linux-admin


Andrew B. Cramer wrote:

> 	In the interim, I did add for ports 20 & 21. same thing. Even Windoz 
> FTP gives the same message. Here is a segment from my new script.
> 
> Thanks - Andrew
> 
> <snip>
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25  -j ACCEPT
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> 
> # Try this for FTP (ABC) - Did not work
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT 
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT 
> 
> # Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
> $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23   -j REJECT </snip>

I believe that you need to use the ip_conntrack_ftp module to track
the ports which are used. Note: I don't know the specifics of how to
use it, but I'm pretty sure that this is the right module.

The traditional mechanism for establishing the data channel is to have
the client create a listening socket on a randomly-numbered port. The
client sends the IP address and port number to the server, which then
makes an inbound (server -> client) connection.

To allow this through the firewall, you have to either:

1. Allow all inbound TCP connections to unprivileged ports (>1024). 
While you could filter with "--source-port 20", this doesn't really
buy you anything; hack attempts often use port 20 to get through
firewalls which are [mis]configured in this way.

2. Have some code which monitors the traffic sent over the control
channel, looking for the PORT commands (this is what ip_masq_ftp and
ip_conntrack_ftp do), and enables inbound TCP connections on those
ports.

However, if at all practical, you should forego the traditional
("active") mode of FTP in favour of passive mode. Here, all
connections are outbound (client -> server).

For the standard "ftp" program, use the "passive" command (either
interactively, or via ~/.netrc); GUI FTP clients typically have a
"passive mode" check-box; Web browsers normally use passive mode
automatically.

Nowadays, the main reason for supporting "active" FTP is if you have
no choice, e.g. you are answerable to people who simply demand it.

-- 
Glynn Clements <glynn.clements@virgin.net>
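Added example (editor's illustration, not code from the thread and not the kernel's ip_conntrack_ftp or ip_nat_ftp source): a small Python model of Glynn's option 2, the helper that watches the FTP control channel for PORT commands (and 227 passive replies), records the data connection it implies, and lets a later SYN be classified as RELATED instead of NEW. It also shows the NAT side of the job for a masqueraded client, whose PORT command carries a private address the server cannot route to. All addresses and control-channel lines are constructed for the example; the `loose` flag is my reading of the helper's anti-spoofing behaviour (by default a PORT naming some other host is ignored), and the check is simplified relative to the real module.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Control-channel syntax the helper looks for (RFC 959 h1,h2,h3,h4,p1,p2 form).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Expectation:
    """A data connection the firewall should admit as RELATED to the control
    connection. The source port is deliberately not part of the match: the
    helper does not rely on the server using port 20 (see Glynn's point 1)."""
    src_ip: str
    dst_ip: str
    dst_port: int


def _decode(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP address/port octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def track_control_line(line, client_ip, server_ip, loose=False):
    """Return the Expectation implied by one control-channel line, or None.

    `loose` models the helper's loose setting as I understand it (assumption):
    when False, a PORT (or 227 reply) naming a host other than the peer that
    sent it is ignored, so the control channel cannot open a hole to a third host."""
    m = PORT_RE.match(line)
    if m:                                   # active mode: server -> client
        ip, port = _decode(m.groups())
        if ip != client_ip and not loose:
            return None
        return Expectation(src_ip=server_ip, dst_ip=ip, dst_port=port)
    m = PASV_RE.match(line)
    if m:                                   # passive mode: client -> server
        ip, port = _decode(m.groups())
        if ip != server_ip and not loose:
            return None
        return Expectation(src_ip=client_ip, dst_ip=ip, dst_port=port)
    return None


def is_related(exp: Optional[Expectation], src_ip, dst_ip, dst_port):
    """Would a new SYN with this tuple match the expectation, i.e. hit a
    '-m state --state RELATED' rule rather than count as a NEW connection?"""
    return exp is not None and (src_ip, dst_ip, dst_port) == (
        exp.src_ip, exp.dst_ip, exp.dst_port)


def nat_rewrite_port(line, ext_ip, ext_port):
    """What the NAT side of the helper must do for a masqueraded client: the
    PORT payload carries the client's private address, which the server
    cannot route to; rewrite it to the public address and a mapped port."""
    if not PORT_RE.match(line):
        return line
    return "PORT " + _encode(ext_ip, ext_port) + "\r\n"


def demo():
    # Constructed addresses: a masqueraded LAN client, a public FTP server and
    # the firewall's external address. None of these come from the thread.
    client, server, ext_ip = "192.168.1.50", "198.51.100.10", "203.0.113.1"
    results = {}
    # Active mode: client advertises its own ephemeral port 1025 (4*256+1).
    exp = track_control_line("PORT 192,168,1,50,4,1\r\n", client, server)
    results["active_ok"] = is_related(exp, server, client, 1025)
    results["active_wrong_port"] = is_related(exp, server, client, 1026)
    # A PORT naming a different host is ignored unless loose tracking is on.
    results["spoofed_ignored"] = track_control_line(
        "PORT 10,0,0,9,4,1\r\n", client, server) is None
    # Passive mode: server announces where the client should connect (port 50000).
    pasv = track_control_line(
        "227 Entering Passive Mode (198,51,100,10,195,80).\r\n", client, server)
    results["passive_ok"] = is_related(pasv, client, server, 50000)
    # NAT: the private address in the PORT payload is rewritten on the way out.
    results["nat_line"] = nat_rewrite_port("PORT 192,168,1,50,4,1\r\n",
                                           ext_ip, 40001)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point for the script in this thread: once a helper like this is loaded (on 2.4 that is ip_conntrack_ftp, plus ip_nat_ftp for masqueraded clients), the server-to-client data connection is the RELATED case that the existing `FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT` rule already admits. INPUT rules for ports 20 and 21 cannot help with it: the data connection is forwarded to the workstation rather than delivered to the firewall host, and its destination port is whatever ephemeral port the PORT command named, not 20 or 21. Without the NAT helper the server is handed a 192.168.x.x address, which is consistent with a "can't build data connection" failure; passive mode avoids the whole problem because every connection is then client-to-server, as Glynn says.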


* Re: AW: IP_TABLES Q
       [not found]         ` <1045530465.18928.9.camel@linux>
@ 2003-02-18  1:18           ` Andrew B. Cramer
  0 siblings, 0 replies; 6+ messages in thread
From: Andrew B. Cramer @ 2003-02-18  1:18 UTC (permalink / raw)
  To: Bart E. Hawley Sr.; +Cc: linux-admin


Hi Bart,
	Still no good. I'll keep trying, and accept any ideas.

- Andrew

<snip>
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25  -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Try this for FTP (ABC) - Did not work
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT 
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT 
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 20 -j ACCEPT 
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 21 -j ACCEPT 
</snip>

On 17 Feb 2003 at 19:07, Bart E. Hawley Sr. wrote:

> On Mon, 2003-02-17 at 18:31, Andrew B. Cramer wrote:
> > 
> > Hi Bart,
> > 	In the interim, I did add for ports 20 & 21. same thing. Even Windoz 
> > FTP gives the same message. Here is a segment from my new script.
> > 
> > Thanks - Andrew
> > 
> > <snip>
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25  -j ACCEPT
> > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
> > 
> Hi Andrew,
> 
> Sorry I didn't read down to the protocols so I missed that earlier. You
> need to set it for both protocols - TCP and UDP 
> The following is from IANA port assignments.
> 
> ftp-data         20/tcp    File Transfer [Default Data]
> ftp-data         20/udp    File Transfer [Default Data]
> ftp              21/tcp    File Transfer [Control]
> ftp              21/udp    File Transfer [Control]
> 
> Bart
> 

* Re: AW: IP_TABLES Q - Solved
  2003-02-18  1:04         ` Glynn Clements
@ 2003-02-18  1:30           ` Andrew B. Cramer
  0 siblings, 0 replies; 6+ messages in thread
From: Andrew B. Cramer @ 2003-02-18  1:30 UTC (permalink / raw)
  To: Glynn Clements; +Cc: linux-admin


Thanks Glynn & Bart!
	I did switch to 'passive' ftp and the workstations behave correctly. 
I will still try ip_conntrack_ftp when I get a chance. The bottom 
line: it's working.

Kind Regards - Andrew Cramer

