* IP_TABLES Q
From: Andrew B. Cramer @ 2003-02-17 13:07 UTC
To: linux-admin
Hi All,
Please look at this and explain where I make the mistake, since none
of the workstations Masq'd are able to establish an FTP session.
Telnet, email, and web browsing work just fine.
TIA - Andrew Cramer
<ip_tables commands>
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.70
#
# Thanks to David Ranch's IPMasq HowTo
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
IPTABLES=/usr/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
EXTIP="xxx.yyy.zzz.1" # your external IP here.
EXTIF="ppp0"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"
echo -en "ip_tables, "
$INSMOD ip_tables
echo -en "ip_conntrack, "
$INSMOD ip_conntrack
echo -en "iptable_nat, "
$INSMOD iptable_nat
echo "----------------------------------------------------------------------"
echo ". Done loading modules."
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
# Reject telnet sessions from outside (Shouldn't it be 23 ?!?)
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21 -j REJECT
# Forward HTTPS requests (change the port number to suit yourself)
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \
  --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \
-j DNAT --to 192.168.1.1:443
$IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \
-m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
<ip_tables Listing>
root@home:/etc/rc.d# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source     destination
ACCEPT     tcp  --  anywhere   anywhere     tcp dpt:smtp
ACCEPT     tcp  --  anywhere   anywhere     tcp dpt:pop3
REJECT     tcp  --  anywhere   anywhere     tcp dpt:ftp reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source     destination
ACCEPT     tcp  --  anywhere   anywhere     tcp dpt:https state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  anywhere   anywhere     state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere   anywhere
LOG        all  --  anywhere   anywhere     LOG level warning

Chain OUTPUT (policy ACCEPT)
target     prot opt source     destination
* Re: AW: IP_TABLES Q
From: Andrew B. Cramer @ 2003-02-17 17:33 UTC
To: Dr. Arend Wellmann; +Cc: linux-admin

Hi Arend,
Thanks for responding. I was right in the change from 21 to 23, but
that had no effect for FTP. In the past, I used Linux-2.2.x with
IP_CHAINS. With that I had used the ip_masq_ftp module. That worked.
I guess what I'm looking for is what to use for FTP rules and where
to put them. The symptom is the client, Win2K with WS_FTP. WS_FTP
responds, "425 Can't build data connection: No route to host." and on
line 2, "! Retrieve of folder listing failed(0)". Again, this used to
work with ipfwadm and then ipchains. It looks like it is not being
handled.

Thanks - Andrew

On 17 Feb 2003 at 15:49, Dr. Arend Wellmann wrote:

> Hi!
> Your script closed port 21 (ftp) where you meant to close telnet (23 is
> indeed the right port).
> However, I'd recommend you use a dedicated proxy-server for http and
> ftp because your firewall-script allows any connection from anywhere to
> your network.
> Hope it helps,
> Arend Wellmann
>
> -----Original Message-----
> From: linux-admin-owner@vger.kernel.org
> [mailto:linux-admin-owner@vger.kernel.org] On behalf of Andrew B. Cramer
> Sent: Monday, 17 February 2003 14:08
> To: linux-admin
> Subject: IP_TABLES Q
>
> Hi All,
> Please look at this and explain where I make the mistake, since none
> of the workstations Masq'd are able to establish an FTP session.
> Telnet, email, and web browsing work just fine.
>
> TIA - Andrew Cramer
>
> <ip_tables commands>
> [...]

-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: AW: IP_TABLES Q
From: Andrew B. Cramer @ 2003-02-18 0:31 UTC
To: Bart E. Hawley Sr.; +Cc: linux-admin

Hi Bart,
In the interim, I did add for ports 20 & 21. Same thing. Even Windoz
FTP gives the same message. Here is a segment from my new script.

Thanks - Andrew

<snip>
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Try this for FTP (ABC) - Did not work
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT

# Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23 -j REJECT
</snip>

On 17 Feb 2003 at 17:58, Bart E. Hawley Sr. wrote:

> On Mon, 2003-02-17 at 11:33, Andrew B. Cramer wrote:
> > Hi Arend,
> > Thanks for responding. I was right in the change from 21 to 23, but
> > that had no effect for FTP. In the past, I used Linux-2.2.x with
> > IP_CHAINS. With that I had used the ip_masq_ftp module. That worked.
> > I guess what I'm looking for is what to use for FTP rules and where to
> > put them. The symptom is the client, Win2K with WS_FTP. WS_FTP
> > responds, "425 Can't build data connection: No route to host." line
> > 2, "! Retrieve of folder listing failed(0)". Again this used to work
> > with ipfwadm and then ipchains. It looks like it is not being
> > handled.
>
> From what I see in your error message you need to also open the FTP data
> port - port 20 - to get the information through or try setting the
> client to passive mode.
>
> Bart
* Re: AW: IP_TABLES Q
From: Glynn Clements @ 2003-02-18 1:04 UTC
To: andrew.cramer; +Cc: linux-admin

Andrew B. Cramer wrote:

> In the interim, I did add for ports 20 & 21. same thing. Even Windoz
> FTP gives the same message. Here is a segment from my new script.
>
> Thanks - Andrew
>
> <snip>
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT
>
> # Try this for FTP (ABC) - Did not work
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
> $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
>
> # Reject telnet sessions from outside (Changed from 21 to 23)(ABC)
> $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23 -j REJECT
> </snip>

I believe that you need to use the ip_conntrack_ftp module to track
the ports which are used. Note: I don't know the specifics of how to
use it, but I'm pretty sure that this is the right module.

The traditional mechanism for establishing the data channel is to have
the client create a listening socket on a randomly-numbered port. The
client sends the IP address and port number to the server, which then
makes an inbound (server -> client) connection.

To allow this through the firewall, you have to either:

1. Allow all inbound TCP connections to unprivileged ports (>1024).
While you could filter with "--source-port 20", this doesn't really
buy you anything; hack attempts often use port 20 to get through
firewalls which are [mis]configured in this way.

2. Have some code which monitors the traffic sent over the control
channel, looking for the PORT commands (this is what ip_masq_ftp and
ip_conntrack_ftp do), and enables inbound TCP connections on those
ports.

However, if at all practical, you should forego the traditional
("active") mode of FTP in favour of passive mode. Here, all
connections are outbound (client -> server).

For the standard "ftp" program, use the "passive" command (either
interactively, or via ~/.netrc); GUI FTP clients typically have a
"passive mode" check-box; Web browsers normally use passive mode
automatically.

Nowadays, the main reason for supporting "active" FTP is if you have
no choice, e.g. you are answerable to people who simply demand it.

-- 
Glynn Clements <glynn.clements@virgin.net>
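Glynn's account of the active-mode handshake (client listens, sends PORT, server connects back) is modelled below as an added example, written for this edit and not taken from the thread or from the kernel: a small Python stand-in for ip_conntrack_ftp/ip_nat_ftp that parses PORT commands and 227 replies, rewrites the masqueraded client's private address, and registers the expected data connection, so you can see why active FTP fails without the helper and why passive mode works with the rc.firewall-2.4 FORWARD rules as posted. All addresses, the port numbers and the 150 reply are constructed; the 425 message is the one WS_FTP reported in the thread.

```python
import re

# Constructed sample addresses; the thread masks the real EXTIP as xxx.yyy.zzz.1.
EXT_IP = "203.0.113.1"      # firewall's external (ppp0) address
CLIENT_IP = "192.168.1.10"  # masqueraded Win2K workstation behind eth0
SERVER_IP = "198.51.100.7"  # remote FTP server

PORT_RE = re.compile(r"^PORT (\d+,\d+,\d+,\d+,\d+,\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+,\d+,\d+,\d+,\d+,\d+)\)")


def decode_hostport(spec):
    """FTP 'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    n = [int(x) for x in spec.split(",")]
    if len(n) != 6 or any(not 0 <= v <= 255 for v in n):
        raise ValueError(f"bad host-port spec: {spec!r}")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def encode_hostport(host, port):
    return ",".join(host.split(".") + [str(port >> 8), str(port & 0xFF)])


def is_rfc1918(host):
    """True for 10/8, 172.16/12 and 192.168/16: not routable on the Internet."""
    a, b = (int(x) for x in host.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


class FtpHelper:
    """Stand-in for ip_conntrack_ftp + ip_nat_ftp: it watches the control
    channel and records the one data connection each PORT/227 announces."""

    def __init__(self):
        # (src_ip, dst_ip, dst_port) as seen on ppp0 -> (real_dst_ip, real_port)
        self.expected = {}

    def inspect(self, line, direction):
        """Return the control-channel line as it should leave the firewall."""
        if direction == "out":                      # client -> server
            m = PORT_RE.match(line)
            if m:
                host, port = decode_hostport(m.group(1))
                # The private address in PORT means nothing to the server:
                # advertise EXT_IP and DNAT the matching inbound SYN back.
                self.expected[(SERVER_IP, EXT_IP, port)] = (host, port)
                return f"PORT {encode_hostport(EXT_IP, port)}"
        else:                                       # server -> client
            m = PASV_RE.match(line)
            if m:
                host, port = decode_hostport(m.group(1))
                self.expected[(CLIENT_IP, host, port)] = (host, port)
        return line

    def lookup(self, src, dst, dport):
        return self.expected.pop((src, dst, dport), None)


def inbound_syn(helper, src, dst, dport):
    """A TCP SYN from the Internet arriving on ppp0: without an expectation
    it is NEW and aimed at the firewall itself (INPUT chain, nothing listens);
    with one it is DNATed to the client as RELATED, which the
    EXTIF->INTIF ESTABLISHED,RELATED rule in FORWARD accepts."""
    target = helper.lookup(src, dst, dport) if helper else None
    return ("RELATED", target) if target else ("NEW", None)


def server_connects(helper, host, port):
    """What the server reports when it tries the active-mode data connection."""
    if is_rfc1918(host):
        return "425 Can't build data connection: No route to host"
    _, target = inbound_syn(helper, SERVER_IP, host, port)
    if target == (CLIENT_IP, port):
        return "150 Opening data connection"
    return "425 Can't build data connection: Connection refused"


def simulate_active(helper_loaded):
    """Client sends PORT for a listening socket on port 1025."""
    helper = FtpHelper() if helper_loaded else None
    line = "PORT " + encode_hostport(CLIENT_IP, 1025)
    if helper:
        line = helper.inspect(line, "out")
    host, port = decode_hostport(line[len("PORT "):])
    return server_connects(helper, host, port)


def simulate_passive(helper_loaded):
    """Server answers PASV with its own address; the client connects out."""
    helper = FtpHelper() if helper_loaded else None
    reply = "227 Entering Passive Mode (198,51,100,7,39,16)"   # port 10000
    if helper:
        helper.inspect(reply, "in")
    host, port = decode_hostport(PASV_RE.match(reply).group(1))
    # The client's SYN goes eth0 -> ppp0: the unconditional outbound FORWARD
    # rule accepts it and MASQUERADE rewrites the source, helper or not.
    related = helper.lookup(CLIENT_IP, host, port) if helper else None
    return ("ACCEPT", "RELATED" if related else "NEW")
```

simulate_active(False) reproduces the thread's failure and simulate_active(True) the helper-assisted success; note that the posted script's FORWARD policy is ACCEPT, so the decisive difference is the address carried in the PORT payload, not the FORWARD chain.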
* Re: AW: IP_TABLES Q - Solved
From: Andrew B. Cramer @ 2003-02-18 1:30 UTC
To: Glynn Clements; +Cc: linux-admin

Thanks Glynn & Bart!
I did switch to 'passive' ftp and the workstations behave correctly.
I will still try ip_conntrack_ftp when I get a chance. The bottom line,
it's working.

Kind Regards - Andrew Cramer

On 18 Feb 2003 at 1:04, Glynn Clements wrote:
> [...]
* Re: AW: IP_TABLES Q
From: Andrew B. Cramer @ 2003-02-18 1:18 UTC
To: Bart E. Hawley Sr.; +Cc: linux-admin

Hi Bart,
Still no good. I'll keep trying, and accept any ideas.

- Andrew

<snip>
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Try this for FTP (ABC) - Did not work
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 20 -j ACCEPT
$IPTABLES -A INPUT -p UDP -s 0/0 --destination-port 21 -j ACCEPT
</snip>

On 17 Feb 2003 at 19:07, Bart E. Hawley Sr. wrote:

> On Mon, 2003-02-17 at 18:31, Andrew B. Cramer wrote:
> > Hi Bart,
> > In the interim, I did add for ports 20 & 21. same thing. Even Windoz
> > FTP gives the same message. Here is a segment from my new script.
> > [...]
>
> Hi Andrew,
>
> Sorry I didn't read down to the protocols so I missed that earlier. You
> need to set it for both protocols - TCP and UDP.
> The following is from IANA port assignments.
>
> ftp-data 20/tcp File Transfer [Default Data]
> ftp-data 20/udp File Transfer [Default Data]
> ftp 21/tcp File Transfer [Control]
> ftp 21/udp File Transfer [Control]
>
> Bart