* PASV rules opening up my high-ports - Whoops - sent the first one in HTML
From: jherschel @ 2003-05-26 20:00 UTC (permalink / raw)
To: netfilter
Howdy,
Thanks in advance for reading this. If this is a common issue, I apologize –
but could you point me to a searchable archive so I don’t bug this list with
previously asked questions?
Anyways – here goes …
I’ve got rules for FTP inbound/outbound for both PORT and PASV connections.
I’m also running MySQL, which defaults to port 3306.
If FTP PASV rules are enabled, either as a server or client, it seems all my
high ports are open to be connected to. I’ve tried enforcing state, but I
end up either breaking the rule so that FTP doesn’t work, or I end up
opening the high-ports again.
Is there a way to fix this by developing a better rule? Or should I limit my
PASV ports to a range that does not overlap with other services?
Here are the related rules … (the PASV rules are commented out)
#
# General rules
#
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#################################################################
# Kernel configuration section and cleansing of the filter, nat,#
# and mangle tables #
#################################################################
echo -n $"clearing old rules from tables:"
$IPTABLES -F && \
$IPTABLES -t filter -F INPUT && \
$IPTABLES -t filter -F FORWARD && \
# commands to zero chain counters - needed on restart
$IPTABLES -X
$IPTABLES -t filter -Z && \
success $"clearing old rules from tables" || \
failure $"clearing old rules from tables"
echo
# set all filtering to DROP as default
echo -n $"setting default rules to DROP: "
# used to be IPTABLES -t filter -P ...
$IPTABLES -P INPUT DROP && \
$IPTABLES -P FORWARD DROP && \
$IPTABLES -P OUTPUT DROP && \
success $"setting default rules to DROP" || \
failure $"setting default rules to DROP"
echo
#
# FTP RULES
#
if [[ $FTP_client == 1 ]] ; then
echo -n $"adding FTP client rules: "
# Outgoing Request
$IPTABLES -A INPUT -i $IFACE -p tcp \
-s any/0 --sport 21 \
-d $LOCAL_IP --dport 1024: \
-m state --state ESTABLISHED \
-j ACCEPT &&\
$IPTABLES -A OUTPUT -o $IFACE -p tcp \
-s $LOCAL_IP --sport 1024: \
-d any/0 --dport 21 \
-m state --state NEW,ESTABLISHED \
-j ACCEPT &&\
# PORT FTP Connections
$IPTABLES -A INPUT -i $IFACE -p tcp \
-s any/0 --sport 20 \
-d $LOCAL_IP --dport 1024: \
-m state --state ESTABLISHED,RELATED \
-j ACCEPT &&\
$IPTABLES -A OUTPUT -o $IFACE -p tcp \
-s $LOCAL_IP --sport 1024: \
-d any/0 --dport 20 \
-m state --state ESTABLISHED \
-j ACCEPT &&\
# PASV FTP Connections
# $IPTABLES -A INPUT -i $IFACE -p tcp \
# -s any/0 --sport 1024: \
# -d $LOCAL_IP --dport 1024: \
# -m state --state ESTABLISHED \
# -j ACCEPT &&\
# $IPTABLES -A OUTPUT -o $IFACE -p tcp \
# -s $LOCAL_IP --sport 1024: \
# -d any/0 --dport 1024: \
# -m state --state ESTABLISHED,RELATED \
# -j ACCEPT &&\
success $"adding FTP client rules" || \
failure $"adding FTP client rules"
echo
fi
Thanks again,
James
* accept local processes ...
From: Volker Augustin @ 2003-05-26 21:33 UTC (permalink / raw)
To: netfilter
Hello everybody, one question: why does
a rule like:
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
give this result?
ACCEPT all -- anywhere anywhere
I'm very confused... I want all local processes to have access to all
services; this is OK I think and needed for database access to localhost etc.
and to all virtual network devices... (I think so).
Can anybody explain this behaviour to me? I read a lot about iptables, tried
around for weeks, everything was fine but this.
Thanks in advance
Volker
* RE: PASV rules opening up my high-ports - Whoops - sent the first one in HTML
From: Michael K @ 2003-05-26 22:52 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of jherschel
> Sent: Monday, May 26, 2003 10:01 PM
> To: netfilter@lists.netfilter.org
> Subject: PASV rules opening up my high-ports - Whoops - sent
> the first one in HTML
>
>
> Howdy,
>
> Thanks in advance for reading this, if this is a common
> issue, I apologize - but could you point me to a searchable
> archive so I don't bug this list with previously asked questions?
>
> Anyways - here goes ...
>
> I've got rules for FTP inbound/outbound for both PORT and
> PASV connections. I'm also running MySQL, which defaults to port 3306.
>
> If FTP PASV rules are enabled, either as a server or client,
> it seems all my high ports are open to be connected to. I've
> tried enforcing state, but I end up either breaking the rule
> so that FTP doesn't work, or I end up opening the high-ports again.
>
> Is there a way to fix this by developing a better rule? Or
> should I limit my PASV ports to a range that does not overlap
> with other services?
>
Something like this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Passive and active ftp
modprobe ip_conntrack_ftp
#FW to FTP servers
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
#FTP Clients to FW
#iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/Klintan
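To show why the conntrack-helper approach in this reply closes the high-port hole James describes, here is an added Python model (not code from either poster) of an INPUT chain with policy DROP that accepts only ESTABLISHED,RELATED: it parses the server's 227 PASV reply the way ip_conntrack_ftp does and expects exactly one data port, so a connection to MySQL's 3306 is still dropped, whereas a blanket `--dport 1024:` rule would accept it. The addresses, ports and the 227 reply are constructed.

```python
import re

# Constructed sample: the FTP server on the firewall host answers a client's PASV
# with a 227 reply naming the single data port it will listen on (port 195*256+89).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,89)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """Parse a 227 reply into (ip, port); this is what ip_conntrack_ftp extracts."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2

def blanket_high_port_rule(dst_port):
    """The rule James is worried about: -p tcp --dport 1024: -j ACCEPT with no helper.
    It must admit NEW connections for passive data to work, so every high port
    is reachable from outside, MySQL's 3306 included."""
    return "ACCEPT" if dst_port >= 1024 else "DROP"

class StatefulFilter:
    """Toy INPUT chain: policy DROP plus -m state --state ESTABLISHED,RELATED -j ACCEPT."""
    def __init__(self):
        self.expectations = set()  # (dst_ip, dst_port) the FTP helper expects next
        self.established = set()   # data connections already seen

    def see_control_reply(self, reply):
        """The helper watches the control channel: one 227 reply registers one expectation."""
        ep = pasv_endpoint(reply)
        if ep:
            self.expectations.add(ep)

    def classify(self, dst_ip, dst_port):
        key = (dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.discard(key)  # an expectation is consumed once
            self.established.add(key)
            return "RELATED"
        if key in self.established:
            return "ESTABLISHED"
        return "NEW"  # nothing accepts NEW on INPUT, so the DROP policy applies

    def decide(self, dst_ip, dst_port):
        return "ACCEPT" if self.classify(dst_ip, dst_port) in ("ESTABLISHED", "RELATED") else "DROP"

if __name__ == "__main__":
    fw = StatefulFilter()
    fw.see_control_reply(PASV_REPLY)
    for port in (50009, 3306):
        print(port, "blanket:", blanket_high_port_rule(port), "conntrack:", fw.decide("192.0.2.10", port))
```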
* Re: accept local processes ...
From: Ray Leach @ 2003-05-27 15:32 UTC (permalink / raw)
To: Netfilter Mailing List
On Mon, 2003-05-26 at 23:33, Volker Augustin wrote:
> hello everybody, one question, why does
> a rule like:
> iptables -A INPUT -s 127.0.0.1 -j ACCEPT
> give this result?
> ACCEPT all -- anywhere anywhere
>
What did you type to get this result?
iptables -nL INPUT
> im very confused....i want all local proccesses to have access to all
> services, this is ok i think and needed for database access to localhost etc
> and to all virtual network devices...(i think so)
> can anybody explain me this behaviour? i read a lot about iptables, try
> around for weeks, everything was fine but this.
>
> thanks in advance
> volker