Re: How to work with my iptables script

To: Jacob Friis Larsen <jfl@list.idg.dk>, debian-firewall@lists.debian.org
Subject: Re: How to work with my iptables script
From: Mike Mestnik <cheako911@yahoo.com>
Date: Wed, 25 Aug 2004 19:42:51 -0700 (PDT)
Message-id: <[🔎] 20040826024251.40203.qmail@web11906.mail.yahoo.com>
In-reply-to: <[🔎] 412C2C07.4020806@list.idg.dk>

  This is true that your not forwarding any thing, here.  You the also are
not doing any nat.  The ip_nat_ftp is then not needed.

  ip_conntrack_ftp will let you do active FTP, but AFAIK you can't do
passive FTP from 1.2.3.4.  Most ftp servers now drop root privs after
authenticate, thus are not able to listen on 20.  Even if a listening port
20 FD is inhareted, it won't get any connections and only one socket can 
exist.

  Also dose "/etc/init.d/iptables save" reflect the proc->ip_forward
setting?  Change /etc/network/options, that is where I set this.

--- Jacob Friis Larsen <jfl@list.idg.dk> wrote:

> By the help of http://iptables-script.dk/ I have created the script
> below.
> 
> Is this the correct way to work with it:
> - Store it in /root as myiptables
> - Make it executable
> - Run /root/myiptables
> - Run /etc/init.d/iptables save active
> 
> And does it look ok?
> Thanks, Jacob
> 
> <script>
> #!/bin/sh
> 
> # Disable forwarding
> echo 0 > /proc/sys/net/ipv4/ip_forward
> 
> # load some modules (if needed)
> modprobe ip_nat_ftp
> modprobe ip_conntrack_ftp
> 
> # Flush
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t nat -F OUTPUT
> iptables -F
> 
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> 
> #localhost
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> 
> # Open ports on router for server/services
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 20
> iptables -A INPUT -s 1.2.3.4 -j ACCEPT -p tcp --dport 21
> iptables -A INPUT -j ACCEPT -p tcp --dport 22
> iptables -A INPUT -j ACCEPT -p tcp --dport 25
> iptables -A INPUT -j ACCEPT -p tcp --dport 80
> iptables -A INPUT -j ACCEPT -p tcp --dport 143
> iptables -A INPUT -j ACCEPT -p tcp --dport 993
> 
> # STATE RELATED for router
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> </script>

__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - 100MB free storage!
http://promotions.yahoo.com/new_mail

Reply to:

Follow-Ups:
- Re: How to work with my iptables script
  - From: Jacob Friis Larsen <jfl@list.idg.dk>

References:
- How to work with my iptables script
  - From: Jacob Friis Larsen <jfl@list.idg.dk>

Prev by Date: Re: All these open ports
Next by Date: Re: All these open ports
Previous by thread: Re: How to work with my iptables script
Next by thread: Re: How to work with my iptables script
Index(es):
- Date
- Thread