#1
    Junior Member (Devshed Newbie), Harrisburg 17102, joined May 2002, 6 posts

    Need help with Linux firewall (ipchains)


    Help...

    I can't get ipchains to work on a local network.

    It works. Just too good. The problem is that I'm running ProFTPD on a 10.40.100.10 address (intranet). This runs my staging HTTP server (Apache).

    Locally I can connect fine. However, connecting from a machine on the same subnet, i.e. 10.40.100.20, fails. I have tried a number of configurations... including using tools like:

    pmfirewall
    http://www.linux-firewall-tools.com/linux/firewall/ (a web tool)
    and referring to the ipchains HOWTO.

    Outside of opening the firewall completely... nothing allows FTP connections. Yes, I have opened the ports for ftp and ftp-data, but the connections fail every time! Very frustrating. Even PASSIVE connections fail.

    Help.
    Tim
#2
    Junior Member (Devshed Newbie), Harrisburg 17102, joined May 2002, 6 posts

    The firewall... for review...


    To anyone that can help...

    Attached is my firewall script. Edited to protect the innocent... no addresses in other words.

    Essentially, can anyone tell me what is happening to prevent FTP (active|passive) and HTTP connections? For example:

    10.40.100.20 (windoze) cannot connect for ftp|http running on 10.40.100.10 (RHL 7.2).

    I'm guessing that it is the order that the chains are being loaded.

    Also... note that I have commented out line 84. This file does not seem to exist on RHL 7.2 (Enigma). However, the files:

    ipfrag_thresh_high
    ipfrag_thresh_low

    do. How are they used? Do they replace ip_always_defrag?

    THANKS in advance...
#3
    Junior Member (Devshed Newbie), Harrisburg 17102, joined May 2002, 6 posts

    Update...


    To anyone following this thread... I like to keep readers updated...

    I'm trying out a script called Mason. The idea of Mason is to "learn" the firewalling requirements of the machine you're running it on.

    I'll keep the thread updated.

    Tim
#4
    Member (Devshed Newbie), Toronto, Canada, joined Jun 2001, 22 posts
    Hi Gefahrmaus,
    I'm having the same problem for my PHP ftp_get(). Connections fail once my ipchains is up. Please let me know if you got it fixed. Thanks. This is my ipchains table.

    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 89 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 444 -p tcp -y -j ACCEPT
    -A input -s 207.35.158.1/24 -d 0/0 22 -p tcp -y -j ACCEPT
    -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    -A input -s 198.235.216.131 53 -d 0/0 -p udp -j ACCEPT
    -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
    -A input -s 0/0 -d 0/0 -p udp -j REJECT
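The simulator below is added here and is not code from any post in the thread. It models ipchains first-match evaluation over the input chain posted above and shows why an active-mode FTP transfer breaks while passive mode does not: `-y` matches only packets with SYN set and ACK/FIN clear, so the FTP server's fresh SYN from port 20 to the client's data port reaches the final `-p tcp -y -j REJECT` rule, whereas the SYN/ACK reply to a client-opened passive data channel matches no rule and falls through to the ACCEPT policy. The host addresses, the eth0 interface and the data-port numbers are constructed.

```python
import ipaddress

INPUT_CHAIN = [  # constructed copy of the "input" chain posted above; policy is ACCEPT
    "-A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT",
    "-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT",
    "-A input -s 0/0 -d 0/0 89 -p tcp -y -j ACCEPT",
    "-A input -s 0/0 -d 0/0 444 -p tcp -y -j ACCEPT",
    "-A input -s 207.35.158.1/24 -d 0/0 22 -p tcp -y -j ACCEPT",
    "-A input -s 0/0 -d 0/0 -i lo -j ACCEPT",
    "-A input -s 198.235.216.131 53 -d 0/0 -p udp -j ACCEPT",
    "-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT",
    "-A input -s 0/0 -d 0/0 -p udp -j REJECT",
]
def parse_rule(line):
    # Parse only the ipchains options used in the table above.
    rule = dict(src="0/0", sport=None, dst="0/0", dport=None, proto=None, iface=None, syn=False, target=None)
    toks, i = line.split(), 0
    while i < len(toks):
        t, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if t in ("-s", "-d"):            # address, optionally followed by a port
            key = "src" if t == "-s" else "dst"
            rule[key], i = arg, i + 2
            if i < len(toks) and toks[i].isdigit():
                rule[key[0] + "port"], i = int(toks[i]), i + 1
        elif t == "-y":                  # SYN set with ACK and FIN clear
            rule["syn"], i = True, i + 1
        else:                            # -A chain, -p proto, -i iface, -j target
            rule[{"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}[t]] = arg
            i += 2
    return rule
def in_net(addr, spec):
    spec = "0.0.0.0/0" if spec == "0/0" else spec   # ipchains shorthand for any address
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
def matches(rule, pkt):
    return (rule["proto"] in (None, pkt["proto"]) and rule["iface"] in (None, pkt["iface"])
            and (pkt["syn"] or not rule["syn"])          # -y never matches a SYN/ACK
            and in_net(pkt["src"], rule["src"]) and in_net(pkt["dst"], rule["dst"])
            and rule["sport"] in (None, pkt["sport"]) and rule["dport"] in (None, pkt["dport"]))
def verdict(pkt, chain=INPUT_CHAIN, policy="ACCEPT"):
    for rule in map(parse_rule, chain):  # first matching rule decides
        if matches(rule, pkt):
            return rule["target"]
    return policy
def tcp(src, sport, dst, dport, syn):
    return dict(proto="tcp", iface="eth0", src=src, sport=sport, dst=dst, dport=dport, syn=syn)
# Constructed hosts: WEB runs the PHP ftp_get() client, FTP is the remote server.
WEB, FTP = "10.0.0.5", "203.0.113.7"
ACTIVE_DATA = tcp(FTP, 20, WEB, 40000, syn=True)        # server opens the data channel
PASSIVE_REPLY = tcp(FTP, 50000, WEB, 40001, syn=False)  # SYN/ACK to a client-opened channel
```

Running `verdict(ACTIVE_DATA)` gives REJECT and `verdict(PASSIVE_REPLY)` gives ACCEPT, so with this table the client must use passive mode or the chain needs an explicit rule for inbound SYNs from port 20 to the unprivileged ports.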
#5
    Junior Member (Devshed Newbie), joined Jan 2003, 28 posts


    Hey,

    Just check this. Some info that may help you.

    # Snippet from "rc.firewall"
    #
    # Derived from Robert Ziegler, "Linux Firewalls".
    #


    EXTERNAL_INTERFACE="<Internet-Connected-Interface>"
    IPADDR="<Your-IP-Address>"
    UNPRIVPORTS="1024:65535"
    ANYWHERE="any/0"
    INTERNAL_NET="192.168.x.y/24"


    #
    # Required Module.
    #
    modprobe ip_masq_ftp


    #
    # Masquerade Internal Traffic.
    #
    ipchains -A forward -i $EXTERNAL_INTERFACE -s $INTERNAL_NET -j MASQ


    :
    :


    #####
    #
    # Enable FTP Client.
    #
    #####


    #
    # Allow Local Client Requests.
    #
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 21 -j ACCEPT


    #
    # Allow Remote Server Responses to Local Client Requests.
    #
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE 21 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT


    #-


    #
    # Allow Remote Server Initiated Normal Port Mode FTP Data Channels.
    #
    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
    -s $ANYWHERE 20 \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT


    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE 20 -j ACCEPT


    #-


    #
    # Allow Local Client Initiated Passive Port Mode FTP Data Channels.
    #
    ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
    -s $IPADDR $UNPRIVPORTS \
    -d $ANYWHERE $UNPRIVPORTS -j ACCEPT


    ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
    -s $ANYWHERE $UNPRIVPORTS \
    -d $IPADDR $UNPRIVPORTS -j ACCEPT




    # End - Enable FTP Client.
#6
    Junior Member (Devshed Newbie), joined Jan 2003, 28 posts
    Dear vizeta,

    Please add this

    /sbin/ipchains -A forward -p tcp -s 192.168.0.0/23 --dport ftp-data -j MASQ
    /sbin/ipchains -A forward -p tcp -s 192.168.0.0/23 --dport ftp -j MASQ

    Hope it works for you.

    ranjith
