Thanks a lot for all the details, but I still get some problems. As I
said, all the netfilter source code is compiled into a custom kernel
without any modules.
Concerning the little iptables script I have written, I updated it with
your comments and now I have the following script:
[snip]
if [ "$CONN_TRACK" = "1" ]; then
    $fw -A INPUT -m state --state ESTABLISHED -j ACCEPT
    $fw -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
    $fw -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    $fw -A INPUT -p icmp -m state --state RELATED -j ACCEPT
fi
Add these too:
    $fw -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
    $fw -A FORWARD -p icmp -m state --state RELATED -j ACCEPT
... but the connection takes a long time to establish. If I disable all the rules, the ftp connection goes through directly, but with iptables enabled it takes about 8 seconds to complete the anonymous login (with both active data port and passive modes).
What is this all about?
You could use a bit of logging. Add these as last rules (at the very end of your script):
iptables -A INPUT -j LOG --log-prefix "INPUT "
iptables -A OUTPUT -j LOG --log-prefix "OUTPUT "
iptables -A FORWARD -j LOG --log-prefix "FORWARD "
Logs will go wherever your kernel logs go. Usually /var/log/messages.
Since these will be at the end of your rules, they will log all packets dropped by policy just before they are dropped. My guess is that you will either find TCP SYN packets to port 113 (ident) or UDP packets to port 53 (DNS).
To silently disable ident (incoming and outgoing) on the FTP server, you could do something like this (you can add a line for FORWARDED packets, if you wish):
iptables -A INPUT -p tcp --sport 1024: --dport 113 \
    -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 1024: --dport 113 \
    -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 --dport 1024: \
    -m state --state RELATED -j ACCEPT
If you want your FTP server to be able to resolve names and reverse lookup IP addresses:
iptables -A OUTPUT -p udp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 53 \
    -m state --state NEW -j ACCEPT
(you can add IP address(es) of your DNS server(s) there)
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
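To make sense of the LOG output the reply above recommends, here is an added example (not part of this thread and not from the list poster) that parses kernel LOG lines and counts, per chain, whether the packets about to be dropped are the suspected ident (tcp/113) or DNS (port 53) traffic. The sample lines are constructed in the KEY=VALUE style the LOG target writes to /var/log/messages.

```python
import re
from collections import Counter

# Constructed sample lines in the format the LOG target writes to
# /var/log/messages (host name, MAC field and some fields abbreviated).
SAMPLE_LOG = """\
Jan  5 10:01:02 fw kernel: INPUT IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=34567 DPT=113 WINDOW=5840 SYN URGP=0
Jan  5 10:01:03 fw kernel: INPUT IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=34567 DPT=113 WINDOW=5840 SYN URGP=0
Jan  5 10:01:04 fw kernel: OUTPUT IN= OUT=eth0 SRC=10.0.0.1 DST=10.0.0.53 LEN=61 PROTO=UDP SPT=33000 DPT=53 LEN=41
Jan  5 10:01:05 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=10.0.0.1 LEN=52 PROTO=TCP SPT=40000 DPT=21 SYN URGP=0
Jan  5 10:01:06 fw kernel: INPUT IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

# The chain name comes from the --log-prefix used in the reply ("INPUT " etc.).
LINE_RE = re.compile(r"kernel: (?P<chain>INPUT|OUTPUT|FORWARD) (?P<rest>.*)$")

def parse_log_line(line):
    """Return the LOG target's KEY=VALUE fields plus the chain prefix,
    or None if the line is not one of our LOG entries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m.group("chain")}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)            # keep the first LEN= (IP header), not UDP's
        else:
            fields.setdefault("FLAGS", []).append(tok)  # bare TCP flags: SYN, ACK, ...
    return fields

def classify(fields):
    """Map a logged packet to the cause the reply suspects (ident or DNS)."""
    proto, dpt = fields.get("PROTO"), fields.get("DPT")
    if proto == "TCP" and dpt == "113":
        return "ident"
    if proto in ("UDP", "TCP") and dpt == "53":
        return "dns"
    return "other"

def summarize(log_text):
    """Count logged packets per (chain, cause) over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f:
            counts[(f["CHAIN"], classify(f))] += 1
    return counts

if __name__ == "__main__":
    for (chain, cause), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:8s} {cause:6s} {n}")
```

Run it against the real file (e.g. `summarize(open("/var/log/messages").read())`) once the three catch-all LOG rules are in place; a pile of INPUT/ident or OUTPUT/dns entries points at the delay the original poster describes.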