[NTLUG:Discuss] ftp problems through firewall

Rick Matthews RedHat.Linux at verizon.net
Fri Mar 1 07:28:20 CST 2002


> I'm new. How would I force ftp to run in passive mode?

Same way as the old-timers. ;-)

CYFCD (Check Your FTP Client Documentation; very similar to RTFM)

man ftp
man gftp
man ncftp
man sftp
man tftp
man wget

(For ftp it's "-p", for wget it's "--passive-ftp")


-----Original Message-----
From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org] On Behalf Of Raymond Norton
Sent: Thursday, February 28, 2002 9:49 PM
To: discuss at ntlug.org
Subject: Re: [NTLUG:Discuss] ftp problems through firewall


I'm new. How would I force ftp to run in passive mode?


> Try allowing port 20 through the firewall in addition to 21.  If that
> does not work, try running ftp in passive mode.
>
> On Thu, 2002-02-28 at 20:59, Raymond Norton wrote:
>> I have an iptable script running on my RedHat 7.1 box. It works great
>> running my laptop through it for everything except when I try to
>> access ftp servers on the outside. I am able to connect, but I cannot
>> issue any commands without getting an error: "Cannot connect to
>> (outside interface):1294"
>>
>> Any ideas how to resolve this? I have attached the script as I run it.
>> --
>> Raymond Norton
>> Little Crow Telemedia Network
>> 320-234-0270
>>
>> ----
>>
>
>> #!/bin/sh
>> #
>> # rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and iptables
>> #
>> # Copyright (C) 2001  Oskar Andreasson <blueflux at koffein.net>
>> #
>> # This program is free software; you can redistribute it and/or modify
>> # it under the terms of the GNU General Public License as published by
>> # the Free Software Foundation; version 2 of the License.
>> #
>> # This program is distributed in the hope that it will be useful,
>> # but WITHOUT ANY WARRANTY; without even the implied warranty of
>> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
>> # GNU General Public License for more details.
>> #
>> # You should have received a copy of the GNU General Public License
>> # along with this program or from the site that you downloaded it
>> # from; if not, write to the Free Software Foundation, Inc., 59 Temple
>> # Place, Suite 330, Boston, MA  02111-1307   USA
>> #
>>
>> ###########################################################################
>> #
>> # 1. Configuration options.
>> #
>>
>> ###########################################################################
>> #
>> # Local Area Network configuration.
>> #
>> # your LAN's IP range and localhost IP. /24 means to only use the first 24
>> # bits of the 32 bit IP address. the same as netmask 255.255.255.0
>> #
>>
>> LAN_IP="192.168.0.1"
>> LAN_IP_RANGE="192.168.0.0/24"
>> # Note: the broadcast address of 192.168.0.0/24 is 192.168.0.255; the value
>> # below lies outside LAN_IP_RANGE, so the broadcast ACCEPT rule never matches.
>> LAN_BCAST_ADRESS="192.168.255.255"
>> LAN_IFACE="eth1"
>>
>> ###########################################################################
>> #
>> # Localhost Configuration.
>> #
>>
>> LO_IFACE="lo"
>> LO_IP="127.0.0.1"
>>
>> ###########################################################################
>> #
>> # Internet Configuration.
>> #
>> # INET_IP must hold this box's Internet-facing address. The SNAT rule and
>> # the INPUT/OUTPUT rules below pass it to iptables unquoted; when it is
>> # empty the shell drops the argument and those commands fail.
>>
>> INET_IP=""
>> INET_IFACE="eth0"
>>
>> ###########################################################################
>> #
>> # IPTables Configuration.
>> #
>>
>> IPTABLES="/sbin/iptables"
>>
>> ###########################################################################
>> #
>> # 2. Module loading.
>> #
>>
>> #
>> # Needed to initially load modules
>> #
>> /sbin/depmod -a
>>
>> #
>> # Adds some iptables targets like LOG, REJECT and MASQUERADE.
>> #
>> /sbin/modprobe ip_conntrack
>> /sbin/modprobe ip_tables
>> /sbin/modprobe iptable_filter
>> /sbin/modprobe iptable_mangle
>> /sbin/modprobe iptable_nat
>> /sbin/modprobe ipt_LOG
>> #/sbin/modprobe ipt_REJECT
>> #/sbin/modprobe ipt_MASQUERADE
>>
>> #
>> # Support for owner matching
>> #
>> #/sbin/modprobe ipt_owner
>>
>> #
>> # Support for connection tracking of FTP and IRC.
>> #
>> # ip_conntrack_ftp reads PORT/PASV on the control channel so that the data
>> # connection is matched as RELATED. LAN clients behind the SNAT rule below
>> # that use active mode additionally need ip_nat_ftp, which rewrites the
>> # private address inside their PORT command.
>> /sbin/modprobe ip_conntrack_ftp
>> /sbin/modprobe ip_conntrack_irc
>>
>> ###########################################################################
>> #
>> # 3. /proc set up.
>> #
>> # Enable ip_forward if you have two or more networks, including the
>> # Internet, that needs forwarding of packets through this box. This is
>> # critical since it is turned off as default in Linux.
>> #
>>
>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>> #
>> # Dynamic IP users:
>> #
>> #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>>
>> ###########################################################################
>> #
>> # 4. IPTables rules set up.
>> #
>> # Set default policies for the INPUT, FORWARD and OUTPUT chains.
>> #
>>
>> $IPTABLES -P INPUT DROP
>> $IPTABLES -P OUTPUT DROP
>> $IPTABLES -P FORWARD DROP
>>
>> #
>> # bad_tcp_packets chain
>> #
>> # Take care of bad TCP packets that we don't want.
>> #
>>
>> $IPTABLES -N bad_tcp_packets
>> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
>>      --log-prefix "New not syn:"
>> $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>>
>> #
>> # Do some checks for obviously spoofed IP's
>> #
>>
>> $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
>> $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
>> $IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP
>>
>> #
>> # Enable simple IP Forwarding and Network Address Translation
>> #
>>
>> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
>>
>> #
>> # Bad TCP packets we don't want
>> #
>>
>> $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
>>
>> #
>> # Accept the packets we actually want to forward
>> #
>>
>> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
>> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
>>      --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
>>
>> #
>> # Create separate chains for ICMP, TCP and UDP to traverse
>> #
>>
>> $IPTABLES -N icmp_packets
>> $IPTABLES -N tcp_packets
>> $IPTABLES -N udpincoming_packets
>>
>> #
>> # The allowed chain for TCP connections
>> #
>>
>> $IPTABLES -N allowed
>> $IPTABLES -A allowed -p TCP --syn -j ACCEPT
>> $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A allowed -p TCP -j DROP
>>
>> #
>> # ICMP rules
>> #
>>
>> # Changed rules totally
>> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>> $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>>
>> #
>> # TCP rules
>> #
>>
>> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
>> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
>> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>> $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
>>
>> #
>> # UDP ports
>> #
>>
>> # nondocumented commenting out of these rules
>> #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
>> #$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
>> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
>> $IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
>>
>> ##########################
>> # INPUT chain
>> #
>> # Bad TCP packets we don't want.
>> #
>>
>> $IPTABLES -A INPUT -p tcp -j bad_tcp_packets
>>
>> #
>> # Rules for incoming packets from the internet.
>> #
>>
>> $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
>> $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
>> $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
>>
>> #
>> # Rules for special networks not part of the Internet
>> #
>>
>> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
>> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
>> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
>> $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
>> $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
>> $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
>>      -j ACCEPT
>> $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
>>      --log-level DEBUG --log-prefix "IPT INPUT packet died: "
>>
>> ###############################
>> # OUTPUT chain
>> #
>> #
>> # Bad TCP packets we don't want.
>> #
>>
>> $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
>>
>> #
>> # Special OUTPUT rules to decide which IP's to allow.
>> #
>>
>> $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
>> $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
>> $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
>>
>> #
>> # Log weird packets that don't match the above.
>> #
>>
>> $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
>>      --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
> --
> Alton R. Pouncey, II


--
Raymond Norton
Little Crow Telemedia Network
320-234-0270
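An added example (not part of this thread, and not from the rc.firewall script quoted above) that shows why passive mode is the usual answer to an FTP-through-firewall problem: it decodes the PORT command and the 227 PASV reply to find out which side opens the data connection, and then models how the FORWARD chain of the quoted script treats that connection for a client on the LAN side. The sample control-channel lines are constructed; the chain model covers only the four FORWARD rules as posted and does not model the SNAT rule or an ip_nat_ftp helper.

```python
"""Added example for the thread above (not from the posts or the rc.firewall
script): decode the FTP PORT command and the 227 PASV reply, work out which
side opens the data connection, and show how the posted FORWARD chain treats
that connection for a client on the LAN side. All sample lines are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


# RFC 959 carries an address and port as six decimal octets: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field; the port is p1 * 256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % text)
    return Endpoint(".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5])


def plan_data_connection(control_line):
    """Say who opens the data connection and to where, from one control-channel line.

    Active mode: the client sends PORT and the *server* connects back to it
    (from port 20).  Passive mode: the client sends PASV, the server answers
    with a 227 reply, and the *client* connects out to the address it names.
    """
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        return {"mode": "active", "initiator": "server", "target": parse_hostport(line)}
    if line.startswith("227"):
        return {"mode": "passive", "initiator": "client", "target": parse_hostport(line)}
    raise ValueError("not a PORT command or a 227 reply: %r" % line)


def forward_verdict(plan, ftp_helper_loaded):
    """Model the posted FORWARD chain for the data connection of a LAN client.

    The chain, in order: accept anything arriving on LAN_IFACE, accept
    ESTABLISHED/RELATED, rate-limited LOG, then the DROP policy.
    """
    if plan["initiator"] == "client":
        # Passive: the client's SYN arrives on LAN_IFACE, so the first rule accepts it.
        return "ACCEPT (-i $LAN_IFACE)"
    # Active: the server's SYN arrives on INET_IFACE. It is NEW unless the
    # ip_conntrack_ftp helper saw the PORT command and flagged it RELATED.
    if ftp_helper_loaded:
        return "ACCEPT (--state ESTABLISHED,RELATED)"
    return "DROP (policy, after the 'IPT FORWARD packet died' LOG rule)"


if __name__ == "__main__":
    # Constructed sample lines; 5*256+14 = 1294 and 7*256+208 = 2000.
    for line in ("PORT 192,168,0,10,5,14",
                 "227 Entering Passive Mode (203,0,113,5,7,208)."):
        plan = plan_data_connection(line)
        print("%-45s %s mode, %s connects to %s:%d"
              % (line, plan["mode"], plan["initiator"],
                 plan["target"].host, plan["target"].port))
        for helper in (False, True):
            print("   ip_conntrack_ftp loaded=%-5s -> %s"
                  % (helper, forward_verdict(plan, helper)))
```

The model makes the trade-off visible: in passive mode the LAN client opens the data connection itself, so the plain `-i $LAN_IFACE -j ACCEPT` rule admits it with no helper at all, whereas in active mode the firewall must recognise an inbound connection from the server as RELATED, which depends on the connection-tracking helper having parsed the PORT command (and, behind SNAT, on that command's private address being rewritten). Passive mode is therefore the setting that needs the least from the firewall.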



_______________________________________________
http://www.ntlug.org/mailman/listinfo/discuss




