[Zope] iptables locks out zope ftp
keo
keo@goa.hu
Tue, 22 Oct 2002 17:32:38 +0200 (CEST)
try :
insmod ip_nat_ftp ports=21,8021
insmod ip_conntrack_ftp ports=21,8021
this will track ports and will allocate and free them automatically.
this works fine for me. altough i dont have all this iptables config
mess...
k
-- don't believe everything you think
On Tue, 22 Oct 2002, Roel Van den Bergh wrote:
> been on to this for a while but haven't found the solution yet
>
> Searching the net I found similar cases but with no answer :-(
>
> using iptables we can ftp to the server and access zope ftp through port
> 8021
> but when the ftp program tries to open another port the ftp session is
> timed-out/blocked.
>
> When we disable the firewall we can ftp right into zope
> And yes we use passive mode
>
> Running zope 2.5.1 build from source, pyhon 2.1.3 build from source rpm,
> redhat 7.3 on dell powerapp 120
>
> What's wrong?
> TIA, Roel.
>
> here is the script I'm using now:
>
> #!/bin/sh
> # Local Settings
>
> SYSCTL="/sbin/sysctl -w"
>
> IPT="/sbin/iptables"
> IPTS="/sbin/iptables-save"
> IPTR="/sbin/iptables-restore"
>
> # Internet Interface
> INET_IFACE="eth0"
> INET_ADDRESS="x.x.x.x"
>
> # Localhost Interface
>
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
>
> # Save and Restore arguments handled here
> if [ "$1" = "save" ]
> then
> echo -n "Saving firewall to /etc/sysconfig/iptables ... "
> $IPTS > /etc/sysconfig/iptables
> echo "done"
> exit 0
> elif [ "$1" = "restore" ]
> then
> echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
> $IPTR < /etc/sysconfig/iptables
> echo "done"
> exit 0
> fi
>
> # Load Modules
>
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
>
> if [ "$SYSCTL" = "" ]
> then
> echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
> else
> $SYSCTL net.ipv4.conf.all.rp_filter="1"
> fi
>
> # Reset Default Policies
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
> $IPT -t mangle -P PREROUTING ACCEPT
> $IPT -t mangle -P OUTPUT ACCEPT
>
> # Flush all rules
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
>
> # Erase all non-default chains
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
>
> if [ "$1" = "stop" ]
> then
> echo "Firewall completely flushed! Now running with no firewall."
> exit 0
> fi
>
> # Set Policies
>
> $IPT -P INPUT DROP
> $IPT -P OUTPUT DROP
> $IPT -P FORWARD DROP
>
> # Create a chain to filter INVALID packets
> $IPT -N bad_packets
>
> # Create another chain to filter bad tcp packets
> $IPT -N bad_tcp_packets
>
> # Create separate chains for icmp, tcp (incoming and outgoing),
> # and incoming udp packets.
> $IPT -N icmp_packets
>
> # Used for UDP packets inbound from the Internet
> $IPT -N udp_inbound
>
> # Used to block outbound UDP services from internal network
> # Default to allow all
> $IPT -N udp_outbound
>
> # Used to allow inbound services if desired
> # Default fail except for established sessions
> $IPT -N tcp_inbound
>
> # Used to block outbound services from internal network
> # Default to allow all
> $IPT -N tcp_outbound
>
> # Drop INVALID packets immediately
> $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
> --log-prefix "Invalid packet:"
> $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
>
> # Then check the tcp packets for additional problems
> $IPT -A bad_packets -p tcp -j bad_tcp_packets
>
> # All good, so return
> $IPT -A bad_packets -p ALL -j RETURN
>
> # bad_tcp_packets chain
> $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
> --log-prefix "New not syn:"
> $IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>
> # All good, so return
> $IPT -A bad_tcp_packets -p tcp -j RETURN
>
> # icmp_packets chain
> # Time Exceeded
> $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>
> # Not matched, so return so it will be logged
> $IPT -A icmp_packets -p ICMP -j RETURN
>
> # TCP & UDP
> # udp_inbound chain
> $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
> $IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
>
> # Not matched, so return for logging
> $IPT -A udp_inbound -p UDP -j RETURN
>
> # udp_outbound chain
> $IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT
>
> # tcp_inbound chain
> $IPT -A tcp_inbound -p TCP -d 224.0.0.1 -j DROP
>
> # Web Server
> # HTTP
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
>
> # HTTPS (Secure Web Server)
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 443 -j ACCEPT
>
> # FTP Server (Control)
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 8021 -j ACCEPT # added
> by PI
>
> # FTP Client (Data Port for non-PASV transfers)
> $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
> $IPT -A tcp_inbound -p TCP -s 0/0 --source-port 8020 -j ACCEPT# added by PI
> $IPT -A INPUT -p TCP ! --syn --source-port 8021 --destination-port
> 1024:65535 -j ACCEPT# added by PI
>
> # Email Server (SMTP)
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
>
> # Email Server (POP3)
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
>
> # Email Server (IMAP4)
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
>
> # sshd
> $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
>
> # Not matched, so return so it will be logged
> $IPT -A tcp_inbound -p TCP -j RETURN
>
> # tcp_outbound chain
> $IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
>
> # Allow all on localhost interface
> $IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
>
> # Drop bad packets
> $IPT -A INPUT -p ALL -j bad_packets
>
> # Inbound Internet Packet Rules
>
> # Accept Established Connections
> $IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
> -j ACCEPT
>
> # Route the rest to the appropriate user chain
> $IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
> $IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
> $IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
>
> # Drop without logging broadcasts that get this far.
> $IPT -A INPUT -p ALL -d 255.255.255.255 -j DROP
>
> # Log packets that still don't match
> $IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
> --log-prefix "INPUT packet died: "
>
> # FORWARD Chain
> # However, invalid icmp packets need to be dropped
> # to prevent a possible exploit.
> $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
>
> # Localhost
> $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
> $IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
>
> # To internet
> $IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
>
> # Log packets that still don't match
> $IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
> --log-prefix "OUTPUT packet died: "
>
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://lists.zope.org/mailman/listinfo/zope-announce
> http://lists.zope.org/mailman/listinfo/zope-dev )
>
>