[TCLUG] could use an iptable script

Sun Mar 17 09:42:00 CST 2002

On Sun, Mar 17, 2002 at 08:08:51AM -0500, Raymond Norton wrote:
> Here is the script I am trying to use. I couldn't see what to change.
> Everything I need works except for ftp. As mentioned I can connect with
> username and password, but cannot se any folders. Thanks for your help
> getting this to work.
> 
> 
> -- 
> Raymond Norton
> Little Crow Telemedia Network
> 2 Centry Av
> Hutchinson, MN.
> 320-234-0270
> 

I have looked at your script and am sending it back with a couple of
changes. A couple are minor issues that have nothing to do with the ftp
issue. Others I think will address that problem. I marked the sections I
changed with '# *****'

You had:
LAN_BCAST_ADRESS="192.168.255.255"
Sould be:
LAN_BCAST_ADRESS="192.168.0.255"

You had:
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
Should be:
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/24 -j DROP

(The above two changes are because you specified your IP address as
192.168.0.1 and your LAN as 192.168.0.0/24.)

Finally, the ftp issue:

FTP has two modes: active and passive. Active mode requires that you not
only allow ports 20 and 21 going out (which you do), but also allow
ports 20 and 21 coming in.

Passive mode requires port 21 coming in, and a non-privileged port
(>1024) coming in.

I added these lines to your script (but haven't tested - that's an
exercise for the reader):

# support active ftp
$IPTABLES -A tcp_packets -p TCP --sport 20:21 -j allowed
# support passive ftp
$IPTABLES -A tcp_packets -p TCP --sport 1024: --dport 1024: -j allowed

-- 
_______________________________________________
Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org
tclug-list at mn-linux.org
https://mailman.mn-linux.org/mailman/listinfo/tclug-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://shadowknight.real-time.com/pipermail/tclug-list/attachments/20020317/92df78fa/attachment.pgp