Been on to this for a while but haven't found the solution yet. Searching the net I found similar cases but with no answer :-(

Using iptables we can ftp to the server and access Zope FTP through port 8021, but when the ftp program tries to open another port the ftp session is timed out/blocked. When we disable the firewall we can ftp right into Zope. And yes, we use passive mode.

Running Zope 2.5.1 built from source, Python 2.1.3 built from source rpm, Red Hat 7.3 on a Dell PowerApp 120.

What's wrong? TIA, Roel.

Here is the script I'm using now:

#!/bin/sh

# Local Settings
SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="x.x.x.x"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi

# Load Modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed! Now running with no firewall."
    exit 0
fi

# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Create a chain to filter INVALID packets
$IPT -N bad_packets

# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet:"
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP

# udp_inbound chain
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
$IPT -A tcp_inbound -p TCP -d 224.0.0.1 -j DROP

# Web Server
# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# HTTPS (Secure Web Server)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT

# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 8021 -j ACCEPT   # added by PI

# FTP Client (Data Port for non-PASV transfers)
# (a space is needed before the trailing '#'; without it the shell hands
# iptables the target name 'ACCEPT#' and the rule is not loaded)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 8020 -j ACCEPT   # added by PI
# This one is appended to INPUT itself, ahead of every INPUT rule below,
# so it accepts any non-SYN packet from source port 8021 to a high port
# before bad_packets or the state match ever see it.
$IPT -A INPUT -p TCP ! --syn --source-port 8021 --destination-port 1024:65535 -j ACCEPT   # added by PI

# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Email Server (POP3)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Email Server (IMAP4)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
$IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP

# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "

# OUTPUT Chain
# Invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "
Try:

insmod ip_nat_ftp ports=21,8021
insmod ip_conntrack_ftp ports=21,8021

This will track the ports and will allocate and free them automatically. This works fine for me, although I don't have all this iptables config mess...

k
--
don't believe everything you think

On Tue, 22 Oct 2002, Roel Van den Bergh wrote:
Been on to this for a while but haven't found the solution yet.
Searching the net I found similar cases but with no answer :-(
Using iptables we can ftp to the server and access Zope FTP through port 8021, but when the ftp program tries to open another port the ftp session is timed out/blocked.
When we disable the firewall we can ftp right into Zope. And yes, we use passive mode.
Running Zope 2.5.1 built from source, Python 2.1.3 built from source rpm, Red Hat 7.3 on a Dell PowerApp 120.
What's wrong? TIA, Roel.
_______________________________________________
Zope maillist - Zope@zope.org
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
Thanks for the quick response :-)

Tried this first without success:

# Load Modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp ports=21,8021
/sbin/modprobe ip_conntrack_ftp ports=21,8021
/sbin/modprobe ip_conntrack_irc

Then tried the following:

[root@server sbin]# rmmod ip_nat_ftp
[root@server sbin]# insmod ip_nat_ftp ports=21,8021

worked fine, but I do not seem to be able to do the same with ip_conntrack_ftp:

[root@server sbin]# rmmod ip_conntrack_ftp
ip_conntrack_ftp: Device or resource busy

Used Webmin to track down dependencies without success; tried to use depmod but it doesn't help me:

[root@server sbin]# depmod -n ip_conntrack_ftp
# module id=string
# pci module vendor device subvendor subdevice class class_mask driver_data
# isapnp module cardvendor carddevice driver_data vendor function ...
# usb module match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi bDeviceClass bDeviceSubClass bDeviceProtocol bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
# module pattern
# ieee1394 module match_flags vendor_id model_id specifier_id version
# module id

Any hints? TIA, Roel.
-----Original Message-----
From: keo [mailto:keo@goa.hu]
Sent: Tuesday, 22 October 2002 17:33
To: Roel Van den Bergh
CC: zope@zope.org
Subject: Re: [Zope] iptables locks out zope ftp
Try:

insmod ip_nat_ftp ports=21,8021
insmod ip_conntrack_ftp ports=21,8021

This will track the ports and will allocate and free them automatically.
This works fine for me, although I don't have all this iptables config mess...

k
--
don't believe everything you think
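Added example, not part of the thread and not keo's or Roel's code: a script that does what keo's insmod advice and the "Device or resource busy" above come down to. ip_nat_ftp holds a reference on ip_conntrack_ftp, so the conntrack helper can only be removed after the NAT helper; and modprobe on a module that is already loaded keeps its old parameters, so adding ports= to a firewall script that runs after boot changes nothing until both modules are unloaded and reloaded. With the helper watching 8021, passive and active data connections arrive as RELATED and the firewall needs no --source-port 8020 or 1024:65535 rules. The RUN dry-run variable, the /sbin paths, the port list, the /etc/modules.conf location and the /proc/net/ip_conntrack sample lines are all assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Reload the Linux 2.4 FTP conntrack
# helpers so they watch extra control ports, and emit the iptables rules
# that rely on the helper instead of opening source ports or port ranges.
# Assumptions: 2.4 modutils (rmmod/modprobe in /sbin), helper modules
# ip_conntrack_ftp and ip_nat_ftp, /etc/modules.conf for persistence.
# Set RUN=echo to print the commands instead of executing them.

RUN="${RUN:-}"                   # empty executes, "echo" dry-runs
IPT="${IPT:-/sbin/iptables}"
PORTS="${PORTS:-21,8021}"        # control ports the helper should watch
INET_IFACE="${INET_IFACE:-eth0}"

# ip_nat_ftp depends on ip_conntrack_ftp, so the conntrack helper is
# "busy" until the NAT helper is removed first. Reload both with the same
# ports= list; a modprobe of an already loaded module keeps old parameters.
ftp_helper_reload() {
    ports="$1"
    $RUN /sbin/rmmod ip_nat_ftp 2>/dev/null
    $RUN /sbin/rmmod ip_conntrack_ftp 2>/dev/null
    $RUN /sbin/modprobe ip_conntrack_ftp ports="$ports"
    $RUN /sbin/modprobe ip_nat_ftp ports="$ports"
}

# Lines to put in /etc/modules.conf (assumed location) so the next boot
# loads the helpers with the same port list.
ftp_helper_modconf() {
    printf 'options ip_conntrack_ftp ports=%s\n' "$1"
    printf 'options ip_nat_ftp ports=%s\n' "$1"
}

# Inbound rules for FTP: one NEW-accept per control port. Data connections,
# active or passive, match RELATED once the helper has parsed the PORT/PASV
# exchange, so there is no --source-port 20/8020 hole and no 1024:65535 range.
ftp_rules() {
    iface="$1"
    ports="$2"
    $RUN $IPT -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $(printf '%s' "$ports" | tr ',' ' '); do
        $RUN $IPT -A INPUT -i "$iface" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
}

# Count control connections on the helper ports in a 2.4-style
# /proc/net/ip_conntrack listing read from stdin. A data connection that
# appears as a plain ESTABLISHED entry while this count is zero means the
# helper never saw the control channel (wrong or missing ports=).
ftp_control_count() {
    pat="$(printf '%s' "$1" | tr ',' '|')"
    grep -c -E " dport=($pat) " || true
}

# Constructed sample of /proc/net/ip_conntrack: a control connection to
# 8021, the passive data connection that belongs to it, and an unrelated
# half-open ssh attempt.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=40123 dport=8021 src=192.0.2.1 dst=192.0.2.10 sport=8021 dport=40123 [ASSURED] use=1
tcp      6 299 ESTABLISHED src=192.0.2.10 dst=192.0.2.1 sport=40124 dport=55321 src=192.0.2.1 dst=192.0.2.10 sport=55321 dport=40124 [ASSURED] use=1
tcp      6 60 SYN_SENT src=192.0.2.50 dst=192.0.2.1 sport=3001 dport=22 [UNREPLIED] src=192.0.2.1 dst=192.0.2.50 sport=22 dport=3001 use=1'

if [ "${1:-}" = "apply" ]; then
    ftp_helper_reload "$PORTS"
    ftp_rules "$INET_IFACE" "$PORTS"
elif [ "${1:-}" = "show" ]; then
    RUN=echo
    ftp_helper_reload "$PORTS"
    ftp_helper_modconf "$PORTS"
    ftp_rules "$INET_IFACE" "$PORTS"
    printf '%s\n' "$SAMPLE_CONNTRACK" | ftp_control_count "$PORTS"
fi
```

Run it with "show" to see the commands and the sample count without touching the kernel, and with "apply" as root on the box itself; on a live system replace the sample with "cat /proc/net/ip_conntrack | ftp_control_count 21,8021" after opening an FTP session to confirm the control channel is being tracked.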