From: Richard <netfilter@ghz.fr>
To: netfilter@lists.netfilter.org
Subject: Re: IPtables settings to access a backup FTP
Date: Sun, 19 Aug 2007 00:36:09 +0200 [thread overview]
Message-ID: <46C77459.7000000@ghz.fr> (raw)
In-Reply-To: <46C756B6.4000003@rtij.nl>
Martijn Lievaart a écrit :
> Richard wrote:
>
> [ Please don't toppost. Thanks ]
>
>> Hi I've got ip_conntrack running,
>
> I was talking about ip_conntrack_ftp, not ip_conntrack. You need both.
> The difference is between ftp working and not working at the first LS
> command.
>
>>
>> My server hosts FTP accounts and I also need outgoing ftp ...
>
> Clear, so you need the input rule on port 21 as well.
>
>>
>> No problems accessing the ftp hosted on this server, but can't do a
>> CWD (ls) from this server to another external ftp server unless the
>> firewall is disactivated.
>
> No problems? Impossible with the rules you posted.
>
>>
>> I guess you are going to say most of my settings are useless but here
>> goes my current settings :
>
> Thanks, but that is virtually unreadable. Post the output of
> iptables-save instead.
>
> HTH,
> M4
>
Thankyou ! That fixed my problem ! I did a lsmod and it was not there so
I did a mprobe ip_conntrack_ftp and then added ip_conntrack_ftp to
/etc/modules
Now my backup system works well !
Now for my iptable settings, here is my file :
------
#The NAT portion of the ruleset. Used for Network Address Transalation.
#Usually not needed on a typical web server, but it's there if you need it.
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
COMMIT
#The Mangle portion of the ruleset. Here is where unwanted packet types
get dropped.
#This helps in making port scans against your server a bit more time
consuming and difficult, but not impossible.
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG
FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
#The FILTER section of the ruleset is where we initially drop all
packets and then selectively open certain ports.
#We will also enable logging of all dropped requests.
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOG_DROP - [0:0]
:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]
#test
-A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 21 -j ACCEPT
#First, we cover the INPUT rules, or the rules for incoming requests.
#Note how at the end we log any incoming packets that are not accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2022 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
#Passive FTP connections
-A INPUT -p tcp -m tcp --dport 32876 -j ACCEPT
-A INPUT -p udp -m udp --dport 32876 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG_DROP
#Next, we cover the OUTPUT rules, or the rules for all outgoing traffic.
#Note how at the end we log any outbound packets that are not accepted.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2022 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
#uncomment the next line if you are running Spamassassin on your server
#-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG_DROP
#Here we have 2 sets of logging rules. One for dropped packets to log
all dropped requests and one for accepted packets, should we wish to log
any accepted requesets.
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : " --log-tcp-options
--log-ip-options
-A LOG_DROP -j DROP
-A LOG_ACCEPT -j LOG --log-prefix "[IPTABLES ACCEPT] : "
--log-tcp-options --log-ip-options
-A LOG_ACCEPT -j ACCEPT
#And finally, a rule to deal with ICMP requests. We drop all ping
requests except from our own server.
# Make sure you replace 1.2.3.4 with the IP address of your server.
#-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
#-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
#-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A icmp_packets -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG
--log-prefix "PING-DROP: "
COMMIT
-----
So as far as I understand, I must remove the two following lines :
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
Thanks again !
Richard
prev parent reply other threads:[~2007-08-18 22:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-18 19:08 IPtables settings to access a backup FTP Richard
2007-08-18 20:16 ` Martijn Lievaart
2007-08-18 20:25 ` Richard
2007-08-18 20:29 ` Martijn Lievaart
2007-08-18 22:36 ` Richard [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46C77459.7000000@ghz.fr \
--to=netfilter@ghz.fr \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox