Linux Netfilter discussions
From: jose nuno neto <jose.neto@liber4e.com>
To: markee@bandwidthco.com
Cc: netfilter@lists.netfilter.org
Subject: RE: FTP SERVER ACCESS
Date: Sun, 26 Oct 2003 13:07:36 +0000	[thread overview]
Message-ID: <1067173655.3024.2.camel@janis> (raw)
In-Reply-To: <LFEHKEBEBHAFGJBMNKAOGEIPCDAA.markee@bandwidthco.com>

Hi,

This is the output of lsmod:

ipt_mark                1216   1  (autoclean)
ipt_MARK                1632  13  (autoclean)
ipt_TOS                 1856   6  (autoclean)
iptable_mangle          3040   1
ipt_multiport           1440   7
ip_conntrack_ftp        5088   0  (unused)
ip_conntrack_irc        4256   0  (unused)
ipt_REJECT              4000   2
ipt_LOG                 4384  10
ipt_limit               1728   2
ipt_state               1344  20
ip_conntrack           26100   3  [ip_conntrack_ftp ip_conntrack_irc
ipt_state]
ipt_unclean             7872   2
iptable_filter          2528   1
ip_tables              13760  11  [ipt_mark ipt_MARK ipt_TOS
iptable_mangle ipt_multiport ipt_REJECT ipt_LOG ipt_limit ipt_state
ipt_unclean iptable_filter]


It shows "unused" for ip_conntrack_ftp. Is this good?


On Sat, 2003-10-25 at 21:59, Mark E. Donaldson wrote:
> FTP is one of the most difficult protocols to get through a firewall.  To
> begin with, are you using the netfilter ftp connection tracking module?
> $MODPROBE ip_conntrack_ftp
> 
> Start with this.  If you need more help let me know.
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Jose Nuno Neto
> Sent: Friday, October 24, 2003 7:15 AM
> To: netfilter@lists.netfilter.org
> Subject: FTP SERVER ACCESS
> 
> 
> Hi,
> 
> I have a firewall script from
> http://www.rfxnetworks.com/apf.php
> 
> I've followed the instructions and have access to everything I want except for
> the FTP server.
> Can anyone point out what ports/actions I must do?
> 
> thanks
> 
> -------------------------------------------
> 
> iptables -L
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> IN_UNCLEAN  all  --  anywhere             anywhere           unclean
> ACCEPT     all  --  anywhere             anywhere
> TELNET_LOG  tcp  --  anywhere             anywhere           tcp dpt:telnet
> state NEW
> SSH_LOG    tcp  --  anywhere             anywhere           tcp dpt:ssh
> state NEW
> DROP       all  --  1.0.0.0/8            anywhere
> DROP       all  --  2.0.0.0/8            anywhere
> DROP       all  --  5.0.0.0/8            anywhere
> DROP       all  --  7.0.0.0/8            anywhere
> DROP       all  --  23.0.0.0/8           anywhere
> DROP       all  --  27.0.0.0/8           anywhere
> DROP       all  --  31.0.0.0/8           anywhere
> DROP       all  --  36.0.0.0/8           anywhere
> DROP       all  --  37.0.0.0/8           anywhere
> DROP       all  --  39.0.0.0/8           anywhere
> DROP       all  --  41.0.0.0/8           anywhere
> DROP       all  --  42.0.0.0/8           anywhere
> DROP       all  --  58.0.0.0/8           anywhere
> DROP       all  --  59.0.0.0/8           anywhere
> DROP       all  --  60.0.0.0/8           anywhere
> DROP       all  --  70.0.0.0/8           anywhere
> DROP       all  --  71.0.0.0/8           anywhere
> DROP       all  --  72.0.0.0/8           anywhere
> DROP       all  --  73.0.0.0/8           anywhere
> DROP       all  --  74.0.0.0/8           anywhere
> DROP       all  --  75.0.0.0/8           anywhere
> DROP       all  --  76.0.0.0/8           anywhere
> DROP       all  --  77.0.0.0/8           anywhere
> DROP       all  --  78.0.0.0/8           anywhere
> DROP       all  --  78.0.0.0/8           anywhere
> DROP       all  --  79.0.0.0/8           anywhere
> DROP       all  --  83.0.0.0/8           anywhere
> DROP       all  --  84.0.0.0/8           anywhere
> DROP       all  --  85.0.0.0/8           anywhere
> DROP       all  --  86.0.0.0/8           anywhere
> DROP       all  --  87.0.0.0/8           anywhere
> DROP       all  --  88.0.0.0/8           anywhere
> DROP       all  --  89.0.0.0/8           anywhere
> DROP       all  --  90.0.0.0/8           anywhere
> DROP       all  --  91.0.0.0/8           anywhere
> DROP       all  --  92.0.0.0/8           anywhere
> DROP       all  --  93.0.0.0/8           anywhere
> DROP       all  --  94.0.0.0/8           anywhere
> DROP       all  --  95.0.0.0/8           anywhere
> DROP       all  --  96.0.0.0/8           anywhere
> DROP       all  --  97.0.0.0/8           anywhere
> DROP       all  --  98.0.0.0/8           anywhere
> DROP       all  --  99.0.0.0/8           anywhere
> DROP       all  --  100.0.0.0/8          anywhere
> DROP       all  --  101.0.0.0/8          anywhere
> DROP       all  --  102.0.0.0/8          anywhere
> DROP       all  --  103.0.0.0/8          anywhere
> DROP       all  --  104.0.0.0/8          anywhere
> DROP       all  --  105.0.0.0/8          anywhere
> DROP       all  --  106.0.0.0/8          anywhere
> DROP       all  --  107.0.0.0/8          anywhere
> DROP       all  --  108.0.0.0/8          anywhere
> DROP       all  --  109.0.0.0/8          anywhere
> DROP       all  --  110.0.0.0/8          anywhere
> DROP       all  --  111.0.0.0/8          anywhere
> DROP       all  --  112.0.0.0/8          anywhere
> DROP       all  --  113.0.0.0/8          anywhere
> DROP       all  --  114.0.0.0/8          anywhere
> DROP       all  --  115.0.0.0/8          anywhere
> DROP       all  --  116.0.0.0/8          anywhere
> DROP       all  --  117.0.0.0/8          anywhere
> DROP       all  --  118.0.0.0/8          anywhere
> DROP       all  --  119.0.0.0/8          anywhere
> DROP       all  --  120.0.0.0/8          anywhere
> DROP       all  --  121.0.0.0/8          anywhere
> DROP       all  --  122.0.0.0/8          anywhere
> DROP       all  --  123.0.0.0/8          anywhere
> DROP       all  --  124.0.0.0/8          anywhere
> DROP       all  --  124.0.0.0/8          anywhere
> DROP       all  --  125.0.0.0/8          anywhere
> DROP       all  --  126.0.0.0/8          anywhere
> DROP       all  --  128.66.0.0/16        anywhere
> DROP       all  --  172.16.0.0/12        anywhere
> DROP       all  --  197.0.0.0/8          anywhere
> DROP       all  --  221.0.0.0/8          anywhere
> DROP       all  --  222.0.0.0/8          anywhere
> DROP       all  --  223.0.0.0/8          anywhere
> DROP       all  --  240.0.0.0/4          anywhere
> DROP       tcp  --  anywhere             anywhere           multiport dports
> smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,274
> 44,31335
> DROP       udp  --  anywhere             anywhere           multiport dports
> smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,274
> 44,31335
> DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
> DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
> LD         all  --  255.255.255.255      anywhere
> LD         all  --  anywhere             0.0.0.0
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN/FIN,SYN
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:SYN,RST/SYN,RST
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,RST/FIN,RST
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,ACK/FIN
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:PSH,ACK/PSH
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:ACK,URG/URG
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/FIN
> DROP       all  --  anywhere             anywhere           state INVALID
> DROP       tcp  --  anywhere             anywhere           tcp option=64
> DROP       tcp  --  anywhere             anywhere           tcp option=128
> FUDP       udp  -f  anywhere             anywhere
> PZ         udp  --  anywhere             anywhere           udp dpt:0
> PZ         tcp  --  anywhere             anywhere           tcp dpt:0
> REJECT     tcp  --  anywhere             anywhere           tcp dpt:auth
> reject-with icmp-port-unreachable
> REJECT     udp  --  anywhere             anywhere           udp dpt:auth
> reject-with icmp-port-unreachable
> DROP       udp  --  anywhere             anywhere           multiport dports
> netbios-ns,netbios-dgm
> DROP       udp  --  anywhere             255.255.255.255
> ACCEPT     udp  --  anywhere             anywhere           udp spt:domain
> dpts:1023:65535
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere           udp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
> dpts:login:65535 state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
> state ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere           multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere           multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx    tcp
> dpt:ftp-data
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp
> dpt:domain
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:http
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:https
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:pop3
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:imap
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:19638
> ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
> dpt:ftp-data
> ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
> dpt:domain
> ACCEPT     icmp --  anywhere             anywhere           icmp
> destination-unreachable
> ACCEPT     icmp --  anywhere             anywhere           icmp redirect
> ACCEPT     icmp --  anywhere             anywhere           icmp
> time-exceeded
> ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
> ACCEPT     icmp --  anywhere             anywhere           icmp type 30
> ACCEPT     icmp --  anywhere             anywhere           icmp
> echo-request
> DROP       icmp --  anywhere             anywhere
> ACCEPT     udp  --  anywhere             anywhere           udp
> dpts:traceroute:33523
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp
> dpt:ftp-data
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ftp
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp
> dpt:domain
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:http
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:https
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:pop3
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:imap
> ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:19638
> ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
> dpt:ftp-data
> ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
> dpt:domain
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:!SYN,RST,ACK/SYN state NEW
> UDP_POL    udp  --  anywhere             anywhere
> TCP_POL    tcp  --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> OUT_UNCLEAN  all  --  anywhere             anywhere           unclean
> ACCEPT     all  --  anywhere             anywhere
> DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
> DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
> LD         all  --  255.255.255.255      anywhere
> LD         all  --  anywhere             0.0.0.0
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN,RST,PSH,ACK,URG/NONE
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,SYN/FIN,SYN
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:SYN,RST/SYN,RST
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,RST/FIN,RST
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:FIN,ACK/FIN
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:PSH,ACK/PSH
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:ACK,URG/URG
> FUDP       udp  -f  anywhere             anywhere
> PZ         udp  --  anywhere             anywhere           udp dpt:0
> PZ         tcp  --  anywhere             anywhere           tcp dpt:0
> ACCEPT     udp  --  anywhere             anywhere           udp
> spts:1023:65535 dpt:domain
> ACCEPT     tcp  --  anywhere             anywhere           tcp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere           udp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ftp
> dpts:1023:65535 state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere           multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT     udp  --  anywhere             anywhere           multiport dports
> ftp,ftp-data state RELATED,ESTABLISHED
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
> dpt:ftp-data
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:ftp
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:smtp
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:http
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:https
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
> dpts:1000:40000
> ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
> dpt:ftp-data
> ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp dpt:ftp
> ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
> dpt:domain
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
> dpt:ftp-data
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:ftp
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:smtp
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:http
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:https
> ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
> dpts:1000:40000
> ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
> dpt:ftp-data
> ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp dpt:ftp
> ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
> dpt:domain
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:!SYN,RST,ACK/SYN state NEW
> DROP       tcp  --  anywhere             anywhere           tcp
> flags:!SYN,RST,ACK/SYN state NEW
> ACCEPT     icmp --  anywhere             anywhere
> DROP       all  --  anywhere             anywhere
> 
> Chain FUDP (2 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level
> warning prefix `** UDP Frag **'
> DROP       all  --  anywhere             anywhere
> 
> Chain IN_UNCLEAN (1 references)
> target     prot opt source               destination
> UNCLEAN    all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere           LOG level
> warning prefix `** UNCLEAN ** '
> 
> Chain LA (0 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level
> warning
> ACCEPT     all  --  anywhere             anywhere
> 
> Chain LD (4 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level
> warning
> DROP       all  --  anywhere             anywhere
> 
> Chain OUT_UNCLEAN (1 references)
> target     prot opt source               destination
> UNCLEAN    all  --  anywhere             anywhere
> LOG        all  --  anywhere             anywhere           LOG level
> warning prefix `** UNCLEAN ** '
> 
> Chain PZ (4 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level
> warning prefix `** Port Zero **'
> DROP       all  --  anywhere             anywhere
> 
> Chain SANITY (0 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere
> 
> Chain SSH_LOG (1 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level
> warning prefix `** SSH ** '
> 
> Chain STATE (0 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere           state
> RELATED,ESTABLISHED
> ACCEPT     all  --  anywhere             anywhere           state NEW
> DROP       all  --  anywhere             anywhere
> 
> Chain TCP_POL (1 references)
> target     prot opt source               destination
> LOG        tcp  --  anywhere             anywhere           limit: avg 1/sec
> burst 5 LOG level warning prefix `** TCP DROP ** '
> DROP       all  --  anywhere             anywhere
> 
> Chain TELNET_LOG (1 references)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level
> warning prefix `** TELNET ** '
> 
> Chain UDP_POL (1 references)
> target     prot opt source               destination
> LOG        udp  --  anywhere             anywhere           limit: avg 1/sec
> burst 5 LOG level warning prefix `** UDP DROP ** '
> DROP       all  --  anywhere             anywhere
> 
> Chain UNCLEAN (2 references)
> target     prot opt source               destination
> DROP       all  --  anywhere             anywhere
> 
> 
> 




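The question in this message is whether "(unused)" next to ip_conntrack_ftp means the helper is not working. In lsmod the third column is the module use count, so 0 only says nothing currently references the module; it is not a load failure. What actually decides whether FTP gets through is that the helper is loaded at all and that the filter rules accept the connections it marks: port 21 for control, and state RELATED for the data connection. The following script is an added example, not code from the thread or from the APF script it mentions; it runs the checks over constructed samples modelled on the lsmod and iptables -L output quoted above (xxx.SERVER.IP.xxx is kept as the same placeholder), using only awk and grep, so nothing needs root or a live kernel.

```shell
#!/bin/sh
# Added example (not code from the thread or from the APF script): a read-only
# check of what the FTP conntrack helper needs in order to work under netfilter.
# Both inputs below are constructed samples modelled on the lsmod / iptables -L
# output quoted in the thread; the xxx.SERVER.IP.xxx placeholder is kept as-is.

# Constructed `lsmod` sample in the 2.4-era format (name, size, use count, users).
LSMOD_SAMPLE='ip_conntrack_ftp        5088   0  (unused)
ip_conntrack           26100   3  [ip_conntrack_ftp ipt_state]
ipt_state               1344  20
iptable_filter          2528   1'

# Constructed `lsmod` sample with the helper missing, for the failure case.
LSMOD_NO_HELPER='ip_conntrack           26100   1  [ipt_state]
ipt_state               1344  20
iptable_filter          2528   1'

# Constructed `iptables -L INPUT` sample (one rule per line, unlike the
# mail-wrapped listing in the thread).
RULES_SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx  tcp dpt:ftp
DROP       all  --  anywhere             anywhere'

# module_loaded LSMOD_TEXT NAME: succeeds if NAME is listed in the lsmod text.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# module_use_count LSMOD_TEXT NAME: prints the use-count column for NAME.
# A count of 0 ("unused") means nothing currently references the module;
# it is not a sign that the module failed to load.
module_use_count() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { print $3 }'
}

# related_accept_present RULES_TEXT: succeeds if some ACCEPT rule for tcp
# matches state RELATED, which is how helper-expected data connections
# (passive-mode high ports) get through the filter.
related_accept_present() {
    printf '%s\n' "$1" | grep -E '^ACCEPT +tcp .*RELATED' >/dev/null
}

# ftp_control_accept_present RULES_TEXT: succeeds if tcp dpt:ftp (port 21,
# the control connection) is accepted.
ftp_control_accept_present() {
    printf '%s\n' "$1" | grep -E '^ACCEPT +tcp .*dpt:ftp( |$)' >/dev/null
}

# ftp_readiness LSMOD_TEXT RULES_TEXT: prints one line per check and returns
# 0 only when the helper is loaded and both rule checks pass.
ftp_readiness() {
    status=0
    if module_loaded "$1" ip_conntrack_ftp; then
        echo "ok   ip_conntrack_ftp loaded (use count $(module_use_count "$1" ip_conntrack_ftp))"
    else
        echo "FAIL ip_conntrack_ftp not loaded: data connections will never be RELATED"
        status=1
    fi
    if related_accept_present "$2"; then
        echo "ok   INPUT accepts tcp in state RELATED"
    else
        echo "FAIL no ACCEPT for tcp state RELATED in INPUT"
        status=1
    fi
    if ftp_control_accept_present "$2"; then
        echo "ok   INPUT accepts tcp dpt:ftp (control connection)"
    else
        echo "FAIL no ACCEPT for tcp dpt:ftp in INPUT"
        status=1
    fi
    return $status
}

# Stand-alone run over the constructed samples.
ftp_readiness "$LSMOD_SAMPLE" "$RULES_SAMPLE"
```

On a live host the same functions can be fed real output, for example `ftp_readiness "$(lsmod)" "$(iptables -L INPUT)"`; the rule patterns expect the service-name form (`dpt:ftp`) that `iptables -L` prints without `-n`, matching the listing in the thread.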
Thread overview: 3+ messages
2003-10-24 14:14 FTP SERVER ACCESS José Nuno Neto
2003-10-25 20:59 ` Mark E. Donaldson
2003-10-26 13:07   ` jose nuno neto [this message]