On Wed, 2004-08-25 at 16:13, Aleksandar Milivojevic wrote:
> Vincent Blondel wrote:
> > Thanks a lot for all the details but I still get some problems. As I
> > said, all the netfilter source code is compiled into a custom kernel
> > without any modules.
> >
> > Concerning the little iptables script I have written, I updated it with
> > your comments and now I get the following script
>
> [snip]
>
> > if [ "$CONN_TRACK" = "1" ]; then
> >     $fw -A INPUT -m state --state ESTABLISHED -j ACCEPT
> >     $fw -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
> >     $fw -A FORWARD -m state --state ESTABLISHED -j ACCEPT
> >     $fw -A INPUT -p icmp -m state --state RELATED -j ACCEPT
> > fi
>
> Add these too:
>
> $fw -A OUTPUT -p icmp -m state --state RELATED -j ACCEPT
> $fw -A FORWARD -p icmp -m state --state RELATED -j ACCEPT
>
> > ... but the connection takes a long time to terminate. If I disable all
> > the rules, the ftp connection goes directly, but with iptables enabled it
> > takes some 8 seconds to accomplish the anonymous connection (with
> > data port and passive modes).
> >
> > What is this all about ???
>
> You could use a bit of logging. Add these as last rules (at the very
> end of your script):
>
> iptables -A INPUT -j LOG --log-prefix "INPUT "
> iptables -A OUTPUT -j LOG --log-prefix "OUTPUT "
> iptables -A FORWARD -j LOG --log-prefix "FORWARD "
>
> Logs will go wherever your kernel logs go. Usually /var/log/messages.
>
> Since these will be at the end of your rules, they will log all packets
> dropped by policy just before they are dropped. My guess is that you
> will either find TCP SYN packets to port 113 (ident) or UDP packets to
> port 53 (DNS).
>
> To silently disable ident (incoming and outgoing) on the FTP server, you
> could do something like this (you can add a line for FORWARDED packets, if
> you wish):
>
> iptables -A INPUT -p tcp --sport 1024: --dport 113 \
>     -j REJECT --reject-with tcp-reset
> iptables -A OUTPUT -p tcp --sport 1024: --dport 113 \
>     -j REJECT --reject-with tcp-reset
> iptables -A OUTPUT -p tcp --sport 113 --dport 1024: \
>     -m state --state RELATED -j ACCEPT
>
> If you want your FTP server to be able to resolve names and reverse
> lookup IP addresses:
>
> iptables -A OUTPUT -p udp --sport 1024: --dport 53 \
>     -m state --state NEW -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 1024: --dport 53 \
>     -m state --state NEW -j ACCEPT
>
> (you can add IP address(es) of your DNS server(s) there)

This is the result from /var/log/sys.log on my firewall with logging enabled, without anything else changed.

Aug 25 16:56:20 lfs kernel: device eth0 entered promiscuous mode
Aug 25 16:56:23 lfs kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.125.1 DST=192.168.124.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10297 DF PROTO=TCP SPT=33306 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 16:56:26 lfs kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.125.1 DST=192.168.124.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10298 DF PROTO=TCP SPT=33306 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 16:56:32 lfs kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.125.1 DST=192.168.124.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10299 DF PROTO=TCP SPT=33306 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 16:56:37 lfs kernel: device eth0 left promiscuous mode
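An added example, not part of the thread: a POSIX shell/awk helper that summarises the catch-all LOG lines by chain, protocol and destination port, and tags the two ports the reply names (TCP 113 ident, 53 DNS) so the policy-dropped traffic can be matched to a service. The sample input is the three FORWARD lines from the log above plus one constructed OUTPUT/UDP/53 line; the function name is mine.

```shell
#!/bin/sh
# Summarise iptables "INPUT "/"OUTPUT "/"FORWARD " LOG lines (the catch-all
# rules placed at the end of the chains) by chain, protocol and DPT, so the
# packets dropped by policy can be matched to a known service.

# Constructed sample: the three FORWARD lines from the thread's log, plus
# one made-up OUTPUT line for a DNS query (not from the original post).
SAMPLE_LOG='Aug 25 16:56:23 lfs kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.125.1 DST=192.168.124.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10297 DF PROTO=TCP SPT=33306 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 16:56:26 lfs kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.125.1 DST=192.168.124.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10298 DF PROTO=TCP SPT=33306 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 16:56:32 lfs kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.125.1 DST=192.168.124.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10299 DF PROTO=TCP SPT=33306 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 25 16:57:01 lfs kernel: OUTPUT IN= OUT=eth0 SRC=192.168.124.1 DST=192.168.124.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32768 DPT=53 LEN=40'

# summarise_drops: read kernel log lines on stdin and print one line per
# distinct "CHAIN PROTO DPT" seen: "CHAIN PROTO DPT COUNT [SYN] HINT".
# Usage on a live box: summarise_drops < /var/log/messages
summarise_drops() {
    awk '
        / kernel: (INPUT|OUTPUT|FORWARD) / {
            chain = ""; proto = ""; dpt = ""; syn = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "INPUT" || $i == "OUTPUT" || $i == "FORWARD") chain = $i
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i == "SYN")    syn = 1   # TCP connection attempt
            }
            if (chain == "" || proto == "") next
            key = chain " " proto " " (dpt == "" ? "-" : dpt)
            count[key]++
            if (syn) syns[key]++
        }
        END {
            for (k in count) {
                split(k, f, " ")
                hint = "unknown"
                if (f[2] == "TCP" && f[3] == "113") hint = "ident"
                else if (f[3] == "53")              hint = "dns"
                else if (f[2] == "TCP" && f[3] == "21") hint = "ftp-control"
                printf "%s %d%s %s\n", k, count[k], (syns[k] ? " SYN" : ""), hint
            }
        }' | sort
}
```

Run against the log in the post, the ident line is the only one that appears, which is what the reply predicted and what the FORWARD variant of the REJECT rule is meant to silence.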