From: Dave M. <de...@st...> - 2004-12-16 14:04:14
Found it! insmod ip_nat_ftp . That was what was stopping our transmissions.
The module wasn't loading into the kernel.

Dave

---------- Original Message -----------
From: Alex Prinsier <ap...@ap...>
To: dev...@li...
Sent: Thu, 16 Dec 2004 14:15:29 +0100
Subject: Re: [Devil-Linux-discuss] Iptables Firewall Woes - ftp not being passed.

> Without needing to study your rules, my first guess would be you are
> blocking the ftp-data port (standard is port 20). You need that open
> both inbound and outbound.
>
> Hope it helps,
> Alex
>
> Dave Mullen wrote:
>
> >Hey guys,
> >
> >I've run into a problem. I have built a custom devil cd based off of 1.2
> >(with your help!) and brought along my company's firewall rules from our old
> >RH 8 based firewall. Now, after 3 or so attempts with outages, etc. we got it
> >running great, minus ftp.
> >
> >For some reason, our ftp will allow us to go out, and connect, but we cannot
> >do an ls to get a directory listing in any mode, including passive.
> >
> >So, I hoped maybe someone out there with a bit more experience with IPtables
> >could tell me what I'm missing!
> >
> >I'll attach it as a text as well as paste it in here.
> >
> >Help help!
> >
> >Thanks in advance,
> >
> >Dave Mullen
> >
> >=-=-=- our firewall mess! =-=-=-
> >*nat
> >:PREROUTING ACCEPT [2254:147408]
> >:POSTROUTING ACCEPT [15:1961]
> >:OUTPUT ACCEPT [45:3761]
> >:NLOGNDROP - [0:0]
> >:NCORPORATEFILTER - [0:0]
> >:NATIT - [0:0]
> >:VPNFILTER - [0:0]
> >:FILE - [0:0]
> >:FULL - [0:0]
> >:MAIL - [0:0]
> >-A PREROUTING -i eth3 -j VPNFILTER
> >-A PREROUTING -p tcp -m tcp --dport 137 -j DROP
> >-A PREROUTING -p tcp -m tcp --dport 138 -j DROP
> >-A PREROUTING -p tcp -m tcp --dport 139 -j DROP
> >-A PREROUTING -p udp -m udp --dport 137 -j DROP
> >-A PREROUTING -p udp -m udp --dport 138 -j DROP
> >-A PREROUTING -p udp -m udp --dport 139 -j DROP
> >-A PREROUTING -i eth0 -j NCORPORATEFILTER
> >-A PREROUTING -i eth2 -j ACCEPT
> >-A PREROUTING -j NLOGNDROP
> >-A POSTROUTING -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
> >-A POSTROUTING -o eth3 -j ACCEPT
> >-A POSTROUTING -o eth2 -j ACCEPT
> >-A POSTROUTING -o eth1 -j NATIT
> >-A NLOGNDROP -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
> >-A NLOGNDROP -j DROP
> >-A NCORPORATEFILTER -o eth3 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 443:444 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 20:23 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 4403 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 1433 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 389 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 488 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 7741 -j ACCEPT
> >-A NCORPORATEFILTER -i eth0 -p tcp -m tcp --dport 8013 -j ACCEPT
> >-A NCORPORATEFILTER -s 10.148.10.7 -d 123.456.789.196 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> >-A NCORPORATEFILTER -s 10.148.10.7 -d 123.456.789.197 -i eth0 -p tcp -m tcp --dport 25 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.251.24 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.251.24 -i eth0 -p tcp -m tcp --dport 1090 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.251.24 -i eth0 -p tcp -m tcp --dport 554 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.251.30 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.251.30 -i eth0 -p tcp -m tcp --dport 1090 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.251.30 -i eth0 -p tcp -m tcp --dport 554 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.249.39 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.249.39 -i eth0 -p tcp -m tcp --dport 1090 -j ACCEPT
> >-A NCORPORATEFILTER -s 192.168.249.39 -i eth0 -p tcp -m tcp --dport 554 -j ACCEPT
> >-A NCORPORATEFILTER -s 10.148.210.148 -i eth0 -p tcp -m tcp --dport 7070 -j ACCEPT
> >-A NCORPORATEFILTER -s 10.148.210.148 -i eth0 -p tcp -m tcp --dport 1090 -j ACCEPT
> >-A NCORPORATEFILTER -s 10.148.210.148 -i eth0 -p tcp -m tcp --dport 554 -j ACCEPT
> >-A NCORPORATEFILTER -s 10.148.254.44 -i eth0 -d 123.456.789.7 -p tcp -m tcp --dport 774 -j ACCEPT
> >-A NCORPORATEFILTER -s 10.148.254.44 -i eth0 -d 123.456.789.3 -p tcp -m tcp --dport 774 -j ACCEPT
> >-A NATIT -j SNAT --to-source 123.456.789.11
> >-A VPNFILTER -o eth1 -j NLOGNDROP
> >-A VPNFILTER -d 10.148.10.64 -i eth3 -j NLOGNDROP
> >-A VPNFILTER -d 10.148.10.62 -i eth3 -j NLOGNDROP
> >-A VPNFILTER -d 10.148.10.63 -i eth3 -j NLOGNDROP
> >-A VPNFILTER -d 10.148.220.58 -i eth3 -j NLOGNDROP
> >-A VPNFILTER -d 10.148.10.59 -i eth3 -j NLOGNDROP
> >-A VPNFILTER -d 10.148.10.58 -i eth3 -j NLOGNDROP
> >-A VPNFILTER -s 10.7.0.0/16 -d 192.168.248.197 -i eth3 -j ACCEPT
> >-A VPNFILTER -s 10.7.0.0/16 -d 10.148.10.208 -i eth3 -j ACCEPT
> >-A VPNFILTER -s 10.7.0.0/16 -d 10.148.10.12 -i eth3 -j ACCEPT
> >-A VPNFILTER -s 10.7.0.0/16 -d 10.148.10.80 -i eth3 -j ACCEPT
> >-A VPNFILTER -s 10.7.0.0/16 -i eth3 -d 10.148.0.0/16 -p tcp -m tcp --dport 80 -j ACCEPT
> >-A VPNFILTER -s 10.7.0.0/16 -i eth3 -d 10.148.0.0/16 -p tcp -m tcp --dport 443 -j ACCEPT
> >-A VPNFILTER -s 10.7.1.0/24 -i eth3 -j FULL
> >-A VPNFILTER -s 10.7.2.0/24 -i eth3 -j FILE
> >-A VPNFILTER -s 10.7.3.0/24 -i eth3 -j MAIL
> >-A VPNFILTER -j NLOGNDROP
> >-A FULL -s 10.7.1.0/24 -d 10.148.0.0/16 -i eth3 -j ACCEPT
> >-A FULL -s 10.7.1.0/24 -d 192.168.0.0/16 -i eth3 -j ACCEPT
> >-A FULL -j NLOGNDROP
> >-A FILE -s 10.7.2.0/24 -d 10.148.0.0/16 -i eth3 -p tcp -m tcp --dport 137:139 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 10.148.0.0/16 -i eth3 -p udp -m udp --dport 137:139 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 10.148.0.0/16 -i eth3 -p tcp -m tcp --dport 21 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 10.148.0.0/16 -i eth3 -p tcp -m tcp --dport 515 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 192.168.0.0/16 -i eth3 -p tcp -m tcp --dport 137:139 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 192.168.0.0/16 -i eth3 -p udp -m udp --dport 137:139 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 192.168.0.0/16 -i eth3 -p tcp -m tcp --dport 21 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 10.148.0.0/16 -i eth3 -p tcp -m tcp --dport 515 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 192.168.0.0/16 -i eth3 -p tcp -m tcp --dport 137:139 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 192.168.0.0/16 -i eth3 -p udp -m udp --dport 137:139 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 192.168.0.0/16 -i eth3 -p tcp -m tcp --dport 21 -j ACCEPT
> >-A FILE -s 10.7.2.0/24 -d 192.168.0.0/16 -i eth3 -p tcp -m tcp --dport 515 -j ACCEPT
> >-A FILE -j NLOGNDROP
> >-A MAIL -j NLOGNDROP
> >COMMIT
> ># Completed on Wed May 7 06:56:00 2003
> ># Generated by iptables-save v1.2.6a on Wed May 7 06:56:00 2003
> >*filter
> >:INPUT DROP [0:0]
> >:FORWARD ACCEPT [0:0]
> >:OUTPUT ACCEPT [65:8739]
> >:LOGNDROP - [0:0]
> >:POSTROUTING - [0:0]
> >:STATEFUL - [0:0]
> >:CORPORATEFILTER - [0:0]
> >-A INPUT -i lo -j ACCEPT
> >-A INPUT -i eth2 -j ACCEPT
> >-A INPUT -p tcp -m tcp --dport 137 -j DROP
> >-A INPUT -p tcp -m tcp --dport 138 -j DROP
> >-A INPUT -p tcp -m tcp --dport 139 -j DROP
> >-A INPUT -p udp -m udp --dport 137 -j DROP
> >-A INPUT -p udp -m udp --dport 138 -j DROP
> >-A INPUT -p udp -m udp --dport 139 -j DROP
> >-A INPUT -j STATEFUL
> >-A OUTPUT -o lo -j ACCEPT
> >-A LOGNDROP -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
> >-A LOGNDROP -j DROP
> >-A STATEFUL -i eth0 -m state --state NEW -j CORPORATEFILTER
> >-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
> >-A STATEFUL -j LOGNDROP
> >-A CORPORATEFILTER -i eth0 -j LOG --log-tcp-sequence --log-tcp-options --log-ip-options
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.244 -m tcp --dport 80 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.244 -m tcp --dport 8080 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.244 -m tcp --dport 443:444 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.244 -m tcp --dport 7741 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.245 -m tcp --dport 80 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.245 -m tcp --dport 8080 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.245 -m tcp --dport 443:444 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.245 -m tcp --dport 7741 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.246 -m tcp --dport 80 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.246 -m tcp --dport 8080 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.246 -m tcp --dport 443:444 -j ACCEPT
> >-A CORPORATEFILTER -i eth0 -p tcp -d 10.148.254.246 -m tcp --dport 7741 -j ACCEPT
> >
> >-A CORPORATEFILTER -j LOGNDROP
> >COMMIT
>
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
------- End of Original Message -------
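A worked illustration of why loading the FTP helper fixed both active and passive mode, added here and not code from the thread: it decodes the endpoint that a PASV reply or PORT command announces, which is the inspection ip_conntrack_ftp performs on the control channel, and runs the resulting data connection through a simplified model of the posted rule set (the NCORPORATEFILTER allow list for NEW connections from eth0 and the STATEFUL chain's RELATED,ESTABLISHED rule). The client/server addresses, the sample control lines, and the assumption that an expected (RELATED) connection is not subjected to the per-port allow list are constructed for the example.

```python
import re

# Constructed sample (not from the thread): client on the LAN side (eth0), server on the internet side (eth1) behind SNAT.
CLIENT_IP, SERVER_IP = "10.148.10.7", "198.51.100.10"
PASV_REPLY = "227 Entering Passive Mode (198,51,100,10,195,235)"  # server data port 50155
PORT_CMD = "PORT 10,148,10,7,4,1"                                 # client data port 1025

# Destination ports the thread's NCORPORATEFILTER accepts for NEW connections from eth0; the rest hit NLOGNDROP.
ALLOWED_NEW_DPORTS = {80, 8080, 443, 444, 20, 21, 22, 23, 4403, 1433, 389, 488, 7741, 8013}

ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_ftp_endpoint(line):
    """Decode the h1,h2,h3,h4,p1,p2 tuple of a PASV reply or PORT command into
    (ip, port). This is the inspection the FTP conntrack helper performs."""
    if not (line.startswith("227") or line.startswith("PORT")):
        return None
    m = ENDPOINT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def expected_data_connection(line):
    """The data connection a control message announces. PASV: the client opens a
    new connection to server:port (arrives on eth0). PORT: the server connects
    from port 20 to client:port (arrives on eth1)."""
    ep = parse_ftp_endpoint(line)
    if ep is None:
        return None
    if line.startswith("227"):
        return {"src": CLIENT_IP, "dst": ep[0], "dport": ep[1], "in": "eth0"}
    return {"src": SERVER_IP, "dst": ep[0], "dport": ep[1], "in": "eth1"}

def verdict(conn, helper_loaded):
    """Simplified model of the posted rule set for the first data packet.
    With ip_conntrack_ftp/ip_nat_ftp loaded the helper has registered the
    connection as expected, so it is RELATED and the STATEFUL rule accepts it
    (assumption: expected connections bypass the per-port allow list).
    Without the helper the same packet is NEW."""
    if helper_loaded:
        return "ACCEPT"
    if conn["in"] == "eth0":  # LAN-side NEW connection: NCORPORATEFILTER allow list
        return "ACCEPT" if conn["dport"] in ALLOWED_NEW_DPORTS else "NLOGNDROP"
    # Active mode without ip_nat_ftp: the PORT command still carries the private
    # LAN address, and nothing in PREROUTING accepts NEW connections from eth1.
    return "NLOGNDROP"
```

Passive mode fails without the helper because the server picks a high port that is not in the allow list; active mode fails because the private address in PORT is never rewritten and the server's inbound connection has no matching rule.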