Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Problems with FTP access through an iptables firewall



Hi!

I have a netfilter script that looks like the one below.

The problem is that I cannot connect to remote FTP servers.

I am trying to prevent unsupervised access to HTTP and FTP servers by
forcing them to go via squid.

I can connect fine from the firewall itself.

But if I try from the other machines I get something like this:

ftp ftp.etellerandet
Connected to ftp.etellerandet.
220-FTP server ready.
220 This is a private system - No anonymous login
Name (ftp.etellerandet:jan): minbruger
331 User minbruger OK. Password required
Password:
230-User minbruger has group access to:  etellerandet
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> send *.php
local: index.php remote: index.php
227 Entering Passive Mode (xxx,xx,xxx,xx,xxx,xxx)
ftp: connect: Connection timed out

and the firewall says:

Mar 17 14:04:45 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.yy DST=xxx.xx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24079 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 14:04:48 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.yy DST=xxx.Xx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24080 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 14:04:54 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.yy DST=xxx.xx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24081 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 14:05:06 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.yy DST=xxx.xx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24082 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 14:05:30 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.yy DST=xxx.xx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24083 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 14:06:18 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.yy DST=xxx.xx.xxx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24084 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0


-------------------------------------------------------------------
#!/bin/sh
#
# Configure safe networking practices for Linux 2.4
#
# chkconfig: - 06 90
# description: Setup firewalling and network security
#
# To install this on a Red Hat system, save this script as
# /etc/rc.d/init.d/securenet, then run the commands
#
#   chmod 755 /etc/rc.d/init.d/securenet
#   /sbin/chkconfig --add securenet
#   /sbin/chkconfig --level 2345 securenet on
#
# The "iptables" command is available from http://netfilter.kernelnotes.org/
# An rpm-package is available from Red Hat's contrib-section
#
# Henrik Størner, sslug@sslug
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin


####################
# Configuration
#
# Need to know which ethX is external,
# and which is internal
####################
NET_INTERN=eth0
NET_EXTERN=eth1


#########################################
# First setup some of the kernel features
#########################################

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
echo "0" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Shut off source-routing and enable IP spoof detection
# It seems that this must be done for all network interfaces
for f in /proc/sys/net/ipv4/conf/*; do
   # Drop all source-routed packets
   echo "0" >$f/accept_source_route

   # Enable source-address verification (anti spoofing).
   echo "1" >$f/rp_filter
done


######################
# Setup IP firewalling
######################

# Default policies
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Create a chain for the INPUT handling
iptables -N allow_input
iptables -F allow_input

# Create a chain for the FORWARD handling
iptables -N allow_forward
iptables -F allow_forward

# Allow all traffic on lo
iptables -A allow_input -j ACCEPT -i lo

# Allow forwarding of HTTP, HTTPS and FTP requests through the squid proxy (only)
iptables -A allow_forward -j ACCEPT --protocol tcp --source 192.168.100.z --destination-port 80
iptables -A allow_forward -j ACCEPT --protocol tcp --source 192.168.100.z --destination-port 443
iptables -A allow_forward -j ACCEPT --protocol tcp --source 192.168.100.z --destination-port 20:21
iptables -A allow_forward -j ACCEPT --protocol tcp --source 192.168.100.yy --destination-port 20:21

# Allow traffic on established connections
iptables -A allow_input -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allow_forward -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new connections if not from the outside
# Allow ssh (secure shell)
iptables -A allow_forward --protocol tcp --dport 22 -m state --state NEW -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol udp --dport 22 -m state --state NEW -i $NET_INTERN -j ACCEPT
# Allow smtp (simple mail transfer protocol)
iptables -A allow_forward --protocol tcp --dport 25 -m state --state NEW -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol udp --dport 25 -m state --state NEW -i $NET_INTERN -j ACCEPT
# Allow pop3 (post office protocol)
iptables -A allow_forward --protocol tcp --dport 110 -m state --state NEW -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol udp --dport 110 -m state --state NEW -i $NET_INTERN -j ACCEPT
# Allow nntp (network news transfer protocol)
iptables -A allow_forward --protocol tcp --dport 119 -m state --state NEW -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol udp --dport 119 -m state --state NEW -i $NET_INTERN -j ACCEPT
# Allow ntp (network time protocol)
iptables -A allow_forward --protocol tcp --dport 123 -m state --state NEW -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol udp --dport 123 -m state --state NEW -i $NET_INTERN -j ACCEPT
# Allow imap (internet message access protocol)
iptables -A allow_forward --protocol tcp --dport 143 -m state --state NEW -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol udp --dport 143 -m state --state NEW -i $NET_INTERN -j ACCEPT
# Allow IRC
iptables -A allow_forward --protocol tcp --dport 6667 -m state --state NEW -j ACCEPT

# Allow Skype
iptables -A allow_forward --protocol tcp --sport 10597 -m state --state NEW -j ACCEPT
#iptables -A allow_forward --protocol tcp --dport 10597 -m state --state NEW -j ACCEPT
iptables -A allow_forward --protocol udp --sport 10597 -m state --state NEW -j ACCEPT

# Allow Distributed.net
iptables -A allow_forward --protocol tcp --dport 2064 -m state --state NEW -j ACCEPT

# Allow Steam
iptables -A allow_forward --protocol udp --destination-port 27000:27015 -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol tcp --destination-port 27020:27039 -i $NET_INTERN -j ACCEPT

# Allow ssh connections to this server
iptables -A allow_input --protocol tcp --destination-port 22 -i $NET_INTERN -j ACCEPT
iptables -A allow_input --protocol udp --destination-port 22 -i $NET_INTERN -j ACCEPT

# Allow DNS connections to this server
iptables -A allow_input --protocol tcp --destination-port 53 -i $NET_INTERN -j ACCEPT
iptables -A allow_input --protocol udp --destination-port 53 -i $NET_INTERN -j ACCEPT

# Allow NTP (Network Time Protocol) connections to this server
iptables -A allow_input --protocol udp --destination-port 123 -i $NET_INTERN -j ACCEPT

# Allow Gnutella to and from Melvin (192.168.100.ww)
iptables -A allow_forward --protocol tcp --destination 192.168.100.ww --destination-port 6346 -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol tcp --source 192.168.100.ww --destination-port 6346 -i $NET_INTERN -j ACCEPT

# Allow ares to and from Melvin (192.168.100.ww)
iptables -A allow_forward --protocol tcp --destination 192.168.100.ww --destination-port 23772 -i $NET_INTERN -j ACCEPT
iptables -A allow_forward --protocol tcp --source 192.168.100.ww --destination-port 23772 -i $NET_INTERN -j ACCEPT

# Allow new connections to our public http service
# For home users there are normally none
#
# How to do this depends on whether the service is running on the
# firewall host itself, or on another system "behind" the firewall
# (on the internal LAN, or a separate network segment - so called DMZ).
#
# The following command is needed in both cases:
# iptables -A allow_input -m state --protocol tcp --state NEW -i $NET_EXTERN --destination-port http -j ACCEPT
# If the service is running on another host (here: 192.168.11.22), you must
# do "port forwarding" like this (no need for ipmasqadm anymore):
# iptables -t nat -A PREROUTING --protocol tcp -i $NET_EXTERN --destination-port http -j DNAT --to 192.168.100.2

# Allow "lookups" from ISP
iptables -A allow_input --source 10.0.0.1 --destination 10.0.0.255 --protocol udp --source-port 520 --destination-port 520 -j ACCEPT

# Block anything else
# Rate-limited logging (disabled; the limit match is "-m limit --limit ... --limit-burst ..."):
# iptables -A allow_input -m limit --limit 3/minute --limit-burst 5 -j LOG
# iptables -A allow_forward -m limit --limit 3/minute --limit-burst 5 -j LOG
iptables -A allow_input -j LOG --log-prefix 'allow_input: '
iptables -A allow_forward -j LOG --log-prefix 'allow_forward: '

# Activate the new chain
iptables -A INPUT -j allow_input
iptables -A FORWARD -j allow_forward


####################
# Setup Masquerading
####################


# Setup NAT for outgoing connections from the local network

### NB: This is disabled by default. If you want to use     ###
###     masquerading, just remove the "###" comment-markers ###
###     from the lines below.                               ###

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o $NET_EXTERN -j MASQUERADE

#
# NB: On Red Hat systems, forwarding is controlled in /etc/sysctl.conf !
#     You need to set net.ipv4.ip_forward=1 in this file, or the
#     command below will have no effect.
#
echo "1" >/proc/sys/net/ipv4/ip_forward
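As an added example that is not part of the original post: a small diagnostic for the symptom shown above, where the SYN for the passive-mode data port (DPT=63642) leaves on eth1 and falls through to the final LOG rule because the ESTABLISHED,RELATED rule did not recognise it as related to the port-21 control session. It assumes the script's "allow_forward: " log prefix and eth1 as the external interface, and runs on constructed sample input rather than the live system.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose dropped passive-FTP data
# connections from the firewall log and the loaded-module list.

# Count SYNs to unprivileged ports (>1023) that left on the external interface
# and still reached the final LOG rule. Such packets matched no ACCEPT rule,
# not even ESTABLISHED,RELATED: the data connection announced by "227 Entering
# Passive Mode" was not tracked as RELATED to the control connection.
count_dropped_high_port_syns() {              # $1 = log file, $2 = external if
    grep 'allow_forward: ' "$1" | grep "OUT=$2 " | grep ' SYN ' \
    | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' | awk '$1 > 1023' | wc -l | tr -d ' '
}

# True when the FTP connection-tracking helper is loaded; $1 is a file in
# /proc/modules format. Linux 2.4 (the kernel the script targets) names the
# module ip_conntrack_ftp; 2.6 and later name it nf_conntrack_ftp.
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp ' "$1"
}

# Print the remediation. The helper is enough for the passive-mode case in the
# post; active-mode clients behind MASQUERADE additionally need ip_nat_ftp.
recommend() {                                 # $1 = log file, $2 = modules file
    n=$(count_dropped_high_port_syns "$1" eth1)
    if [ "$n" -gt 0 ] && ! ftp_helper_loaded "$2"; then
        echo "modprobe ip_conntrack_ftp"
    else
        echo "ok"
    fi
}

# Constructed sample input modelled on the log quoted in the post (addresses
# changed); the third line is an unrelated telnet attempt that should be dropped.
LOG=$(mktemp); MODS=$(mktemp)
cat >"$LOG" <<'EOF'
Mar 17 14:04:45 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24079 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 14:04:48 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24080 DF PROTO=TCP SPT=33527 DPT=63642 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 17 14:05:10 peter kernel: allow_forward: IN=eth0 OUT=eth1 SRC=192.168.100.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=24091 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
printf 'ip_tables 15360 2 iptable_nat,iptable_filter\nip_conntrack 27000 1 iptable_nat\n' >"$MODS"

recommend "$LOG" "$MODS"                      # prints: modprobe ip_conntrack_ftp
```

Once the helper is loaded, the existing "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule in allow_forward accepts the data connection without any further port openings.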



Last modified 2006-04-01, 02:03 CEST