[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

ftp dietro firewall

buongiorno a tutti,
ho un problema che credo sia comune a molti e piu' precisamente devo 
aggiornare periodicametne via ftp un server antivirus, fin qui niente di 
strano, il problema e' che il client ftp della suite antivirus ovviamente 
lavora in attivo e non si puo' passarlo a passivo, e che altrettanto 
oovviamente la macchina in questione e' dietro firewall.
la macchina ha ip 192.168.2.1
e di seguito c'e' lo script che ho fatto scopiazzando a destra e a sinistra 
non riesco a capire a capire per quale motivo pur avendo imposto la 
condizione 
 -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
l'ftp non funzioni qualcuno  mi puo' per cortesia aiutare?
grazie mille in anticipo 



#!/bin/sh

###debugging###
set -x

####flushing chains####
iptables -F
iptables -F -t nat
iptables -X
iptables -Z

### default chain###
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT

### setting ipforwarding####
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward

###disable respond to broadcast###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcast

###enable bad error message protection ###
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

### disable icmp redirect acceptance ###
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

### setting antispoofing protection ###
/bin/echo/ "1" > /proc/sys/net/ipv4/conf/all/rp_filter

### don't respond to broadcast pings ###
/bin/echo "1" /proc/sys/net/ipv4/conf/all/log_martians

# external interface
EXTIF="eth0"

#internal interface
INTIF="eth1"

#host public IP
EGO="xxx.xxx.xxx.xxx"

#internal lan IP
LANIN="192.168.2.0/24"

#traceroute ports
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"


# DNS servers
DNS1="xxx.xxx.xxx.xxx"
DNS2="xxx.xxx.xxx.x"
DNS3="xxx.xxx.xxx.x"

#RFC IPs
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/16"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"




#### RULE ######################################################
#SPOOFING#
/sbin/iptables -A INPUT -i $EXTIF -s $EGO -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s $CLASS_A -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s $CLASS_B -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s $CLASS_C -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s $CLASS_D_MULTICAST -j DROP
/sbin/iptables -A INPUT -i $EXTIF -s $CLASS_E_RESERVED_NET -j DROP
/sbin/iptables -A INPUT -i $EXTIF -d $LOOPBACK -j DROP

#### LOOP RULE#########################################
/sbin/iptables -A INPUT -s $LOOPBACK -j ACCEPT
/sbin/iptables -A OUTPUT -d $LOOPBACK -j ACCEPT

#### TRACEROUTE ########################################
/sbin/iptables -A OUTPUT -o $EXTIF -p udp --sport $TR_SRC_PORTS --dport 
$TR_DEST_PORTS \
 -m state --state NEW -j ACCEPT

#### LAN IN OUT ########################################
/sbin/iptables -A INPUT -i $INTIF -s $LANIN -j ACCEPT
/sbin/iptables -A OUTPUT -o $INTIF -d $LANIN -j ACCEPT
/sbin/iptables -A FORWARD -s $LANIN -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -d $LANIN -p tcp --syn -j DROP
/sbin/iptables -A FORWARD -s 0/0 -d $LANIN -j ACCEPT

###SERVICES##############################################
#DNS
/sbin/iptables -A INPUT -i $EXTIF -p udp -s $DNS1 --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTIF -p udp -s $DNS2 --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -i $EXTIF -p udp -s $DNS3 --sport 53 -j ACCEPT

#SSH
/sbin/iptables -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT


#### RULE ###############################################
/sbin/iptables -A INPUT -p tcp -m state --state ESTABLISHED  -j  ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i $EXTIF -p udp -m state --state ESTABLISHED -j 
ACCEPT
/sbin/iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j 
ACCEPT
/sbin/iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state 
ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
### POSTROUTING CHAIN####################################
/sbin/iptables -t nat -A POSTROUTING -o $EXTIF -s $LANIN -j MASQUERADE

### LOGGING #############################################

/sbin/iptables -A INPUT -j LOG --log-prefix "DENY INPUT:"
/sbin/iptables -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -j LOG --log-prefix ""DENY FW:"
/sbin/iptables -A OUTPUT -j --log-prefix "DENY OUT:"
/sbin/iptables -A FORWARD -j LOG

-- 
Mario Vittorio Guenzi
Zincometal S.p.A.
c.so Europa Str.prov 34
20010-Inveruno (MI)
tel: 02-979661
fax: 02-97966351
E-mail:edp@zincometal.com
http://www.zincometal.com
Si vis pacem, para bellum

844B 6FAA 1B98 94EF 84F1  FD21 E1FD 8598 ADBA 3893
Reply to: