RE: FTP SERVER ACCESS

FTP is one of the most difficult protocols to get through a firewall.  To
begin with, are you using the netfilter ftp connection tracking module?
$MODPROBE ip_conntrack_ftp

Start with this.  If you need more help let me know.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx]On Behalf Of Jose Nuno Neto
Sent: Friday, October 24, 2003 7:15 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: FTP SERVER ACCESS


Hi,

I have a friewall script from
http://www.rfxnetworks.com/apf.php

I've followed the instructions and have access to everything I want except for the
FTP server.
Can anyone point out what ports/actions I need?

thanx

-------------------------------------------

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
IN_UNCLEAN  all  --  anywhere             anywhere           unclean
ACCEPT     all  --  anywhere             anywhere
TELNET_LOG  tcp  --  anywhere             anywhere           tcp dpt:telnet
state NEW
SSH_LOG    tcp  --  anywhere             anywhere           tcp dpt:ssh
state NEW
DROP       all  --  1.0.0.0/8            anywhere
DROP       all  --  2.0.0.0/8            anywhere
DROP       all  --  5.0.0.0/8            anywhere
DROP       all  --  7.0.0.0/8            anywhere
DROP       all  --  23.0.0.0/8           anywhere
DROP       all  --  27.0.0.0/8           anywhere
DROP       all  --  31.0.0.0/8           anywhere
DROP       all  --  36.0.0.0/8           anywhere
DROP       all  --  37.0.0.0/8           anywhere
DROP       all  --  39.0.0.0/8           anywhere
DROP       all  --  41.0.0.0/8           anywhere
DROP       all  --  42.0.0.0/8           anywhere
DROP       all  --  58.0.0.0/8           anywhere
DROP       all  --  59.0.0.0/8           anywhere
DROP       all  --  60.0.0.0/8           anywhere
DROP       all  --  70.0.0.0/8           anywhere
DROP       all  --  71.0.0.0/8           anywhere
DROP       all  --  72.0.0.0/8           anywhere
DROP       all  --  73.0.0.0/8           anywhere
DROP       all  --  74.0.0.0/8           anywhere
DROP       all  --  75.0.0.0/8           anywhere
DROP       all  --  76.0.0.0/8           anywhere
DROP       all  --  77.0.0.0/8           anywhere
DROP       all  --  78.0.0.0/8           anywhere
DROP       all  --  78.0.0.0/8           anywhere
DROP       all  --  79.0.0.0/8           anywhere
DROP       all  --  83.0.0.0/8           anywhere
DROP       all  --  84.0.0.0/8           anywhere
DROP       all  --  85.0.0.0/8           anywhere
DROP       all  --  86.0.0.0/8           anywhere
DROP       all  --  87.0.0.0/8           anywhere
DROP       all  --  88.0.0.0/8           anywhere
DROP       all  --  89.0.0.0/8           anywhere
DROP       all  --  90.0.0.0/8           anywhere
DROP       all  --  91.0.0.0/8           anywhere
DROP       all  --  92.0.0.0/8           anywhere
DROP       all  --  93.0.0.0/8           anywhere
DROP       all  --  94.0.0.0/8           anywhere
DROP       all  --  95.0.0.0/8           anywhere
DROP       all  --  96.0.0.0/8           anywhere
DROP       all  --  97.0.0.0/8           anywhere
DROP       all  --  98.0.0.0/8           anywhere
DROP       all  --  99.0.0.0/8           anywhere
DROP       all  --  100.0.0.0/8          anywhere
DROP       all  --  101.0.0.0/8          anywhere
DROP       all  --  102.0.0.0/8          anywhere
DROP       all  --  103.0.0.0/8          anywhere
DROP       all  --  104.0.0.0/8          anywhere
DROP       all  --  105.0.0.0/8          anywhere
DROP       all  --  106.0.0.0/8          anywhere
DROP       all  --  107.0.0.0/8          anywhere
DROP       all  --  108.0.0.0/8          anywhere
DROP       all  --  109.0.0.0/8          anywhere
DROP       all  --  110.0.0.0/8          anywhere
DROP       all  --  111.0.0.0/8          anywhere
DROP       all  --  112.0.0.0/8          anywhere
DROP       all  --  113.0.0.0/8          anywhere
DROP       all  --  114.0.0.0/8          anywhere
DROP       all  --  115.0.0.0/8          anywhere
DROP       all  --  116.0.0.0/8          anywhere
DROP       all  --  117.0.0.0/8          anywhere
DROP       all  --  118.0.0.0/8          anywhere
DROP       all  --  119.0.0.0/8          anywhere
DROP       all  --  120.0.0.0/8          anywhere
DROP       all  --  121.0.0.0/8          anywhere
DROP       all  --  122.0.0.0/8          anywhere
DROP       all  --  123.0.0.0/8          anywhere
DROP       all  --  124.0.0.0/8          anywhere
DROP       all  --  124.0.0.0/8          anywhere
DROP       all  --  125.0.0.0/8          anywhere
DROP       all  --  126.0.0.0/8          anywhere
DROP       all  --  128.66.0.0/16        anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  197.0.0.0/8          anywhere
DROP       all  --  221.0.0.0/8          anywhere
DROP       all  --  222.0.0.0/8          anywhere
DROP       all  --  223.0.0.0/8          anywhere
DROP       all  --  240.0.0.0/4          anywhere
DROP       tcp  --  anywhere             anywhere           multiport dports
smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,274
44,31335
DROP       udp  --  anywhere             anywhere           multiport dports
smux,snmp,31337,33270,1234,6711,16660,60001,12345,12346,ingreslock,27665,274
44,31335
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
LD         all  --  255.255.255.255      anywhere
LD         all  --  anywhere             0.0.0.0
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,RST/FIN,RST
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,ACK/FIN
DROP       tcp  --  anywhere             anywhere           tcp
flags:PSH,ACK/PSH
DROP       tcp  --  anywhere             anywhere           tcp
flags:ACK,URG/URG
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/FIN
DROP       all  --  anywhere             anywhere           state INVALID
DROP       tcp  --  anywhere             anywhere           tcp option=64
DROP       tcp  --  anywhere             anywhere           tcp option=128
FUDP       udp  -f  anywhere             anywhere
PZ         udp  --  anywhere             anywhere           udp dpt:0
PZ         tcp  --  anywhere             anywhere           tcp dpt:0
REJECT     tcp  --  anywhere             anywhere           tcp dpt:auth
reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp dpt:auth
reject-with icmp-port-unreachable
DROP       udp  --  anywhere             anywhere           multiport dports
netbios-ns,netbios-dgm
DROP       udp  --  anywhere             255.255.255.255
ACCEPT     udp  --  anywhere             anywhere           udp spt:domain
dpts:1023:65535
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           udp
dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
dpts:login:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ssh
state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp
spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           multiport dports
ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           multiport dports
ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx    tcp
dpt:ftp-data
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ftp
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ssh
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:smtp
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp
dpt:domain
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:http
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:https
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:pop3
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:imap
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:19638
ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
dpt:ftp-data
ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
dpt:domain
ACCEPT     icmp --  anywhere             anywhere           icmp
destination-unreachable
ACCEPT     icmp --  anywhere             anywhere           icmp redirect
ACCEPT     icmp --  anywhere             anywhere           icmp
time-exceeded
ACCEPT     icmp --  anywhere             anywhere           icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere           icmp type 30
ACCEPT     icmp --  anywhere             anywhere           icmp
echo-request
DROP       icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere           udp
dpts:traceroute:33523
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp
dpt:ftp-data
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ftp
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:ssh
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:smtp
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp
dpt:domain
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:http
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:https
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:pop3
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:imap
ACCEPT     tcp  --  anywhere             xxx.SERVER.IP.xxx     tcp dpt:19638
ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
dpt:ftp-data
ACCEPT     udp  --  anywhere             xxx.SERVER.IP.xxx     udp
dpt:domain
DROP       tcp  --  anywhere             anywhere           tcp
flags:!SYN,RST,ACK/SYN state NEW
UDP_POL    udp  --  anywhere             anywhere
TCP_POL    tcp  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUT_UNCLEAN  all  --  anywhere             anywhere           unclean
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
LD         all  --  255.255.255.255      anywhere
LD         all  --  anywhere             0.0.0.0
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,SYN/FIN,SYN
DROP       tcp  --  anywhere             anywhere           tcp
flags:SYN,RST/SYN,RST
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,RST/FIN,RST
DROP       tcp  --  anywhere             anywhere           tcp
flags:FIN,ACK/FIN
DROP       tcp  --  anywhere             anywhere           tcp
flags:PSH,ACK/PSH
DROP       tcp  --  anywhere             anywhere           tcp
flags:ACK,URG/URG
FUDP       udp  -f  anywhere             anywhere
PZ         udp  --  anywhere             anywhere           udp dpt:0
PZ         tcp  --  anywhere             anywhere           tcp dpt:0
ACCEPT     udp  --  anywhere             anywhere           udp
spts:1023:65535 dpt:domain
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           udp
dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ftp
dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere           multiport dports
ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere           multiport dports
ftp,ftp-data state RELATED,ESTABLISHED
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
dpt:ftp-data
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:ftp
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:smtp
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:http
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:https
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
dpts:1000:40000
ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
dpt:ftp-data
ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp dpt:ftp
ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
dpt:domain
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
dpt:ftp-data
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:ftp
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:smtp
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:http
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp dpt:https
ACCEPT     tcp  --  xxx.SERVER.IP.xxx       anywhere           tcp
dpts:1000:40000
ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
dpt:ftp-data
ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp dpt:ftp
ACCEPT     udp  --  xxx.SERVER.IP.xxx       anywhere           udp
dpt:domain
DROP       tcp  --  anywhere             anywhere           tcp
flags:!SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere           tcp
flags:!SYN,RST,ACK/SYN state NEW
ACCEPT     icmp --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain FUDP (2 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `** UDP Frag **'
DROP       all  --  anywhere             anywhere

Chain IN_UNCLEAN (1 references)
target     prot opt source               destination
UNCLEAN    all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `** UNCLEAN ** '

Chain LA (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level
warning
ACCEPT     all  --  anywhere             anywhere

Chain LD (4 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level
warning
DROP       all  --  anywhere             anywhere

Chain OUT_UNCLEAN (1 references)
target     prot opt source               destination
UNCLEAN    all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `** UNCLEAN ** '

Chain PZ (4 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `** Port Zero **'
DROP       all  --  anywhere             anywhere

Chain SANITY (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain SSH_LOG (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `** SSH ** '

Chain STATE (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
DROP       all  --  anywhere             anywhere

Chain TCP_POL (1 references)
target     prot opt source               destination
LOG        tcp  --  anywhere             anywhere           limit: avg 1/sec
burst 5 LOG level warning prefix `** TCP DROP ** '
DROP       all  --  anywhere             anywhere

Chain TELNET_LOG (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere           LOG level
warning prefix `** TELNET ** '

Chain UDP_POL (1 references)
target     prot opt source               destination
LOG        udp  --  anywhere             anywhere           limit: avg 1/sec
burst 5 LOG level warning prefix `** UDP DROP ** '
DROP       all  --  anywhere             anywhere

Chain UNCLEAN (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

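The reply above hinges on one point: an FTP session opens a second, separate TCP connection for data, and a stateful ruleset that ends in DROP only lets that connection through if netfilter has classified it as RELATED, which is the job of the FTP connection-tracking helper. The script below is an added example, not code from the thread or from the APF package the poster used. It does three things: checks a module listing for the helper, flattens a mailer-wrapped `iptables -L` listing like the one posted and checks the INPUT chain for the two rules FTP needs (an ACCEPT for new connections to tcp dpt:ftp and an ACCEPT for state RELATED,ESTABLISHED), and prints the minimal helper-based rules. `SERVER_IP` (a TEST-NET-1 address), the `/sbin` paths and the embedded sample listing are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the thread): verify the pieces the reply asks
# about for an FTP server behind a default-DROP INPUT chain, and emit the
# rules that rely on the FTP connection-tracking helper.
# SERVER_IP is a placeholder (TEST-NET-1); the binary paths are assumptions.
SERVER_IP="${SERVER_IP:-192.0.2.10}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Is the FTP conntrack helper loaded?  Reads a module listing on stdin
# (`cat /proc/modules` or `lsmod`).  The module is ip_conntrack_ftp on the
# 2.4-era kernels of the thread and nf_conntrack_ftp on current kernels.
helper_loaded() {
    grep -E -q '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Flatten an `iptables -L` listing (stdin) into one "CHAIN<TAB>rule" line per
# rule.  Mailers wrap long rule lines, as in the posted listing; a line whose
# third field is not the "opt" column (-- or -f) is a continuation and is
# glued back onto the rule before it.
flatten_rules() {
    awk '
        function flush() { if (rule != "") print rule; rule = "" }
        /^Chain /  { flush(); chain = $2; next }
        /^target / { next }
        NF == 0    { next }
        $3 == "--" || $3 == "-f" { flush(); rule = chain "\t" $0; next }
        { rule = rule " " $0 }
        END { flush() }
    '
}

# Two things a default-DROP INPUT chain needs for FTP: an ACCEPT for new
# connections to the control port (tcp dpt:ftp) and an ACCEPT for
# RELATED,ESTABLISHED, which is how the data connections get in once the
# helper has parsed the PORT/PASV exchange.  Returns 0 only if both exist.
check_ftp_rules() {
    flat=$(flatten_rules)
    ctrl=$(printf '%s\n' "$flat" \
        | grep -E '^INPUT[[:space:]]ACCEPT +tcp .*dpt:ftp( |$)' \
        | grep -v -c 'state ' || true)
    related=$(printf '%s\n' "$flat" \
        | grep -E -c '^INPUT[[:space:]]ACCEPT .*state RELATED,ESTABLISHED' || true)
    ok=0
    [ "$ctrl" -gt 0 ] || { echo "missing: INPUT ACCEPT for new connections to tcp dpt:ftp"; ok=1; }
    [ "$related" -gt 0 ] || { echo "missing: INPUT ACCEPT for state RELATED,ESTABLISHED"; ok=1; }
    if [ "$ok" -eq 0 ]; then
        echo "INPUT has the FTP control and RELATED rules; if FTP still fails, check the helper"
    fi
    return "$ok"
}

# The rules this approach needs, printed rather than applied so they can be
# reviewed first (pipe into sh to apply).  Data connections are accepted only
# as RELATED, i.e. only after the helper has seen them announced on the
# control channel; no blanket high-port ACCEPT is needed.
ftp_rules() {
    cat <<EOF
$MODPROBE ip_conntrack_ftp
$IPTABLES -A INPUT  -d $SERVER_IP -p tcp --dport 21 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT  -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Constructed listing in the posted format (one rule wrapped by the mailer);
# replace with the output of `iptables -L` or with the saved listing.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp
dpts:1023:65535 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             192.0.2.10           tcp dpt:ftp
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.0.2.10           anywhere           tcp dpt:ftp
EOF
}

# Demo run: check the sample listing, the running kernel's modules (if
# readable), then print the rules.
sample_listing | check_ftp_rules
if [ -r /proc/modules ]; then
    helper_loaded </proc/modules && echo "FTP conntrack helper: loaded" \
        || echo "FTP conntrack helper: NOT loaded (try: $MODPROBE ip_conntrack_ftp)"
fi
ftp_rules
```

Run against the listing posted in the thread (save it to a file and `check_ftp_rules <file`), it reports both rules present: the INPUT chain already accepts tcp dpt:ftp to the server address and RELATED,ESTABLISHED traffic on ports 1023:65535, which is why the reply's first question is about the helper rather than about ports. Two caveats for anyone applying this on a newer kernel: the module is named nf_conntrack_ftp, and since Linux 4.7 the kernel no longer attaches helpers to connections automatically (the `net.netfilter.nf_conntrack_helper` sysctl defaults to off and was removed in 6.0), so the control connection also needs an explicit assignment in the raw table, `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, before RELATED will ever match a data connection.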