Linux Netfilter discussions
* Re: iptables and ftp
From: Willi Dyck @ 2003-02-21 23:51 UTC (permalink / raw)
  To: Roman Gavrilov; +Cc: netfilter

On Sat, Feb 22, 2003 at 10:20:11PM +0200, Roman Gavrilov wrote:
> Hello,
> 
> My question is about ftp and ftp data connections.
> I know this subject has been heavily discussed but still ...
> 
> I set up my firewall to allow connections to 21 and 20 ports.
>  I also allowed connections to high ports from outside from port 20.
> and of course I enabled all established and related connections.

Have you loaded 'ip_nat_ftp' and 'ip_conntrack_ftp' ?

Regards,

Willi

-- 
the three great virtues of a programmer:
laziness, impatience and hubris.
        Larry Wall



* How to do port forwarding dynamically
From: Dhirendra Pal Singh @ 2003-02-22  0:59 UTC (permalink / raw)
  To: netfilter

Hi All,
I am trying to set up a web server inside my home lan. Firewall is 
running on the gateway.
Below is the script for the firewall... (it's very simple.. I downloaded 
it from the net)

*****************************************
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.70

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"


IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIF="eth0"
INTIF1="eth1"
INTIF2="eth2"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface1:  $INTIF1"
echo "   Internal Interface2:  $INTIF2"

echo -en "   loading modules: "
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
echo "----------------------------------------------------------------------"

echo -en "ip_tables, "
$INSMOD ip_tables

echo -en "ip_conntrack, "
$INSMOD ip_conntrack

echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp

echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc

echo -en "iptable_nat, "
$INSMOD iptable_nat

echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp

echo ".  Done loading modules."

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"

**********************************************************************************************
I have stripped off the comments for simplicity. Now when I want to open 
a port and forward it I am trying to execute the following 2 commands...

$iptables -A INPUT -j ACCEPT -p tcp --syn --destination-port 5000
$iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5000 -j DNAT --to-destination 192.168.1.30:80

Shouldn't this forward port 5000 to the internal box on port 80? But this 
is not working. Can someone please help me to correct this script.
Actually I want just 2 lines which I can run for any port and can open 
and forward it to any machine of my choice...

Any quick help would be very much appreciated...
Thanks in advance..
Dp





* Re: How to do port forwarding dynamically
From: Joel Newkirk @ 2003-02-22  1:34 UTC (permalink / raw)
  To: Dhirendra Pal Singh, netfilter

On Friday 21 February 2003 07:59 pm, Dhirendra Pal Singh wrote:
> Hi All,
> I am trying to set up a web server inside my home lan. Firewall is
> running on the gateway.
> Below is the script for the firewall... (it's very simple.. I
> downloaded it from the net)

> echo "   enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward

Best not to do this until you've already created the rules, and the DROP 
policy.

> echo "   enabling DynamicAddr.."
> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> echo "   clearing any existing rules and setting default policy.."
> $IPTABLES -P INPUT ACCEPT

This is NOT a good idea.  This allows anybody on the internet to have 
unrestricted access to all ports on your firewall/gateway.  (unless you 
DNAT them to another machine, or have a rule that explicitly DROPs 
something)  You want a DROP policy instead, and then ACCEPT only traffic 
that needs to access the gateway machine itself.  A simple, more-secure 
(but still not tight) approach is to have a DROP policy on INPUT, then 
use:

$IPTABLES -A INPUT -i $INTIF1 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF2 -j ACCEPT

which allows all machines on the local networks unrestricted access to 
the gateway itself (this is a separate matter from forwarding!) but 
ignores connection attempts from the outside world.  Even better would 
be to ACCEPT ONLY the absolute bare minimum.  Under normal operation 
nobody (internet _OR_ LAN) should need access to the firewall box 
itself.  If you do all your work on the machine sitting in front of it 
with its own keyboard and monitor, and it's not offering other services 
then you can probably work just fine with DROP policy for INPUT (and 
even OUTPUT).  If there are services that the gateway offers to the LAN 
(mailserver, DNS, filesharing, whatever) then you should have ACCEPT 
rules for the necessary ports on INPUT chain, and limit them as above to 
ONLY the LAN, never the internet.  


>************************ I have stripped off the comments for
> simplicity. Now when I want to open a port and forward it I am trying
> to execute the following 2 commands...
>
> $iptables -A INPUT -j ACCEPT -p tcp --syn --destination-port 5000
> $iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 5000 -j DNAT
> --to-destination 192.168.1.30:80
>
> Shouldn't this forward port 5000 to the internal box on port 80? But

Nope.  This DNATs port 5000 incoming to port 80 on the internal box, and 
ACCEPTs syn to port 5000 on the gateway.  You want the PREROUTING rule 
as is, (but "-i $EXTIF" would fit the script style better...) but the 
second rule should be:

$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -j ACCEPT

Differences:  This is FORWARD chain, which is where packets to be 
forwarded will go instead of INPUT.  The destination port is now 80, not 
5000, since the DNAT rule already changed the DPORT when it changed the 
destIP.

> this is not working. Can someone please help me to correct this
> script. Actually I want just 2 lines which I can run for any port and
> can open and forward it to any machine of my choice...
>
> Any quick help would be very much appreciated...
> Thanks in advance..
> Dp

INPUT is for connections directly to the firewall machine, or responses 
to something initiated by the machine itself.  OUTPUT is for connections 
initiated by the firewall machine, or responses to something that came 
in INPUT.  FORWARD is for connections that are only passing through.

j
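The corrected forward and the DROP-policy INPUT that Joel describes, as an added shell example (not Joel's code or anything from the list). It reuses the script's variable names (IPTABLES, EXTIF, and eth1/eth2 as the LAN interfaces); the loopback and ESTABLISHED,RELATED rules on INPUT and the -d DEST_IP / --state NEW match on the FORWARD rule are tightenings beyond Joel's two lines, and DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the rules Joel describes: a DROP
# policy on INPUT that admits only the LAN, and a two-rule port forward whose
# FORWARD rule matches the translated port. Set DRY_RUN=1 to print the
# commands instead of executing them, so they can be reviewed first.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
INTIFS=${INTIFS:-"eth1 eth2"}   # the script's INTIF1 and INTIF2

# run CMD...: execute, or just print when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# valid_port N: succeed only for 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# input_policy: traffic to the gateway itself. Default DROP, then accept
# loopback, replies to connections the gateway opened, and the LAN sides
# (the loopback and reply rules go beyond Joel's two lines).
input_policy() {
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for ifc in $INTIFS; do
        run "$IPTABLES" -A INPUT -i "$ifc" -j ACCEPT
    done
}

# forward_rules EXT_PORT DEST_IP DEST_PORT: the "two lines for any port".
# The FORWARD rule matches DEST_PORT (and DEST_IP), not EXT_PORT, because the
# PREROUTING DNAT has already rewritten the destination before the packet
# reaches FORWARD; an INPUT rule never sees forwarded packets at all.
forward_rules() {
    ext_port=$1; dest_ip=$2; dest_port=$3
    valid_port "$ext_port" && valid_port "$dest_port" || {
        echo "forward_rules: bad port '$ext_port' or '$dest_port'" >&2
        return 1
    }
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp \
        --dport "$ext_port" -j DNAT --to-destination "$dest_ip:$dest_port"
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -p tcp -d "$dest_ip" \
        --dport "$dest_port" -m state --state NEW -j ACCEPT
}
```

Running `DRY_RUN=1 forward_rules 5000 192.168.1.30 80` shows the pair for the web server in the question; without DRY_RUN the same call applies them and must run as root.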




* iptables and ftp
From: Roman Gavrilov @ 2003-02-22 20:20 UTC (permalink / raw)
  To: netfilter


Hello,

My question is about ftp and ftp data connections.
I know this subject has been heavily discussed but still ...

I set up my firewall to allow connections to 21 and 20 ports.
 I also allowed connections to high ports from outside from port 20.
and of course I enabled all established and related connections.


But whenever I connect to my ftp server and issue the "ls" command it gets stuck.
In the firewall I see :
Feb 22 04:07:46 hostname IN=eth0 OUT= MAC=00:e0:18:d3:1b:4b:00:90:5f:0d:64:38:08:00  SRC=source ip DST=my server ip LEN=60 TOS=00 PREC=0x00 TTL=53 ID=41512 DF PROTO=TCP SPT=37070 DPT=21773 SEQ=3256137382 ACK=0 WINDOW=5648 SYN URGP=0

SPT=37070 DPT=21773 looks strange to me.

It seems that the ftp data session is trying to establish a connection from a high port to a high port.
SYN means that it is trying to establish a connection and of course it is dropped by the firewall.
There is no sense in allowing anything from outside to the server's high ports.

I think that the client should issue a connect request from a high port to the server's port 20.
And then it should match the established connection.

What can be the problem ?

Thanks
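As an added example that is not part of either post, a small POSIX shell triage helper: it pulls the fields out of a netfilter LOG line like the one above, explains the high-port-to-high-port SYN as a passive-mode FTP data connection, and checks /proc/modules for the ip_conntrack_ftp and ip_nat_ftp helpers Willi asked about. The sample line and module list are constructed; the addresses are RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a dropped-packet LOG line
# like Roman's and checks for the two helpers Willi asked about. SAMPLE_LOG
# is constructed after Roman's line, with RFC 5737 documentation addresses.
SAMPLE_LOG='Feb 22 04:07:46 hostname IN=eth0 OUT= MAC=00:e0:18:d3:1b:4b:00:90:5f:0d:64:38:08:00 SRC=198.51.100.7 DST=192.0.2.21 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=41512 DF PROTO=TCP SPT=37070 DPT=21773 SEQ=3256137382 ACK=0 WINDOW=5648 SYN URGP=0'

# log_field LINE KEY: the value of KEY=value in a netfilter LOG line.
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# has_flag LINE FLAG: succeed if the bare TCP flag word (SYN, ACK, ...) is set.
has_flag() {
    printf ' %s \n' "$1" | grep -q " $2 "
}

# classify_ftp_drop LINE: prints control, passive-data-syn or other.
classify_ftp_drop() {
    proto=$(log_field "$1" PROTO); spt=$(log_field "$1" SPT); dpt=$(log_field "$1" DPT)
    [ "$proto" = TCP ] || { echo other; return 0; }
    if [ "$dpt" = 21 ]; then
        echo control
    elif has_flag "$1" SYN && [ "$spt" -gt 1023 ] && [ "$dpt" -gt 1023 ]; then
        # High port to high port SYN towards the server: a passive-mode data
        # connection. No static rule can know the port in advance; the
        # ip_conntrack_ftp helper reads it from the PASV reply and marks
        # the flow RELATED, so the existing ESTABLISHED,RELATED rule admits it.
        echo passive-data-syn
    else
        echo other
    fi
}

# ftp_helpers_loaded [MODULES_FILE]: succeed if both helpers appear in
# /proc/modules (a different file may be passed in for testing).
ftp_helpers_loaded() {
    f=${1:-/proc/modules}
    grep -q '^ip_conntrack_ftp ' "$f" && grep -q '^ip_nat_ftp ' "$f"
}
```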




* Re: How to do port forwarding dynamically
From: Dhirendra Pal Singh @ 2003-02-24 20:13 UTC (permalink / raw)
  To: netfilter; +Cc: netfilter

Thanks for your detailed help J.
I will try all that you have said and will get back to you later... As I 
do have some more questions, but let me try them myself before asking 
again...

Thanks once again..
Dp


