* Problem with APT-GET (ftp) and iptables
@ 2004-12-23 17:59 Noah Slater
From: Noah Slater @ 2004-12-23 17:59 UTC (permalink / raw)
To: netfilter
Hello,
I have a question regarding iptables and apt-get. I have a shell
script which is included at the bottom of this email which sets up
iptables for me. The only problem is that it is not managing to track
apt-get's ftp connections and prevents me from using it. I have
included a tail of /var/log/messages and the output when I try to run
apt-get.
It seems to be failing to let ftp connections back into my box.
I would be more than appreciative if someone could point out where I
am going wrong.
Thank you very much,
Noah Slater
----------------------------------------------------------------------
root@achilles:/home/noah $ apt-get update
Get:1 ftp://mirror.bytemark.co.uk stable/main Packages
Hit http://security.debian.org stable/updates/main Packages
Hit http://security.debian.org stable/updates/main Release
Hit http://security.debian.org stable/updates/contrib Packages
Hit http://security.debian.org stable/updates/contrib Release
30% [1 Packages 0]
----------------------------------------------------------------------
(At this point it indefinitely hangs...)
----------------------------------------------------------------------
tail /var/log/messages
----------------------------------------------------------------------
Dec 23 17:45:18 achilles kernel: conntrack_ftp: partial 227 2850985299+27
Dec 23 17:45:18 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16672 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:21 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16673 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:23 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40928 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:27 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16674 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:39 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16675 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:47 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40929 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0
----------------------------------------------------------------------
----------------------------------------------------------------------
FILE: iptables-setup
----------------------------------------------------------------------
#! /bin/sh
IPTABLES=/sbin/iptables
test -x $IPTABLES || exit 5
echo -n "Loading packet filters... "
# Flush old rules and chains
$IPTABLES --flush
$IPTABLES --delete-chain
# Set default deny policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Give free rein to loopback interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Rudimentary anti-IP-spoofing drops
$IPTABLES -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTABLES -A INPUT -s 255.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP!"
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP!"
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 80.68.88.7 -j LOG --log-prefix "Spoofed our IP!"
$IPTABLES -A INPUT -s 80.68.88.7 -j DROP
# Tell netfilter all TCP sessions begin with SYN
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Stealth scan attempt?"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# INBOUND Policy
# Accept inbound packets that are part of previously accepted sessions
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Accept inbound packets which initiate SSH sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW
# Log anything not accepted above
$IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default:"
# OUTBOUND Policy
# If it's part of an approved connection, let it out
$IPTABLES -I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outbound packets which initiate HTTP sessions
$IPTABLES -A OUTPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
# Allow outbound packets which initiate FTP sessions
$IPTABLES -A OUTPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
# Allow outbound DNS queries to resolve IPs
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# Log anything not accepted above
$IPTABLES -A OUTPUT -j LOG --log-prefix "Dropped by default:"
echo "Done!"
----------------------------------------------------------------------
* Re: Problem with APT-GET (ftp) and iptables
From: Jason Opperisano @ 2004-12-23 18:33 UTC (permalink / raw)
To: netfilter
On Thu, 2004-12-23 at 12:59, Noah Slater wrote:
> Hello,
>
> I have a question regarding iptables and apt-get. I have a shell
> script which is included at the bottom of this email which sets up
> iptables for me. The only problem is that it is not managing to track
> apt-get's ftp connections and prevents me from using it. I have
> included a tail of /var/log/messages and the output when I try to run
> apt-get.
>
> It seems to be failing to let ftp connections back into my box.
>
> I would be more than appreciative if someone could point out where I
> am going wrong.
It appears as though you don't have "ip_conntrack_ftp" loaded;
therefore, there's nothing to recognize that the SYN from the FTP server
is RELATED.
-j
--
"That's it! You people have stood in my way long enough. I'm going
to clown college!"
--The Simpsons
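Jason's diagnosis can be checked against the log Noah posted. The following is an added example, not code from either poster: it parses netfilter LOG-target lines into fields and flags, groups the dropped inbound SYNs by 4-tuple, and keeps those from the FTP server to unprivileged local ports that the peer retried, which is the data-connection pattern the ip_conntrack_ftp helper should have classified as RELATED. It assumes 212.13.210.26 (the only peer in the log) is the FTP mirror, and the sample log is constructed from the entries in the post.

```python
import re
from collections import defaultdict
# Constructed sample: entries from the post, one per line as syslog stores them (the mail wrapped them).
SAMPLE_LOG = """\
Dec 23 17:45:18 achilles kernel: conntrack_ftp: partial 227 2850985299+27
Dec 23 17:45:18 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16672 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:21 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=16673 DF PROTO=TCP SPT=53792 DPT=1220 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:23 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40928 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 23 17:45:47 achilles kernel: Dropped by default:IN=eth0 OUT= MAC=fe:fd:50:44:58:07:fe:ff:00:00:00:01:08:00 SRC=212.13.210.26 DST=80.68.88.7 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=40929 DF PROTO=TCP SPT=53782 DPT=1217 WINDOW=5840 RES=0x00 SYN URGP=0
"""

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")

def parse_log_line(line):
    """One netfilter LOG line -> (time, prefix, fields, flags); bare tokens like SYN/DF are flags."""
    m = SYSLOG_RE.match(line)
    if not m or "IN=" not in m.group(2):
        return None  # not a LOG-target line (e.g. the conntrack_ftp helper message)
    prefix, _, rest = m.group(2).partition("IN=")
    fields, flags = {}, set()
    for tok in ("IN=" + rest).split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val  # OUT= yields an empty string, as in the original line
        else:
            flags.add(tok)
    return m.group(1), prefix.strip(), fields, flags

def dropped_inbound_syns(log_text):
    """Group dropped inbound TCP SYNs by 4-tuple, collecting the IP IDs seen for each."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if (parsed := parse_log_line(line)) is None:
            continue
        _time, _prefix, f, flags = parsed
        if f.get("PROTO") == "TCP" and "SYN" in flags and f.get("IN"):
            groups[(f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))].append(int(f["ID"]))
    return dict(groups)

def ftp_data_drops(groups, ftp_server):
    """SYNs from the FTP server to unprivileged local ports that the peer retried (>1 IP ID)."""
    return {k: ids for k, ids in groups.items()
            if k[0] == ftp_server and k[3] > 1023 and len(ids) > 1}

# Assumption: 212.13.210.26 is the FTP mirror; it is the only peer in the posted log.
if __name__ == "__main__":
    for (src, spt, dst, dpt), ids in ftp_data_drops(dropped_inbound_syns(SAMPLE_LOG), "212.13.210.26").items():
        print(f"{src}:{spt} -> {dst}:{dpt}: SYN dropped {len(ids)} times, IP IDs {ids}")
```

A retried SYN from the same source port is a peer that genuinely wants the connection, so a cluster of these right after a "conntrack_ftp:" message points at the helper, not at a scan.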
* Re: Problem with APT-GET (ftp) and iptables
From: Noah Slater @ 2004-12-23 19:25 UTC (permalink / raw)
To: netfilter
Hey,
Thanks for the reply.
This is what I thought too. I sent an email to my server admins, who
responded thusly:
>> Hello,
>>
>>I am trying to set up my iptables to be quite strict, but to allow FTP
>>connections.
>>
>>I am trying to use modprobe with ip_conntrack_ftp for this but I keep
>> hitting a brick wall trying to get this to work.
>
>Hi Noah, our kernels do not support modules but do have the
>conntrack_ftp module built in so you don't need to worry about
>modprobing it to get it to work.
Also, when I start apt-get you see the following line in /var/log/messages:
Dec 23 17:45:18 achilles kernel: conntrack_ftp: partial 227 2850985299+27
So I naturally assumed that conntrack_ftp was loaded.
Is "conntrack_ftp" the same as "ip_conntrack_ftp", and what does this
line in the log mean? I have googled for ages but not found anything.
Any further help would be amazing. Thank you.
Noah Slater