Gentoo Forums
configure iptables for internal and external ftp
Gentoo Forums Forum Index :: Networking & Security
yuilsa
n00b
Joined: 11 Mar 2005
Posts: 54

Posted: Thu Sep 29, 2005 1:25 am    Post subject: configure iptables for internal and external ftp

Hi, I'm trying to set up FTP so that people on my LAN can access it, but also people not on my LAN. I just installed ProFTPd as seen here:

http://gentoo-wiki.com/HOWTO_setup_a_home-server

Now, I am having some trouble setting up iptables correctly. I know my firewall isn't the most secure (I allow all outgoing), but I could use some help getting FTP working...and if you see any glaring problems with anything else. For example, when I allow incoming Samba, should I allow it only for eth1?

Code:

#!/bin/bash

IPTABLES='/sbin/iptables'

# Set interface values
# eth0 is public
# eth1 is private
IF0='eth0'
IF1='eth1'

# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

# create blacklist chain
$IPTABLES -N BLACKLIST

# if some process isn't using Unix sockets, then it needs a local connection (?)
# so we allow loopback
echo -e "       - Allowing loopback from lo"
$IPTABLES -A INPUT -i lo -j ACCEPT

# if the traffic is related or established, then accept it
echo -e "       - Accepting RELATED and ESTABLISHED traffic"
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# send SSH requests to BLACKLIST chain
echo -e "       - Sending all SSH traffic to BLACKLIST"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j BLACKLIST

# allow incoming SSH that makes it through BLACKLIST
echo -e "       - Allowing nonBLACKLISTed traffic access to SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT

# allow incoming HTTP
echo -e "       - Allowing access to HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT

# allow incoming samba
echo -e "       - Allowing SAMBA access"
$IPTABLES -A INPUT --protocol tcp --dport 139 -j ACCEPT
$IPTABLES -A INPUT --protocol udp --dport 137:138 -j ACCEPT

# allow incoming azureus
echo -e "       - Allow Azureus access"
$IPTABLES -A INPUT --protocol tcp --tcp-flags SYN,RST,ACK SYN --dport 6970 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --tcp-flags SYN,RST,ACK SYN --dport 6883 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT --protocol udp --dport 6970 -m state --state NEW -j ACCEPT

# block all other incoming traffic
echo -e "       - Dropping all other incoming traffic"
$IPTABLES -A INPUT -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -m state --state NEW,INVALID -j DROP


I read http://slacksite.com/other/ftp.html and I must confess, I am confused about where to start.

Thanks.
SnarlCat
n00b
Joined: 21 Sep 2005
Posts: 40

Posted: Thu Sep 29, 2005 12:29 pm

Ok.. a few things I notice..

So I'm guessing you trust people on your private LAN.. so allow them to "do anything":
Code:

echo -e "       - Allowing loopback from eth1"
$IPTABLES -A INPUT -i eth1 -j ACCEPT


And you'll need to open up 21 (ftp) and 20 (ftp-data) to allow FTP through to your server:
Code:

# allow incoming FTP (the multiport match is loaded with -m multiport and takes --dports, no spaces in the list)
echo -e "       - Allowing access to FTP server"
$IPTABLES -A INPUT --protocol tcp -m multiport --dports ftp,ftp-data -j ACCEPT


The last block says to "drop everything else".. well, IPTables has that built-in --
Code:

# setting default INPUT policy to DROP
$IPTABLES -P INPUT DROP


It's also likely you'll want to do this for all the chains and targets..

If you're serious about building a decent firewall, check out the man page for iptables and the IPTables Tutorial http://iptables-tutorial.frozentux.net/iptables-tutorial.html and dig around to find examples.. You can really protect your box and network with some crafty rules..

The command 'iptables' reloads the entire ruleset each time it's called (your script calls it every time..) -- check out iptables-save and iptables-restore for your baseline rules. iptables-restore will queue up all your rules, and "call" iptables once to get everything loaded.. It's a slight modification to your existing script..

Hope this helps, and if you need more or need help getting stuff "just right", let us know..
_________________
--

Our OS who art in CPU, UNIX be thy name.
Thy programs run, thy syscalls
done, In kernel as it is in user!
adaptr
Watchman
Joined: 06 Oct 2002
Posts: 6730
Location: Rotterdam, Netherlands

Posted: Thu Sep 29, 2005 12:29 pm

There are several problems with that setup.
First, set your policy to DROP; don't add DROP rules inside a chain unless you need weird exclusions.

Next, you should not ever open up the SMB ports to the outside.
It's both useless and, in the case of internal Win clients, dangerous.

Then - where is the blacklist chain?
There is not a single rule in it, so SSH simply doesn't work as you posted it.

For simplicity - and to keep your sanity - I propose the following:
- create an EXTERNAL chain that takes all traffic from the Internet as soon as it is received, and process any rules you need in there.
- allow anything from the LAN and loopback unlimited access, since you indicate you want that anyway.
- set your INPUT policy to DROP, which means anything that does not get matched in either the INPUT or EXTERNAL chains is silently discarded - prudence is safety!

One really has to think about how to set up iptables before going in gung-ho with the rules...
Diagrams often help here.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
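The layout adaptr proposes (INPUT policy DROP, loopback and the LAN trusted, an EXTERNAL chain for the public interface) together with SnarlCat's points about FTP and iptables-restore, as an added example that is not code from any post in this thread. eth0/eth1 follow the original script; the rules file path in the final comment and the use of the kernel FTP conntrack helper for passive-mode data connections are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread): print a ruleset in iptables-restore
# format that follows the advice above: INPUT policy DROP, loopback and the LAN
# trusted, an EXTERNAL chain for the public interface, FTP opened on port 21 with
# passive-mode data connections admitted as RELATED by the kernel FTP helper.
# Interface names are assumptions; adjust them for your host.
PUB_IF='eth0'   # public side (assumed, as in the original script)
LAN_IF='eth1'   # private side (assumed, as in the original script)

# build_ruleset prints the whole *filter table for iptables-restore.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:EXTERNAL - [0:0]
# loopback and the trusted LAN may do anything
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -j ACCEPT
# replies, plus FTP data connections tagged RELATED by ip_conntrack_ftp/nf_conntrack_ftp
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# everything else arriving on the public interface is judged in EXTERNAL
-A INPUT -i $PUB_IF -j EXTERNAL
# EXTERNAL: only services meant for the Internet; SMB (137-139) is deliberately absent
-A EXTERNAL -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A EXTERNAL -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A EXTERNAL -p tcp --dport 21 -m state --state NEW -j ACCEPT
# no match in EXTERNAL returns to INPUT, whose DROP policy discards the packet
COMMIT
EOF
}

# rule_count prints how many -A rules the ruleset carries (a quick sanity check).
rule_count() { build_ruleset | grep -c '^-A '; }

# public_ports prints the TCP ports EXTERNAL accepts, one per line, for review.
public_ports() {
    build_ruleset | sed -n 's/^-A EXTERNAL -p tcp --dport \([0-9]*\) .*/\1/p'
}

# Load it (as root) with the FTP helper present, then keep the file for reboots
# (path is an example, use whatever your init script restores from):
#   modprobe nf_conntrack_ftp   # ip_conntrack_ftp on 2.6-era kernels
#   build_ruleset > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Without the FTP helper loaded, passive-mode data connections never become RELATED and the DROP policy discards them; if you would rather not rely on the helper, set a PassivePorts range in ProFTPd and accept that range explicitly in EXTERNAL.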
yuilsa
n00b
Joined: 11 Mar 2005
Posts: 54

Posted: Sat Oct 01, 2005 12:23 am

Thanks for the help guys. I'll make the changes suggested.

Quote:

The command 'iptables' reloads the entire ruleset each time it's called (your script calls it every time..) -- check out iptables-save and iptables-restore for your baseline rules. iptables-restore will queue up all your rules, and "call" iptables once to get everything loaded.. It's a slight modification to your existing script..


Actually, I am using this...I only call this script when I want to change the firewall rules...on shutdown, iptables-save is called...on reboot, iptables-restore is called.

Quote:

Then - where is the blacklist chain?
There is not a single rule in it, so SSH simply doesn't work as you posted it.


Sorry, I didn't mention this. I am using sshblack
http://www.pettingers.org/code/sshblack.html

It is a script that runs in the background and adds "dangerous" users to the blacklist.

Anyway, thanks for everything guys.