Problem with connection-tracking and FTP

Hi everybody.
 
I am working on a little firewall script. Everything works just fine, but I don't get the FTP protocol working.
 
I call these two functions to get FTP working:
 
# ==================================
FTP()
{
    ebegin "Setting rules for active/passive FTP"
 
    # Port 21
 
    iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 
    # active
    iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
 
    # passive
    iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
 
    eend $?
}
 

# ==================================
loadmodules()
{
    ebegin "Trying to load needed modules"
 
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_filter
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ipt_ULOG
    eend $?
}
 
And here is my start function:
# ==================================
start()
{
    ebegin "Starting Firewall"
 
    loadmodules
 
    einfo "Setting default rules to drop"
    iptables -F
    iptables -X
    iptables -Z
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
 
    iptables -P FORWARD DROP
    iptables -P INPUT   DROP
    iptables -P OUTPUT  DROP
 
    acceptlocal
    portscan
    proc
    iana
    illigalpackages
    spoofing
    FTP
 
    # set rules
    InOutTCP
    InTCP
    OutTCP
    InOutUDP
    InUDP
    OutUDP
 
    # Allow the clients to route through NAT (Network Address Translation)
    iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
    echo "1" > /proc/sys/net/ipv4/ip_forward
 
    eend $? "Failed to start Firewall"
}
 
 
And here are the ports I allow with the functions InOut*, In*, Out*, ...:
 
# TCP in+out
#
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
 
# TCP out
#
# 5190 = ICQ
#
TCP_OUT="5190 http https irc 25 ftp ftp-data"
 
# TCP in
#
TCP_IN=""
 
# UDP in+out
#
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
 
# UDP out
#
UDP_OUT="https irc"
 
# UDP in
#
UDP_IN=""
 
 
Oh, and here are some important functions:
 
# ==================================
InOutTCP()
{
    ebegin "Allowing in and outbound TCP-traffic"
 
    for i in ${TCP_IN_OUT}
    do
        einfo "   <-> Setting TCP in and out rules for ${i}"
 
        iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} --dport 1024: -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
 
        iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d ${LAN} -m state --state ESTABLISHED,RELATED
    done
 
    eend $?
}
 
# ==================================
OutTCP()
{
    ebegin "Allowing outbound TCP-traffic"
 
    for i in ${TCP_OUT}
    do
        einfo "   <-> Setting TCP out rules for ${i}"
 
        iptables -A OUTPUT -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
        iptables -A INPUT  -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD  -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d ${LAN} -m state --state ESTABLISHED,RELATED
    done
 
    eend $?
}
 
I hope somebody can help me.
 
Thanks, Christian Gmeiner
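As an added example (not code from the post above), here is a self-contained sketch of what FTP through a masquerading iptables box needs: the conntrack FTP helper plus the NAT FTP helper, and state-only rules for the data connection, because the data port is negotiated at run time. EXT_INT and LAN are the variable names used in the post; their default values, the IPT/MODPROBE wrappers and the dry-run behaviour are assumptions. By default the script only prints the commands; run it as root with IPT=iptables MODPROBE=/sbin/modprobe to load them.

```shell
#!/bin/sh
# Added example, not from the original post. EXT_INT and LAN are the
# post's variable names; their defaults and the IPT/MODPROBE wrappers
# are assumptions. With the defaults the script only prints commands.

EXT_INT="${EXT_INT:-eth0}"              # assumed external interface
LAN="${LAN:-192.168.0.0/24}"            # assumed LAN network
IPT="${IPT:-echo iptables}"             # dry run by default
MODPROBE="${MODPROBE:-echo modprobe}"   # dry run by default

ftp_modules() {
    # ip_conntrack_ftp watches the control connection for PORT/PASV and
    # registers the announced data connection as an expectation, so its
    # first packet is classified RELATED instead of NEW.
    # ip_nat_ftp is required as soon as the control connection is
    # masqueraded: the helper has to rewrite the address and port that
    # the LAN client embeds in the PORT command.
    for m in ip_tables iptable_filter iptable_nat \
             ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
    # For an FTP server on a non-standard port the helper must be told,
    # e.g. "modprobe ip_conntrack_ftp ports=21,2121".
}

ftp_rules() {
    # Control connection (port 21) from the firewall host itself.
    $IPT -A OUTPUT  -o "$EXT_INT" -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT   -i "$EXT_INT" -p tcp --sport 21 \
        -m state --state ESTABLISHED -j ACCEPT

    # Control connection from masqueraded LAN clients.
    $IPT -A FORWARD -o "$EXT_INT" -s "$LAN" -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_INT" -d "$LAN" -p tcp --sport 21 \
        -m state --state ESTABLISHED -j ACCEPT

    # Data connections. Active mode: the server opens server:20 ->
    # client:<port from PORT>. Passive mode: the client opens
    # client:high -> server:<port from PASV>. The port on our side is
    # chosen at run time, so no --dport/--sport rule can express it;
    # match on conntrack state only and let the helper decide what is
    # RELATED. Without these four rules passive transfers from the LAN
    # never get through FORWARD, even with the helper loaded.
    $IPT -A INPUT   -i "$EXT_INT" -p tcp \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT  -o "$EXT_INT" -p tcp \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_INT" -d "$LAN" -p tcp \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -o "$EXT_INT" -s "$LAN" -p tcp \
        -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Masquerade the LAN; ip_nat_ftp fixes up the FTP payload on top.
    $IPT -t nat -A POSTROUTING -o "$EXT_INT" -s "$LAN" -j MASQUERADE
}

# Number of rules that depend on the helper marking packets RELATED;
# useful for checking a dry-run rule set.
related_rule_count() {
    ftp_rules | grep -c -- '--state RELATED,ESTABLISHED'
}

ftp_modules
ftp_rules
```

To confirm the helper is actually doing its job, start a transfer and look at /proc/net/ip_conntrack_expect: an entry for the negotiated data port should appear right after the PORT or PASV command, and the data connection's first packet will then match RELATED. Note what the RELATED rule on INPUT/FORWARD does in active mode: it accepts an inbound connection from the server, but only to the address and port the client announced in its PORT command, nothing else. On kernels that use nf_conntrack the modules are named nf_conntrack_ftp and nf_nat_ftp, and since kernel 4.7 helpers are no longer assigned automatically, so the control connection must be tagged explicitly, e.g. with iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp.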
 
 
