
Re: Confused on iptables and ftp..yes still...



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> My iptable rule:
> 
> $IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT
> 
> I read this as any packet that is not a --syn type from source 20 on the ftp
> server I'm hooking up to, destined to my pc port 1024:65535 jumps to ACCEPT

Try taking out the "! --syn" and see what you get.

> here's a snip of my log files:
> 
> Oct  3 14:32:44 stimpy kernel: Firewall:IN=eth0 OUT= MAC=00:10:5a:15:35:f1:00:30
> :71:78:24:00:08:00 SRC=209.10.41.242 DST=24.216.244.106 LEN=60 TOS=0x00 PREC=0x0
> 0 TTL=54 ID=29441 DF PROTO=TCP SPT=20 DPT=32778 WINDOW=32120 RES=0x00 SYN URGP=0
> 
> And that's telling me that it's coming from port 20, it's tcp, and it's headed
> to my port 32778, which should jump to ACCEPT!  I simply cannot understand why
> the firewall is dropping those packets.  Allan was nice enough to point me to
> a web site talking about firewalls and ftp and I 'thought' I had the right 
> stuff being let thru.
> 
> Here's a twist...the exact same firewall rules were successful when I was
> running woody, but now that I'm on a standard potato with 'iptables' added
> separately it's not working.

Part of the problem is that you're treating iptables and ipchains as if
they were the same thing; they are totally different packet
filtering/mangling mechanisms.

I see you're not using the super nifty connection tracking capabilities of
iptables.  Perhaps it'll help to see a working configuration:

# Assumes $IPT, $OUTSIDE_IFACE and $LOCALNET are set earlier, e.g.
#   IPT=/sbin/iptables  OUTSIDE_IFACE=eth0  LOCALNET=192.168.1.0/24
# The FTP helper module is what makes the data connection count as
# RELATED; without it the state rule below only covers the control channel.
modprobe ip_conntrack_ftp
$IPT -t nat -A POSTROUTING -o $OUTSIDE_IFACE -j MASQUERADE
$IPT -P FORWARD ACCEPT
$IPT -A INPUT -s $LOCALNET -j ACCEPT
$IPT -A INPUT -s localhost -j ACCEPT
$IPT -P INPUT DROP
# Replies and helper-expected connections (FTP data) get in; anything
# NEW or INVALID from outside falls through to the DROP policy.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

This is all you effectively need for a firewall that does internet
connection sharing.  These lines will block all new and invalid incoming
connections, but allow through services that need to connect to a port on
your computer, like IRC, web and FTP.

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE52j1T/ZTSZFDeHPwRAtdKAJ9mpHkGjxUBoUz27HQMZTbp9frD9QCeN+Kp
9oksHocHIWODtbbDey5ld6Q=
=7UVf
-----END PGP SIGNATURE-----
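The following is an added example, not code from the original post or from Phil's configuration. It replays the kernel log line quoted in the thread against the original poster's rule, the same rule with "! --syn" removed, and a stateful ESTABLISHED,RELATED check backed by a model of the FTP helper, so the reason the packet was dropped, and what each alternative trades off, is visible in working code. The matcher and the Conntrack class are a simplified stand-in for iptables and the kernel's connection tracking, not the real thing; the forged source address 198.51.100.7 is constructed for the example, and the PORT argument 24,216,244,106,128,10 is assumed (reconstructed from the DPT in the log), since the thread does not show the control-channel exchange.

```python
"""Replay the thread's kernel log line against three firewall policies.

Added example; not code from the original post.  The matcher and the
Conntrack class are a simplified stand-in for iptables and the kernel's
connection tracking, not the real thing.
"""

# The log line quoted in the thread, joined back onto one line.
LOG_LINE = (
    "Oct  3 14:32:44 stimpy kernel: Firewall:IN=eth0 OUT= "
    "MAC=00:10:5a:15:35:f1:00:30:71:78:24:00:08:00 "
    "SRC=209.10.41.242 DST=24.216.244.106 LEN=60 TOS=0x00 PREC=0x00 "
    "TTL=54 ID=29441 DF PROTO=TCP SPT=20 DPT=32778 WINDOW=32120 RES=0x00 SYN URGP=0"
)

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log(line):
    """Parse a netfilter LOG line into the fields a rule cares about."""
    fields, flags = {}, set()
    for tok in line.split("kernel:", 1)[1].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key.rsplit(":", 1)[-1]] = val   # "Firewall:IN=eth0" -> IN
        elif tok in TCP_FLAGS:
            flags.add(tok)
    return {"proto": fields["PROTO"], "src": fields["SRC"], "dst": fields["DST"],
            "sport": int(fields["SPT"]), "dport": int(fields["DPT"]), "flags": flags}


def is_syn(pkt):
    """iptables --syn: SYN set, ACK/RST/FIN clear (a connection-opening packet)."""
    return "SYN" in pkt["flags"] and not pkt["flags"] & {"ACK", "RST", "FIN"}


def rule_matches(rule, pkt):
    """Stateless match.  Keys: proto, sport=(lo, hi), dport=(lo, hi),
    syn=True for --syn, syn=False for '! --syn', absent for no flag test."""
    if rule.get("proto") and pkt["proto"] != rule["proto"]:
        return False
    for side in ("sport", "dport"):
        lo_hi = rule.get(side)
        if lo_hi and not lo_hi[0] <= pkt[side] <= lo_hi[1]:
            return False
    if "syn" in rule and is_syn(pkt) != rule["syn"]:
        return False
    return True


class Conntrack:
    """Minimal model of '-m state' plus the FTP helper (ip_conntrack_ftp)."""

    def __init__(self):
        self.established = set()   # (src, sport, dst, dport) flows already seen
        self.expected = set()      # (server, client, client_port) data connections

    def note_port_command(self, client, server, port_arg):
        """The expectation the FTP helper registers on seeing 'PORT h1,h2,h3,h4,p1,p2'
        on the control connection.  Any server source port matches, as in the kernel."""
        parts = [int(x) for x in port_arg.split(",")]
        if len(parts) != 6 or not all(0 <= p <= 255 for p in parts):
            raise ValueError(f"malformed PORT argument: {port_arg!r}")
        ip = ".".join(str(p) for p in parts[:4])
        self.expected.add((server, ip, parts[4] * 256 + parts[5]))

    def state(self, pkt):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        back = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if flow in self.established or back in self.established:
            return "ESTABLISHED"
        if (pkt["src"], pkt["dst"], pkt["dport"]) in self.expected:
            return "RELATED"
        return "NEW"

    def verdict(self, pkt):
        """INPUT: -m state --state ESTABLISHED,RELATED -j ACCEPT, policy DROP."""
        st = self.state(pkt)
        if st == "RELATED":   # expectation consumed, flow now tracked
            self.expected.discard((pkt["src"], pkt["dst"], pkt["dport"]))
            self.established.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return st in ("ESTABLISHED", "RELATED")


def verdicts():
    """Run the logged packet and a forged one through each policy."""
    pkt = parse_log(LOG_LINE)
    posters_rule = {"proto": "TCP", "sport": (20, 20), "dport": (1024, 65535), "syn": False}
    no_syn_rule = {"proto": "TCP", "sport": (20, 20), "dport": (1024, 65535)}
    forged = dict(pkt, src="198.51.100.7")   # constructed: unrelated host, source port 20
    ct = Conntrack()
    # Assumed: the client had sent PORT 24,216,244,106,128,10 (128*256+10 = 32778).
    ct.note_port_command("24.216.244.106", "209.10.41.242", "24,216,244,106,128,10")
    return {
        "posters_rule_accepts_ftp_data": rule_matches(posters_rule, pkt),
        "no_syn_rule_accepts_ftp_data": rule_matches(no_syn_rule, pkt),
        "no_syn_rule_accepts_forged": rule_matches(no_syn_rule, forged),
        "stateful_accepts_ftp_data": ct.verdict(pkt),
        "stateful_accepts_forged": ct.verdict(forged),
    }


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:32} {'ACCEPT' if ok else 'DROP'}")
```

Running it shows the three outcomes side by side: the poster's rule misses the packet because "! --syn" excludes exactly the SYN that opens an active-mode data connection; dropping "! --syn" lets it through but also lets any host reach your unprivileged ports merely by sending from source port 20; the state match accepts the server's data connection as RELATED (ip_conntrack_ftp creates that expectation from the PORT command, as note_port_command sketches) and drops the forged one. The expectation is keyed on the server's address, so a packet forged with that address during the expectation window would still match, but it then has to complete a handshake, which blind spoofing cannot do.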