It would appear you are assuming the FTP server will choose port 1024 for passive mode FTP. This is not correct, as it may choose any unprivileged port up to 65535. That is one problem you are having. Also, check your syntax for "passive mode". You have made an error with some unneeded colons (:).

Here is a good rule set that will permit all FTP operations, active and passive:
######################
# FTP SERVICES
######################
# $IPT, $FW_INET_IFACE, $LOG_LEVEL and the user chain TCP_RULES are defined
# elsewhere in the script these rules come from. The rules are written from
# the point of view of a host that RUNS an FTP server: the control
# connection arrives on port 21 of the Internet interface.
UNPRIVPORTS="1024:65535"

# CONTROL PORT (Active & Passive Mode): clients connect to port 21
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp \
    --source-port $UNPRIVPORTS --destination-port 21 \
    -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP ACCESS -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp \
    --source-port $UNPRIVPORTS --destination-port 21 \
    -m state --state NEW -j ACCEPT

# DATA PORT (Active Mode): the server itself opens the data connection,
# from port 20 to the unprivileged port the client named in its PORT command
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp \
    --source-port 20 --destination-port $UNPRIVPORTS \
    -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP A-DATA -> "
$IPT -t filter -A TCP_RULES -o $FW_INET_IFACE -p tcp \
    --source-port 20 --destination-port $UNPRIVPORTS \
    -m state --state NEW -j ACCEPT

# DATA PORT (Passive Mode): the client connects to whichever unprivileged
# port the server announced in its 227 reply. Matching NEW here admits
# inbound connections to every port from 1024 to 65535 on this interface;
# with ip_conntrack_ftp loaded, these data connections are classified
# RELATED to the control session and can be matched with --state RELATED.
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp \
    --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS \
    -m state --state NEW -j LOG --log-level $LOG_LEVEL --log-prefix "FTP P-DATA -> "
$IPT -t filter -A TCP_RULES -i $FW_INET_IFACE -p tcp \
    --source-port $UNPRIVPORTS --destination-port $UNPRIVPORTS \
    -m state --state NEW -j ACCEPT

From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Christian Gmeiner
Sent: Tuesday, January 20, 2004 8:01 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Problem with connection-tracking and FTP

Hi everybody.
I am working on a little firewall script. Everything works just fine, but I don't get the FTP protocol working. I call these two functions to get FTP working:
# ==================================
FTP() {
    ebegin "Setting rules for active/passive FTP"
    # Port 21: control connection, this host is the FTP client
    iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # active: the server connects back from port 20; ip_conntrack_ftp
    # classifies that first SYN as RELATED to the control connection
    iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # passive: this host connects to the port the server announced;
    # "1024:" is the iptables range syntax for ports 1024 through 65535
    iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    # these rules cover the firewall host itself only; masqueraded LAN
    # clients would need matching rules in the FORWARD chain
    eend $?
}
# ==================================
loadmodules() {
    ebegin "Trying to load needed modules"
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_filter
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    # ip_nat_ftp is required as well because start() masquerades the LAN:
    # it rewrites the addresses inside PORT/PASV for NATed clients
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ipt_ULOG
    eend $?
}

And here is my start function:
# ==================================
start() {
    ebegin "Starting Firewall"
    loadmodules
    einfo "Setting default rules to drop"
    iptables -F
    iptables -X
    iptables -Z
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    # -F without -t only flushes the filter table; flush nat as well so a
    # restart does not stack another MASQUERADE rule on top of the old one
    iptables -t nat -F
    iptables -P FORWARD DROP
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    acceptlocal
    portscan
    proc
    iana
    illigalpackages
    spoofing
    FTP
    # set rules
    InOutTCP
    InTCP
    OutTCP
    InOutUDP
    InUDP
    OutUDP
    # Allow the clients to route through NAT (Network Address Translation)
    iptables -t nat -A POSTROUTING -o ${EXT_INT} -j MASQUERADE
    echo "1" > /proc/sys/net/ipv4/ip_forward
    eend $? "Failed to start Firewall"
}

And here are the ports I allow with the functions InOut*, In*, Out*, ...:
# TCP in+out
TCP_IN_OUT="ssh 10000 smtp pop3 http https"
# TCP out
# 5190 = ICQ
TCP_OUT="5190 http https irc 25 ftp ftp-data"
# TCP in
TCP_IN=""
# UDP in+out
UDP_IN_OUT="domain ssh 10000 pop3 ssh"
# UDP out
UDP_OUT="https irc"
# UDP in
UDP_IN=""

Oh, and here are some important functions:
# ==================================
InOutTCP() {
    ebegin "Allowing in- and outbound TCP traffic"
    for i in ${TCP_IN_OUT}
    do
        einfo " <-> Setting TCP \"in\" and \"out\" rules for ${i}"
        # inbound: remote client -> this host or a LAN host on port ${i}
        iptables -A INPUT   -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A OUTPUT  -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} --dport 1024: -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
        # outbound: this host or a LAN host -> remote server on port ${i}
        iptables -A OUTPUT  -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A INPUT   -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport ${i} -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport ${i} -d ${LAN} -m state --state ESTABLISHED,RELATED
    done
    eend $?
}
# ==================================
OutTCP() {
    ebegin "Allowing outbound TCP traffic"
    for i in ${TCP_OUT}
    do
        einfo " <-> Setting TCP \"out\" rules for ${i}"
        # outbound only: this host or a LAN host -> remote server on port $i
        iptables -A OUTPUT  -j ACCEPT -o ${EXT_INT} -p tcp --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
        iptables -A INPUT   -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -m state --state ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -o ${EXT_INT} -p tcp -s ${LAN} --sport 1024: --dport $i -m state --state NEW,ESTABLISHED,RELATED
        iptables -A FORWARD -j ACCEPT -i ${EXT_INT} -p tcp --sport $i -d ${LAN} -m state --state ESTABLISHED,RELATED
    done
    eend $?
}

I hope somebody can help me.
Thanks, Christian Gmeiner
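Both rule sets in this thread leave two things implicit: how the kernel's FTP helper learns which data connection to expect, and what a masquerading gateway such as the one in the start() function above needs so that LAN clients get the same treatment as the firewall host. The following is an added example written for this page, not code from either poster. It decodes the endpoint carried in a PORT command or a 227 PASV reply the way the conntrack helper does, and generates a rule set that admits data connections only as RELATED rather than trusting any fixed data port. It goes beyond the thread by including FORWARD rules for the LAN and loading ip_nat_ftp. IPT, MODPROBE, EXT_IF and LAN are placeholder names chosen here, and the sample PORT/PASV lines are constructed, not captured traffic. By default it only prints the iptables commands (IPT defaults to "echo iptables"); set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# IPT, MODPROBE, EXT_IF and LAN are placeholder names; the defaults print
# the commands instead of executing them, so the script is safe to run as-is.
IPT="${IPT:-echo iptables}"           # set IPT=iptables (as root) to apply
MODPROBE="${MODPROBE:-echo modprobe}"
EXT_IF="${EXT_IF:-eth0}"              # Internet-facing interface
LAN="${LAN:-192.168.1.0/24}"          # masqueraded LAN behind the firewall

# Decode the data-connection endpoint the FTP helper extracts from the
# control channel. Both forms carry six decimal numbers:
#   client -> server: "PORT h1,h2,h3,h4,p1,p2"                         (active)
#   server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"   (passive)
# The port is p1*256 + p2, so a passive server can announce anything up to
# 65535; a rule cannot assume a fixed port such as 1024.
# Prints "host port" on success; returns 1 if the line carries no endpoint.
ftp_data_endpoint() {
    set -- $(printf '%s\n' "$1" \
        | sed -n 's/.*[^0-9]\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\).*/\1/p' \
        | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# Connection tracking alone is not enough once the LAN is masqueraded:
# ip_nat_ftp rewrites the addresses inside PORT/PASV for NATed clients.
load_ftp_modules() {
    for m in ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$m"
    done
}

# Rule set for a firewall that is itself an FTP client (INPUT/OUTPUT) and
# forwards FTP for LAN clients (FORWARD). Only the control connection is
# admitted as NEW; every data connection, active or passive, is admitted
# only after the helper has classified its first packet as RELATED.
ftp_rules() {
    # Control channel: client -> server port 21
    $IPT -A OUTPUT  -o "$EXT_IF" -p tcp --sport 1024: --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -o "$EXT_IF" -s "$LAN" -p tcp --sport 1024: --dport 21 -m state --state NEW -j ACCEPT

    # Active mode: the server connects back from port 20 to the port named
    # in the client's PORT command
    $IPT -A INPUT   -i "$EXT_IF" -p tcp --sport 20 --dport 1024: -m state --state RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -d "$LAN" -p tcp --sport 20 --dport 1024: -m state --state RELATED -j ACCEPT

    # Passive mode: the client connects to the port from the server's 227
    # reply; "1024:" is the range 1024 through 65535
    $IPT -A OUTPUT  -o "$EXT_IF" -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ACCEPT
    $IPT -A FORWARD -o "$EXT_IF" -s "$LAN" -p tcp --sport 1024: --dport 1024: -m state --state RELATED -j ACCEPT

    # Remaining packets of connections accepted above, both directions
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -p tcp -m state --state ESTABLISHED -j ACCEPT
    done
}

# Constructed sample lines (not captured traffic) showing the data
# connection the helper will expect for each mode
ftp_data_endpoint 'PORT 192,168,1,10,4,1'                            # 192.168.1.10 1025
ftp_data_endpoint '227 Entering Passive Mode (203,0,113,7,195,89)'   # 203.0.113.7 50009

load_ftp_modules
ftp_rules
```

The generic ESTABLISHED rules at the end are deliberately placed after the NEW/RELATED ones so that reading the output top to bottom matches the order in which a session unfolds; in a production script they would normally come first, before any per-service rule, since they match the bulk of the traffic.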