Hi
I have a problem with my iptables script.
It doesn't allow PASV mode in FTP.
I do not understand why, as all OUTPUT traffic is accepted and all INPUT traffic in ESTABLISHED,RELATED state is also accepted,
so for me all requests on port 20 for data and on ports > 1024 for PASV mode should be allowed by iptables.
Any idea?
What am I doing wrong?
Here is the script
#!/bin/bash
set -e

# Caution! Once this firewall is active,
# changes will almost certainly require a reboot,
# or at least console (the network will be unavailable).

# Load IRC & FTP modules for use behind a NAT. Usually not necessary.
/sbin/modprobe ip_conntrack_ftp

# Flush rules
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z

# rp_filter
for f in /proc/sys/net/ipv4/conf/*; do
    echo 1 > "$f/rp_filter"
    echo 0 > "$f/accept_source_route"
    echo 0 > "$f/accept_redirects"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/ip_forward

# Set chain defaults
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Okay, the rules

# Rejects go here
/sbin/iptables -N rej
/sbin/iptables -A rej -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A rej -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A rej -j DROP

# Slow reject is our packet limiter.
/sbin/iptables -N slowrej
/sbin/iptables -A slowrej -m limit --limit 12/min --limit-burst 2 -j rej
/sbin/iptables -A slowrej -j DROP

# UDP rules
/sbin/iptables -N pudp
/sbin/iptables -A pudp -p udp --dport 53 -j ACCEPT # DNS (udp)
/sbin/iptables -A pudp -p udp --dport 161 -j ACCEPT # SNMP (udp)
/sbin/iptables -A pudp -p udp --dport bootps:bootpc -j DROP
/sbin/iptables -A pudp -j slowrej

# TCP rules
# Enable services on an as-needed basis.
# Template below includes most popular services.
# Default rule (below) is to allow SSH and SNMP.
# Everything else is your responsibility.
/sbin/iptables -N ptcp
/sbin/iptables -A ptcp -p tcp --dport 161 -m state --state NEW -j ACCEPT # SNMP
/sbin/iptables -A ptcp -p tcp --dport 80 -m state --state NEW -j ACCEPT # HTTP
/sbin/iptables -A ptcp -p tcp --dport 443 -m state --state NEW -j ACCEPT # HTTPS
/sbin/iptables -A ptcp -p tcp --dport 20 -m state --state NEW -j ACCEPT # FTP
/sbin/iptables -A ptcp -p tcp --dport 21 -m state --state NEW -j ACCEPT # FTP
/sbin/iptables -A ptcp -p tcp --dport 22 -m state --state NEW -j ACCEPT # SSH
/sbin/iptables -A ptcp -p tcp --dport 2443 -m state --state NEW -j ACCEPT # Nodeworx
/sbin/iptables -A ptcp -p tcp --dport 2080 -m state --state NEW -j ACCEPT # Nodeworx
/sbin/iptables -A ptcp -p tcp --dport 25 -m state --state NEW -j ACCEPT # SMTP
/sbin/iptables -A ptcp -p tcp --dport 110 -m state --state NEW -j ACCEPT # POP3
/sbin/iptables -A ptcp -p tcp --dport 995 -m state --state NEW -j ACCEPT # POP3S
/sbin/iptables -A ptcp -p tcp --dport 143 -m state --state NEW -j ACCEPT # IMAP2
/sbin/iptables -A ptcp -p tcp --dport 993 -m state --state NEW -j ACCEPT # IMAPS
/sbin/iptables -A ptcp -p tcp --dport 3306 -m state --state NEW -j ACCEPT # mysql
/sbin/iptables -A ptcp -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS (tcp)
/sbin/iptables -A ptcp -p tcp --dport 10000 -m state --state NEW -j ACCEPT # webmin (tcp)
/sbin/iptables -A ptcp -p tcp --dport 3333 -m state --state NEW -j ACCEPT # ntop (tcp)
/sbin/iptables -A ptcp -p tcp --dport 6667 -m state --state NEW -j ACCEPT # IRCD
/sbin/iptables -A ptcp -p tcp --dport 6668 -m state --state NEW -j ACCEPT # IRCD
/sbin/iptables -A ptcp -p tcp --dport 6999 -m state --state NEW -j ACCEPT # IRCD SERVICES
/sbin/iptables -A ptcp -p tcp --dport 7029 -m state --state NEW -j ACCEPT # IRCD SERVICES
/sbin/iptables -A ptcp -p tcp --dport 7000 -m state --state NEW -j ACCEPT # HUB IRCD
/sbin/iptables -A ptcp -j slowrej

# ICMP rules
/sbin/iptables -N picmp
/sbin/iptables -A picmp -p icmp -m limit --limit 2/sec --limit-burst 2 --icmp-type echo-request -j ACCEPT
/sbin/iptables -A picmp -j DROP

# INPUT chain: Anything over loopback, and anything found in the state matching
# system is accepted.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# If you have constant abusers, block them permanently by CIDR thus:
# iptables -A INPUT -s 192.168.1.0/24 -j rej
# For particularly abusive servers or brain-dead software that keeps trying
# even with rej, try this instead:
# iptables -A INPUT -s 192.168.1.0/24 -j DROP

/sbin/iptables -A INPUT -p udp -j pudp
/sbin/iptables -A INPUT -p tcp -j ptcp
/sbin/iptables -A INPUT -p icmp -j picmp
For the FTP rules I would write something like
# FTP handling
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
Is it correct?
Thanks for your help
Pascal