Iptables

Hi

I have a problem with my IPTABLES script

It doesn’t allow PASV mode in FTP

I do not understand why, as all OUTPUT is accepted and all INPUT in the ESTABLISHED,RELATED state is also accepted.

So for me, all requests on port 20 for the data connection and on ports > 1024 for PASV mode should be allowed by iptables.

Any idea?
What am I doing wrong?

Here is the script

#!/bin/bash
set -e

# Caution! Once this firewall is active,
# changes will almost certainly require a reboot,
# or at least console (the network will be unavailable).

# Load IRC & FTP modules for use behind a NAT. Usually not necessary.
/sbin/modprobe ip_conntrack_ftp

# Flush rules
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -t mangle -F
/sbin/iptables -t mangle -X
/sbin/iptables -t mangle -Z

# rp_filter
for f in /proc/sys/net/ipv4/conf/*; do
echo 1 > "$f/rp_filter"
echo 0 > "$f/accept_source_route"
echo 0 > "$f/accept_redirects"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/ip_forward

# Set chain defaults
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

## Okay, the rules

# Rejects go here
/sbin/iptables -N rej
/sbin/iptables -A rej -p udp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A rej -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A rej -j DROP

# Slow reject is our packet limiter.
/sbin/iptables -N slowrej
/sbin/iptables -A slowrej -m limit --limit 12/min --limit-burst 2 -j rej
/sbin/iptables -A slowrej -j DROP

## UDP rules
/sbin/iptables -N pudp
/sbin/iptables -A pudp -p udp --dport 53 -j ACCEPT # DNS (udp)
/sbin/iptables -A pudp -p udp --dport 161 -j ACCEPT # SNMP (udp)

/sbin/iptables -A pudp -p udp --dport bootps:bootpc -j DROP
/sbin/iptables -A pudp -j slowrej

## TCP rules

# Enable services on an as-needed basis.
# Template below includes most popular services.
# Default rule (below) is to allow SSH and SNMP.
# Everything else is your responsibility.

/sbin/iptables -N ptcp

/sbin/iptables -A ptcp -p tcp --dport 161 -m state --state NEW -j ACCEPT # SNMP
/sbin/iptables -A ptcp -p tcp --dport 80 -m state --state NEW -j ACCEPT # HTTP
/sbin/iptables -A ptcp -p tcp --dport 443 -m state --state NEW -j ACCEPT # HTTPS
/sbin/iptables -A ptcp -p tcp --dport 20 -m state --state NEW -j ACCEPT # FTP
/sbin/iptables -A ptcp -p tcp --dport 21 -m state --state NEW -j ACCEPT # FTP
/sbin/iptables -A ptcp -p tcp --dport 22 -m state --state NEW -j ACCEPT # SSH
/sbin/iptables -A ptcp -p tcp --dport 2443 -m state --state NEW -j ACCEPT # Nodeworx
/sbin/iptables -A ptcp -p tcp --dport 2080 -m state --state NEW -j ACCEPT # Nodeworx
/sbin/iptables -A ptcp -p tcp --dport 25 -m state --state NEW -j ACCEPT # SMTP
/sbin/iptables -A ptcp -p tcp --dport 110 -m state --state NEW -j ACCEPT # POP3
/sbin/iptables -A ptcp -p tcp --dport 995 -m state --state NEW -j ACCEPT # POP3S
/sbin/iptables -A ptcp -p tcp --dport 143 -m state --state NEW -j ACCEPT # IMAP2
/sbin/iptables -A ptcp -p tcp --dport 993 -m state --state NEW -j ACCEPT # IMAPS
/sbin/iptables -A ptcp -p tcp --dport 3306 -m state --state NEW -j ACCEPT # mysql
/sbin/iptables -A ptcp -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS (tcp)
/sbin/iptables -A ptcp -p tcp --dport 10000 -m state --state NEW -j ACCEPT # webmin (tcp)
/sbin/iptables -A ptcp -p tcp --dport 3333 -m state --state NEW -j ACCEPT # ntop (tcp)
/sbin/iptables -A ptcp -p tcp --dport 6667 -m state --state NEW -j ACCEPT # IRCD
/sbin/iptables -A ptcp -p tcp --dport 6668 -m state --state NEW -j ACCEPT # IRCD
/sbin/iptables -A ptcp -p tcp --dport 6999 -m state --state NEW -j ACCEPT # IRCD SERVICES
/sbin/iptables -A ptcp -p tcp --dport 7029 -m state --state NEW -j ACCEPT # IRCD SERVICES
/sbin/iptables -A ptcp -p tcp --dport 7000 -m state --state NEW -j ACCEPT # HUB IRCD

/sbin/iptables -A ptcp -j slowrej

## ICMP rules
/sbin/iptables -N picmp
/sbin/iptables -A picmp -p icmp -m limit --limit 2/sec --limit-burst 2 --icmp-type echo-request -j ACCEPT
/sbin/iptables -A picmp -j DROP

# INPUT chain: Anything over loopback, and anything found in the state matching
# system is accepted.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# If you have constant abusers, block them permanently by CIDR thus:
# iptables -A INPUT -s 192.168.1.0/24 -j rej
#
# For particularly abusive servers or brain-dead software that keeps trying
# even with rej, try this instead:
# iptables -A INPUT -s 192.168.1.0/24 -j DROP

/sbin/iptables -A INPUT -p udp -j pudp
/sbin/iptables -A INPUT -p tcp -j ptcp
/sbin/iptables -A INPUT -p icmp -j picmp

For the FTP rules I would write something like:

# FTP handling
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

Is it correct?

Thanks for your help
Pascal

Hello

I still have a problem with my iptables script.
I have changed the previous one to this one, but now when I run it I lose my connection.

Here is my script


#!/bin/bash
set -e

iptables=/sbin/iptables

# Caution! Once this firewall is active,
# changes will almost certainly require a reboot,
# or at least console (the network will be unavailable).

# Load IRC & FTP modules for use behind a NAT. Usually not necessary.
/sbin/modprobe ip_conntrack_ftp

# Flush rules
$iptables -F
$iptables -X
$iptables -Z
$iptables -t mangle -F
$iptables -t mangle -X
$iptables -t mangle -Z

# rp_filter
for f in /proc/sys/net/ipv4/conf/*; do
echo 1 > "$f/rp_filter"
echo 0 > "$f/accept_source_route"
echo 0 > "$f/accept_redirects"
done
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo 0 > /proc/sys/net/ipv4/ip_forward

# Set chain defaults
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT ACCEPT

## Okay, the rules

# logs - drop
$iptables -N LOG_DROP
$iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
$iptables -A LOG_DROP -j DROP

# logs - accept
$iptables -N LOG_ACCEPT
$iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$iptables -A LOG_ACCEPT -j ACCEPT

# Rejects go here
$iptables -N rej
$iptables -A rej -p udp -j REJECT --reject-with icmp-port-unreachable
$iptables -A rej -p tcp -j REJECT --reject-with tcp-reset
$iptables -A rej -j DROP

# Slow reject is our packet limiter.
$iptables -N slowrej
$iptables -A slowrej -m limit --limit 12/min --limit-burst 2 -j rej
$iptables -A slowrej -j DROP

## UDP rules
$iptables -N pudp
$iptables -A pudp -p udp --dport 53 -j ACCEPT # DNS (udp)
$iptables -A pudp -p udp --dport 161 -j ACCEPT # SNMP (udp)

$iptables -A pudp -p udp --dport bootps:bootpc -j DROP
$iptables -A pudp -j slowrej

## TCP rules

# Enable services on an as-needed basis.
# Template below includes most popular services.
# Default rule (below) is to allow SSH and SNMP.
# Everything else is your responsibility.

$iptables -N ptcp

# INPUT chain: Anything over loopback, and anything found in the state matching
# system is accepted.
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -i lo -j ACCEPT

# FTP handling
$iptables -A ptcp -p tcp --sport 21 -m state --state ESTABLISHED -j LOG_ACCEPT
$iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j LOG_ACCEPT
$iptables -A ptcp -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
$iptables -A ptcp -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Other rules
$iptables -A ptcp -p tcp --dport 161 -m state --state NEW -j ACCEPT # SNMP
$iptables -A ptcp -p tcp --dport 80 -m state --state NEW -j ACCEPT # HTTP
$iptables -A ptcp -p tcp --dport 443 -m state --state NEW -j ACCEPT # HTTPS
$iptables -A ptcp -p tcp --dport 22 -m state --state NEW -j LOG_ACCEPT # SSH
$iptables -A ptcp -p tcp --dport 2443 -m state --state NEW -j ACCEPT # Nodeworx
$iptables -A ptcp -p tcp --dport 2080 -m state --state NEW -j ACCEPT # Nodeworx
$iptables -A ptcp -p tcp --dport 25 -m state --state NEW -j ACCEPT # SMTP
$iptables -A ptcp -p tcp --dport 110 -m state --state NEW -j ACCEPT # POP3
$iptables -A ptcp -p tcp --dport 995 -m state --state NEW -j ACCEPT # POP3S
$iptables -A ptcp -p tcp --dport 143 -m state --state NEW -j ACCEPT # IMAP2
$iptables -A ptcp -p tcp --dport 993 -m state --state NEW -j ACCEPT # IMAPS
$iptables -A ptcp -p tcp --dport 3306 -m state --state NEW -j ACCEPT # MySQL
$iptables -A ptcp -p tcp --dport 53 -m state --state NEW -j ACCEPT # DNS (tcp)
$iptables -A ptcp -p tcp --dport 10000 -m state --state NEW -j LOG_ACCEPT # webmin (tcp)
$iptables -A ptcp -p tcp --dport 3333 -m state --state NEW -j LOG_ACCEPT # ntop (tcp)
$iptables -A ptcp -p tcp --dport 6667:6668 -m state --state NEW -j ACCEPT # IRCD
$iptables -A ptcp -p tcp --dport 6999 -m state --state NEW -j ACCEPT # IRCD SERVICES
$iptables -A ptcp -p tcp --dport 7029 -m state --state NEW -j ACCEPT # IRCD SERVICES
$iptables -A ptcp -p tcp --dport 7000 -m state --state NEW -j ACCEPT # HUB IRCD

$iptables -A ptcp -j slowrej

## ICMP rules
$iptables -N picmp
$iptables -A picmp -p icmp -m limit --limit 2/sec --limit-burst 2 --icmp-type echo-request -j ACCEPT
$iptables -A picmp -j DROP

# If you have constant abusers, block them permanently by CIDR thus:
# iptables -A INPUT -s 192.168.1.0/24 -j rej
#
# For particularly abusive servers or brain-dead software that keeps trying
# even with rej, try this instead:
# iptables -A INPUT -s 192.168.1.0/24 -j DROP

$iptables -A INPUT -p udp -j pudp
$iptables -A INPUT -p tcp -j ptcp
$iptables -A INPUT -p icmp -j picmp

# logs all denies
$iptables -A INPUT -j LOG_DROP
$iptables -A OUTPUT -j LOG_DROP
$iptables -A FORWARD -j LOG_DROP

I am trying to define rules for PASV mode FTP and to log some rejects (where could I see this log?).

I think I'm not really coherent in the last lines:


$iptables -A INPUT -p udp -j pudp
$iptables -A INPUT -p tcp -j ptcp
$iptables -A INPUT -p icmp -j picmp

# logs all denies
$iptables -A INPUT -j LOG_DROP
$iptables -A OUTPUT -j LOG_DROP
$iptables -A FORWARD -j LOG_DROP

Thanks for your help
Pascal
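
The `LOG` target in the script above writes to the kernel log, so the `[IPTABLES DROP] : ` lines appear in `dmesg` and, depending on the syslog configuration, in `/var/log/messages` or `/var/log/kern.log`. The following helper is an added example (not code from the thread or from any project): it summarises such lines by direction and local port, which shows what the trailing `$iptables -A OUTPUT -j LOG_DROP` rule is catching, since that rule drops every outbound packet not matched by one of the three OUTPUT FTP rules. The sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise "[IPTABLES DROP]" kernel log lines by direction
# and local port. Feed it real lines with e.g.:
#   dmesg | summarise_drops      or      summarise_drops < /var/log/kern.log

# Constructed sample lines in the netfilter LOG format (not real traffic).
SAMPLE_LOG='Jan  5 10:00:01 srv kernel: [IPTABLES DROP] : IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51514 WINDOW=229 RES=0x00 ACK PSH URGP=0
Jan  5 10:00:01 srv kernel: [IPTABLES DROP] : IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=51514 WINDOW=229 RES=0x00 ACK PSH URGP=0
Jan  5 10:00:02 srv kernel: [IPTABLES DROP] : IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  5 10:00:03 srv kernel: [IPTABLES ACCEPT] : IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# summarise_drops: read log lines on stdin and print one line per
# (chain, protocol, local port) with a count, most frequent first.
# An empty IN= means a locally generated packet dropped in OUTPUT, so the
# local port is SPT; anything arriving on an interface was dropped in INPUT
# and the local port is DPT.
summarise_drops() {
  grep -F '[IPTABLES DROP]' | awk '
  {
    in_if = ""; proto = ""; spt = ""; dpt = "";
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=");
      if (kv[1] == "IN")         in_if = kv[2];
      else if (kv[1] == "PROTO") proto = kv[2];
      else if (kv[1] == "SPT")   spt = kv[2];
      else if (kv[1] == "DPT")   dpt = kv[2];
    }
    if (in_if == "") key = "OUTPUT " proto " local_port=" spt;
    else             key = "INPUT " proto " local_port=" dpt;
    count[key]++;
  }
  END { for (k in count) print count[k], k }' | sort -rn
}

# Run on the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

On the sample this prints `2 OUTPUT TCP local_port=22` followed by `1 INPUT TCP local_port=23`; the ACCEPT line is ignored because only the DROP prefix is matched.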

I was thinking that maybe I should not post this request in this forum.

I know that the iworx team doesn't support iptables, as it isn't an iworx-cp tool.

But maybe somebody in the iworx community would help me.

Anyway, if you think this post should not be here, then feel free to delete it (I'll understand, yep sure, even if I really need help :-p).

Thanks

Pascal

We don't (yet), Pascal, but feel free to post any/all questions regarding your server here. Btw, I did set up a box using APF last week and it may have a simple PASV FTP setup, but I didn't test it. The setup is fairly easy and the software is at:

http://www.rfxnetworks.com/apf.php

Chris

Wow!!!

It's the best script I've ever seen.

Very simple to configure, robust, possible to change rules by IP, very easy, I like it.

And it works great with FTP (found in the script):


# FTP
$IPT -A INPUT -i $IN_IF -p tcp --sport 1023:65535 --dport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $IN_IF -p tcp -m multiport --dport 21,20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $IN_IF -p udp -m multiport --dport 21,20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $OUT_IF -p tcp --dport 1023:65535 --sport 21 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $OUT_IF -p tcp -m multiport --dport 21,20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $OUT_IF -p udp -m multiport --dport 21,20 -m state --state ESTABLISHED,RELATED -j ACCEPT

I'll recommend it to everybody.

A big thank you to you, Chris.

I searched so long to find what you gave me in 3 lines.


Pascal