Re: Confused on iptables and ftp..yes still...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
A long time ago, in a galaxy far, far way, someone said...
> My iptable rule:
>
> $IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT
>
> I read this as any packed that is not a --syn type from source 20 on the ftp
> server i'm hooking up to, destined to my pc port 1024:65535 jumps to ACCEPT
Try taking out the "! --syn" and see what you get.
> here's a snip of my log files:
>
> Oct 3 14:32:44 stimpy kernel: Firewall:IN=eth0 OUT= MAC=00:10:5a:15:35:f1:00:30
> :71:78:24:00:08:00 SRC=209.10.41.242 DST=24.216.244.106 LEN=60 TOS=0x00 PREC=0x0
> 0 TTL=54 ID=29441 DF PROTO=TCP SPT=20 DPT=32778 WINDOW=32120 RES=0x00 SYN URGP=0
>
> And that's telling me that it's coming from port 20, it's tcp, and it's headed
> to my port 32778, which should jump to ACCEPT! I simply cannot understand why
> the firewall is dropping those packets. Allan was nice enough to point me to
> a web site talking about firewalls and ftp and I 'thought' I had the right
> stuff being let thru.
>
> Here's a twist...the exact same firewall rules were successfull when I was
> runnin woody, but now that I'm on a standard potato with 'iptables' added
> separately it's not working.
Part of the problem is that you're treating iptables like ipchains as if
they are the same; they are totally different packet filtering/mangling
mechanisms.
I see you're not using the super nifty connection tracking capabilities of
iptables. Perhaps it'll help to see a working configuration:
$IPT -t nat -A POSTROUTING -o $OUTSIDE_IFACE -j MASQUERADE
$IPT -P FORWARD ACCEPT
$IPT -A INPUT -s localnet/24 -j ACCEPT
$IPT -A INPUT -s localhost -j ACCEPT
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
This is all you effectively need for a firewall that does internet
connection sharing. These lines will block all new and invalid incoming
connections, but allow through services that need to connect to a port on
your computer, like IRC, web and FTP.
- --
- ----------------------------------------------------------------------
Phil Brutsche pbrutsch@tux.creighton.edu
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE52j1T/ZTSZFDeHPwRAtdKAJ9mpHkGjxUBoUz27HQMZTbp9frD9QCeN+Kp
9oksHocHIWODtbbDey5ld6Q=
=7UVf
-----END PGP SIGNATURE-----
Reply to: