Hi,

Maybe this will help. I think this version of the bastille script uses iptables, not chains. Below is the output of iptables -L on my machine. There are two interfaces, one to the internet (eth0) and one inside (eth1). From inside, the passive ftp clients work. This was originally set up by the command bastille-netfilter start and I've been playing around with config files. I don't know iptables enough yet to tell you the manual command. Apologies to the list if this is all not relevant!

//Now I'm curious because I don't see anything here specifically referring to FTP. There is an option to force passive connections, but it's turned off now. I'm slow, I need to spend more time to get iptables. I'm just throwing data at you in the hopes that something will assist. Let me know if there is any output from my machine that I can send that will help.

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootpc dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:bootps dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
DROP       tcp  --  anywhere             127.0.0.0/8
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/4  anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
PUB_IN     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere
PUB_OUT    all  --  anywhere             anywhere

Chain INT_IN (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INT_OUT (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain PUB_IN (3 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
LOG        tcp  --  anywhere             anywhere            tcp dpt:telnet state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:ftp state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:imap state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:pop3 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:finger state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:sunrpc state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:exec state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:login state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:tacnews state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        tcp  --  anywhere             anywhere            tcp dpt:ssh state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
LOG        udp  --  anywhere             anywhere            udp dpt:31337 state INVALID,NEW limit: avg 5/sec burst 8 LOG level warning prefix `audit'
DROP       icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain PUB_OUT (3 references)
target     prot opt source               destination
REJECT     icmp --  anywhere             anywhere            icmp destination-unreachable reject-with icmp-port-unreachable
REJECT     icmp --  anywhere             anywhere            icmp time-exceeded reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere

Then I looked at the source for the script that's running; here's the only thing I found referring to ftp:

# Uncomment this to really, truly block active FTP
# (shouldn't be necessary if ip_conntrack_ftp does its job)
#if [ ${FORCE_PASV_FTP} = "Y" ]; then
#    [ "${LOG_FAILURES}" = "Y" ] && \
#        ${IPTABLES} -A INPUT -p tcp --dport 1024: -s 0.0.0.0/0 --sport ftp-data -j LOG --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num
#    ${IPTABLES} -A INPUT -p tcp --dport 1024: -s 0.0.0.0/0 --sport ftp-data -j ${REJECT_METHOD}
#fi

...and as a comparison, I found this snippet here: http://www.cs.princeton.edu/~jns/security/iptables/

## FTP
<SNIP>
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023
# on the remote machine previously passed over the ftp channel via a PORT command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
# connection to port 21 so we don't need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
    -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
    -m state --state ESTABLISHED,RELATED -j ACCEPT

Maybe something in all that will help!

----Original Message Follows----
From: "Jim Roland" <jroland@roland.net>

Thanks, but that is not the cause of my problem. Enabling PASV commands at my ftp client on the inside of the firewall results in blocked connections to the outside world. Iptables of course is very manual in nature.
----- Original Message -----
From: "grottoBoy rant" <stylerzz@hotmail.com>
To: <jroland@roland.net>; <linux-net@vger.kernel.org>; <linux-admin@vger.kernel.org>
Sent: Sunday, August 12, 2001 8:33 PM
Subject: Re: Passive FTP and iptables

> If it helps, I had a similar problem. I'm using a Bastille firewall script
> that came with my distro of Mandrake 8.0. I couldn't figure out how to get
> Active FTP to work... However, I enabled passive mode on the client ftp
> proggie itself. This worked for the Mac client I was using. (Fetch)
>
> thx
>
> ----Original Message Follows----
>
> I recently upgraded a RH61 firewall to RH71 and preferred to use iptables
> since the portforwarding modules in ipchains/ipmasqadm are not available
> with kernel 2.4.
>
> Here is my setup (question to follow):
> eth0 = "inside" NIC
> eth1 = "outside" NIC
> Simple arrangement for Masquerading:
> iptables -t nat -I POSTROUTING -j MASQUERADE -i eth0
> ** I have portforwarding working fine on the system, but it's not relevant
> to my problem.
> ** There is another firewall between this box and the internet that is doing
> the actual blocking of most ports (this is for the benefit of those of you
> wanting to send an "open firewall is a bad idea" email--I am
> double-perimetered--the external does the hard work... The network is
> properly configured at the exterior firewall just fine and is "mostly
> closed". The box in question is merely a MASQ and Proxy (squid)).
>
> -------------------
>
> Moving right along...
>
> With the lack of simple and coherent iptables documentation (I found several
> HOWTOs, including a good page at princeton.edu discussing passive ftp), I
> was able to finally make "active" FTP work (the flavor of FTP using only
> ports 20:21). I accomplished this by insmoding ip_nat_ftp and
> ip_conntrack_ftp.
>
> -------------------
>
> My problem:
> In passive mode, my FTP clients are able to obtain a control connection and
> login, but are unable to receive data (even a "dir" or "ls" fails). I know
> this is because the passive port (arbitrary) is being denied, but I am
> unable to make the ip_nat_ftp and ip_conntrack_ftp modules "see" the passive
> action. Active FTP (port 20:21 only) works just fine.
>
> The princeton.edu page shows iptables command samples for utilizing the same
> box (assumed single-homed box--this is a dual-homed box forwarding
> packets between eth0 and eth1), but does not show a real firewall box
> situation.
>
> What iptables commands do I need to use to make passive FTP work?
>
> Regards,
> Jim Roland, RHCE
>
> -
> : send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html

-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
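The whole thread turns on what ip_conntrack_ftp has to do for the RELATED,ESTABLISHED rules above to match a passive data connection: read the 227 reply (or, for active mode, the PORT command) on the control channel and register the announced endpoint so the next SYN to it is RELATED rather than NEW. The following is an added toy model of that mechanism, written for this page and not code from the thread, Bastille or netfilter; the client and server addresses, the control-channel lines and the port numbers are constructed, and ip_nat_ftp's address rewriting behind MASQUERADE is deliberately left out.

```python
import re

# FTP announces a data endpoint as six decimal octets: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(groups):
    """Turn the six FTP address octets into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class FtpHelper:
    """Toy model of ip_conntrack_ftp: watch the control channel and record the
    data connection each PORT command or 227 reply announces, so the firewall
    can treat that connection as RELATED instead of NEW (a single-use entry)."""

    def __init__(self):
        self.expected = set()  # (src_ip, dst_ip, dst_port)

    def watch(self, client_ip, server_ip, line):
        m = PORT_RE.match(line)
        if m:  # active: the server will connect to the port the client named
            ip, port = decode_hostport(m.groups())
            if ip != client_ip:  # third-party address: create no expectation
                return ("ignored", ip, port)
            self.expected.add((server_ip, ip, port))
            return ("active", ip, port)
        m = PASV_RE.match(line)
        if m:  # passive: the client will connect to the port the server named
            ip, port = decode_hostport(m.groups())
            if ip != server_ip:  # reply names someone else: create no expectation
                return ("ignored", ip, port)
            self.expected.add((client_ip, ip, port))
            return ("passive", ip, port)
        return None  # USER, PASS, LIST, ... carry no endpoint

    def classify(self, src_ip, dst_ip, dst_port):
        """State a data-connection SYN would match: RELATED if announced, else NEW."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)
            return "RELATED"
        return "NEW"

def demo():
    """Constructed exchange: inside client 192.168.0.10, outside server 203.0.113.5."""
    h = FtpHelper()
    client, server = "192.168.0.10", "203.0.113.5"
    h.watch(client, server, "PORT 192,168,0,10,4,1")                           # port 1025
    h.watch(client, server, "227 Entering Passive Mode (203,0,113,5,195,81)")  # port 50001
    return {"active": h.classify(server, client, 1025),        # RELATED
            "passive": h.classify(client, server, 50001),      # RELATED
            "unannounced": h.classify(client, server, 50002)}  # NEW: falls to policy DROP
```

If the helper never sees the 227 reply (module not loaded, or the control channel not passing through the box), the passive SYN in the FORWARD chain is NEW and the DROP policy above is exactly what the client experiences.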