RE: Allow active and passive FTP connections


This is one of the first iptables firewalls I made (2-3 years ago) and
it does exactly that.
Let me know if it works for you, thanks.

#!/bin/sh

fw_start() {
#######################################
# STEP 1 - SET VARIABLES
#######################################
# YOUR LOCAL LOOPBACK DEVICE
LB="lo"
# YOUR PRIVATE INTERFACE
LAN="eth0"
# YOUR PRIVATE LAN IP
LIP="192.168.0.253"
# YOUR LOCAL AREA NETWORK
LSAT="192.168.0.0/24"
# YOUR INTERNET INTERFACE
INET="eth1"
# THE PATH TO IPTABLES
IPTABLES="/usr/sbin/iptables"
#######################################
# STEP 2 - TURN ON IP FORWARDING AND LOAD THE FTP HELPER
#######################################
echo "1" > /proc/sys/net/ipv4/ip_forward
# THE FTP CONNTRACK HELPER IS WHAT MAKES ACTIVE AND PASSIVE FTP
# DATA CONNECTIONS MATCH RELATED IN STEP 9
modprobe ip_conntrack_ftp
#######################################
# STEP 3 - FLUSH EXISTING RULES
#######################################
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
# FLUSH NAT AS WELL, OTHERWISE EVERY START ADDS ANOTHER MASQUERADE RULE
$IPTABLES -t nat --flush POSTROUTING
#######################################
# STEP 4 - SET DEFAULT POLICIES
#######################################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################
# STEP 5 - CREATE DEFAULT BLOCK CHAIN
#######################################
$IPTABLES -N BLOCK
$IPTABLES -A BLOCK -j LOG --log-level 3 --log-prefix "BLOCK: "
$IPTABLES -A BLOCK -j DROP
#######################################
# STEP 6 - SETUP MASQUERADING
#######################################
$IPTABLES -t nat -A POSTROUTING -o $INET -j MASQUERADE
#######################################
# STEP 7 - ALLOW LOCAL ENTITIES
#######################################
# ALLOW LOOPBACK
$IPTABLES -A INPUT -i $LB -j ACCEPT
# ALLOW LOCAL AREA NETWORK
$IPTABLES -A INPUT -i $LAN -s $LSAT -j ACCEPT
#######################################
# STEP 8 - ALLOW SPECIFIC TRAFFIC
#######################################
# EXAMPLE OF WHERE AND HOW TO ALLOW INBOUND TRAFFIC (FTP CONTROL AND SSH).
$IPTABLES -A INPUT -i $INET -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp --dport 22 -j ACCEPT
#######################################
# STEP 9 - ALLOW IN WHAT WE SEND OUT
#######################################
# ESTABLISHED COVERS REPLIES; RELATED COVERS THE FTP DATA CONNECTIONS
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#######################################
# STEP 10 - DENY EVERYTHING NOT ALLOWED
#######################################
$IPTABLES -A INPUT -j BLOCK
#######################################
}

fw_stop() {
IPTABLES="/usr/sbin/iptables"
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
$IPTABLES -t nat --flush POSTROUTING
$IPTABLES --flush BLOCK
$IPTABLES --delete-chain BLOCK
}

fw_restart() {
  fw_stop
  fw_start
}

case "$1" in
'start')
  fw_start
  ;;
'stop')
  fw_stop
  ;;
'restart')
  fw_restart
  ;;
*)
  echo "usage: $0 start|stop|restart"
  exit 1
  ;;
esac
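
As an added example (not the script above and not from either poster): a host-only firewall in the same style that does what Sagara asks for, accepting new connections only for FTP and ssh and relying on the FTP connection-tracking helper so that both active and passive data connections match RELATED. The interface name, the module names and the raw-table helper assignment for newer kernels are assumptions; IPTABLES and MODPROBE can be overridden with echo for a dry run.

```shell
#!/bin/sh
# Added example, not the poster's script: a host firewall that exposes
# only FTP (active and passive) and ssh. IPTABLES and MODPROBE can be
# overridden from the environment (e.g. IPTABLES=echo) for a dry run.
IPTABLES="${IPTABLES:-/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
INET="${INET:-eth0}"   # assumed name of the internet-facing interface

fw_start() {
    # The FTP conntrack helper parses PORT/PASV on the control connection so
    # the data connection (server->client from port 20 for active, client->
    # server high port for passive) is tracked as RELATED. The module name
    # depends on the kernel generation.
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
    # Kernels 4.7 and later no longer attach helpers automatically, so bind
    # the helper to the control port in the raw table. Older iptables has no
    # CT target; that failure is ignored.
    $IPTABLES -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp \
        2>/dev/null || true

    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP     # not a router, nothing is forwarded
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT

    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to what we sent, plus helper-tracked FTP data connections.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only these two services accept new connections from outside.
    $IPTABLES -A INPUT -i "$INET" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$INET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # Log, then drop, everything else.
    $IPTABLES -A INPUT -j LOG --log-level 3 --log-prefix "BLOCK: "
    $IPTABLES -A INPUT -j DROP
}

fw_stop() {
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -t raw -F PREROUTING 2>/dev/null || true
}

case "$1" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
esac
```

Running it as IPTABLES=echo MODPROBE=echo ./fw.sh start prints the rules instead of loading them, which is a convenient way to review the rule order before applying it.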


-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Sagara
Wijetunga
Sent: Monday, June 21, 2004 6:57 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: RE: Allow active and passive FTP connections

--- Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> Are you sure, you run the kernel indicated?
> 
uname -a
Linux svr1.myDomain 2.6.7 ...

> How did you compile iptables-1.2.10? There was a bug
> introduced in
> linux-2.6.7, which prevented anyone to compile the
> iptables source
> using linux-2.6.7.
> 
I exported the variable CC before I compile iptables
as follows:

CC="gcc -D__user= "
export CC

make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man KERNEL_DIR=/usr/src/linux-2.6.7 \
  >& iptables-make.log

make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man KERNEL_DIR=/usr/src/linux-2.6.7 install \
  >& iptables-install.log

Anyway, my problem has nothing to do with Linux kernel
2.6.7. The RELATED did not work on kernel 2.6.5 and
iptables 1.2.9. That's why I upgraded the kernel and
the iptables.

> > > You should post the complete list of your rules
> in
> > > all of the tables.
> > >
> > 	/sbin/iptables -P INPUT DROP
> > 	/sbin/iptables -P FORWARD DROP
> > 	/sbin/iptables -P OUTPUT DROP
> 
> What about the nat/mangle/raw tables?
> 
I do not use NAT. It does not operate as a router.
Therefore, no IP forwarding. It's not connected to any
office LAN. Access is only through eth0.

I'm not sure about mangle and raw tables. My intention
is to allow access only to the services I offer.

Do I have to use mangle and raw tables? 

Could you kindly write for me a complete iptables
firewall allowing access ONLY to the FTP and ssh? I
know this is a crazy request. But I can implement it
on my server and test. So our test firewall should be
able to accept active as well as passive FTP client
connections for file upload and download and ssh
access for me to manipulate the server.

Kind regards
Sagara

