my configuration - ftp is not working

27 Sep 2001


      Here is my configuration script.
Ftp clients from my lan (specified in table "ids") can not retreive file
lists from ftp servers
can you help me please???


# FIREWALL DE IDS #
echo "***** Ejecutando Firewall... ********************"

# CARGA DE MODULOS

modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat

# variables
LAN_IDS="172.16.0.0/255.255.0.0"
LAN_DMZ="192.168.0.0/255.255.255.0"
ANYIP="0/0"
IP_LAN="172.16.100.100"
IP_PUB="217.149.0.xx0"
IP_DMZ="192.168.0.1"
INT_LAN="eth0"
INT_PUB="eth1"
INT_DMZ="eth2"
UNPRIVPORTS="1024:65535"

        #ortografia: DMZWEB_num-servidor_num-ip-virtual

DMZWEB_0_0="192.168.0.100"
DMZWEB_0_1="192.168.0.101"
DMZWEB_1_0="192.168.0.200"

PUBLIC_DMZWEB_0_0="217.149.0.xx1"
PUBLIC_DMZWEB_0_1="217.149.0.xx2"
PUBLIC_DMZWEB_1_0="217.149.0.xx5"

DNS1="217.149.0.10"
DNS2="217.149.0.11"

# Añadir ip's publicas virtuales

ip address add $PUBLIC_DMZWEB_0_0 dev $INT_PUB
ip address add $PUBLIC_DMZWEB_0_1 dev $INT_PUB
ip address add $PUBLIC_DMZWEB_1_0 dev $INT_PUB

# CLEAR IPTABLES

iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# aciva el proxy arp para la dmz y para la lan

#echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
#echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

# activa el forwarding

echo 1 > /proc/sys/net/ipv4/ip_forward

# proteccion anti spoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f;
done
#*/#

#proteccion TCP SYN Cookie
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#activa el always defrag
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag

#proteccion echo broadcast
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_bogus_error_broadcasts

#desactiva aceptacion de redireccon icmp
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
#*/#

#deshabilita los paquetes SRP (Source Route)
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
#*/#

#registra los spoofed packets, source routed packets, redirect packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > $f
done
#*/#


# Politica por defecto
echo "Configurando políticas por defecto"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Crear nuevas tablas
echo "Creando nuevas tablas"
iptables -N dmz
iptables -N ids
iptables -N loopback
#iptables -N lan_dmz

echo "Relacionando nuevas tablas"
iptables -A FORWARD -s $ANYIP -d $LAN_DMZ -j dmz
iptables -A FORWARD -s $LAN_DMZ -j dmz
iptables -A FORWARD -s $LAN_IDS -d $ANYIP -j ids
iptables -A FORWARD -s $ANYIP -d $LAN_IDS -j ids
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j loopback
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j loopback

#iptables -A lan_dmz -j ACCEPT
#iptables -A lan_dmz -j LOG --log-prefix "#lan-dmz##"

# Logs generales
echo "Activando logs"
#iptables -A INPUT -j LOG --log-prefix "##IN## "
#iptables -A OUTPUT -j LOG --log-prefix "##OUT## "
#iptables -A FORWARD -j LOG --log-prefix "##FWD## "

# NAT
echo "Configurando NAT..."
iptables -t nat -A POSTROUTING -o $INT_PUB -j MASQUERADE
#iptables -t nat -A POSTROUTING -j LOG --log-prefix "##NATpost##"

#PORT FORWARDING - NAT IN
echo "Configurando PNAT ..."

#transparent proxy #
        # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to
192.168.0.10:80

iptables -t nat -A PREROUTING -p tcp -d $PUBLIC_DMZWEB_0_0 -j DNAT
--to-destination $DMZWEB_0_0
iptables -t nat -A PREROUTING -p tcp -d $PUBLIC_DMZWEB_0_1 -j DNAT
--to-destination $DMZWEB_0_1
iptables -t nat -A PREROUTING -p tcp -d $PUBLIC_DMZWEB_1_0 -j DNAT
--to-destination $DMZWEB_1_0
#iptables -t nat -A PREROUTING -j LOG --log-prefix "##NATpre##"

#SERVICIOS PERMITIDOS LAN - FUERA

echo "Permisos de salida desde ids_lan..."

        #tcp
iptables -A ids -p tcp -s $LAN_IDS --dport 20 -j ACCEPT
iptables -A ids -p tcp -s $LAN_IDS --dport 21 -j ACCEPT
iptables -A ids -p tcp -s $LAN_IDS --dport 20 -j LOG --log-prefix
"##ftp##"
iptables -A ids -p tcp -s $LAN_IDS --dport 21 -j LOG --log-prefix
"##ftp##"
iptables -A ids -p tcp -s $LAN_IDS --dport 23 -j ACCEPT
iptables -A ids -p tcp -s $LAN_IDS --dport 25 -j ACCEPT
iptables -A ids -p tcp -s $LAN_IDS --dport 80 -j ACCEPT
iptables -A ids -p tcp -s $LAN_IDS --dport 110 -j ACCEPT
iptables -A ids -p tcp -s $LAN_IDS --dport 137 -j ACCEPT
iptables -A ids -p tcp -s $LAN_IDS --dport 443 -j ACCEPT
iptables -A ids -p tcp -s $ANYIP --dport $UNPRIVPORTS -j ACCEPT
        #icmp
iptables -A ids -p icmp -j ACCEPT
        #udp
iptables -A ids -p udp -s $LAN_IDS -d $DNS1 --dport 53 -j ACCEPT
iptables -A ids -p udp -s $LAN_IDS -d $DNS2 --dport 53 -j ACCEPT
iptables -A ids -p udp -s $DNS1 -d $LAN_IDS --dport $UNPRIVPORTS -j
ACCEPT
iptables -A ids -p udp -s $DNS2 -d $LAN_IDS --dport $UNPRIVPORTS -j
ACCEPT
        #el resto lo deniego
iptables -A ids -j LOG --log-prefix "##DENY ids##"
iptables -A ids -j DROP

# LOOPBACK

iptables -A loopback -j ACCEPT
iptables -A loopback -j LOG --log-prefix "##loopback##"

echo "Habilitando acceso a servidores Web DMZ..."

iptables -A dmz -p tcp --dport 20 -d $DMZWEB_0_0 -j ACCEPT
iptables -A dmz -p tcp --dport 20 -d $DMZWEB_0_1 -j ACCEPT
iptables -A dmz -p tcp --dport 20 -d $DMZWEB_1_0 -j ACCEPT
iptables -A dmz -p tcp --dport 21 -d $DMZWEB_0_0 -j ACCEPT
iptables -A dmz -p tcp --dport 21 -d $DMZWEB_0_1 -j ACCEPT
iptables -A dmz -p tcp --dport 21 -d $DMZWEB_1_0 -j ACCEPT
iptables -A dmz -p tcp --dport 80 -d $DMZWEB_0_0 -j ACCEPT
iptables -A dmz -p tcp --dport 80 -d $DMZWEB_0_1 -j ACCEPT
iptables -A dmz -p tcp --dport 80 -d $DMZWEB_1_0 -j ACCEPT
#iptables -A dmz -p tcp --dport 137 -d $DMZWEB_0_0 -j ACCEPT
#iptables -A dmz -p tcp --dport 137 -d $DMZWEB_1_0 -j ACCEPT
#iptables -A dmz -p tcp --dport 137 ! --syn -s $DMZWEB_0_0 -j ACCEPT
#iptables -A dmz -p tcp --dport 137 ! --syn -s $DMZWEB_1_0 -j ACCEPT
iptables -A dmz -p tcp --dport $UNPRIVPORTS -s $DMZWEB_0_0 -j ACCEPT
iptables -A dmz -p tcp --dport $UNPRIVPORTS -s $DMZWEB_0_1 -j ACCEPT
iptables -A dmz -p tcp --dport $UNPRIVPORTS -s $DMZWEB_1_0 -j ACCEPT

        #tienda virtual (tpv)
iptables -A dmz -p tcp -s $LAN_DMZ -d 193.24.33.9 --dport 56005 -j
ACCEPT

        #permitit consultas a los dns autorizados "ojo falta el syn!!! y
el source port"
iptables -A dmz -p udp -s $LAN_DMZ -d $DNS1 --dport 53 -j ACCEPT
iptables -A dmz -p udp -s $LAN_DMZ -d $DNS2 --dport 53 -j ACCEPT
iptables -A dmz -p udp -s $DNS1 -d $LAN_DMZ --dport $UNPRIVPORTS -j
ACCEPT
iptables -A dmz -p udp -s $DNS2 -d $LAN_DMZ --dport $UNPRIVPORTS -j
ACCEPT
        #el resto lo deniego
iptables -A dmz -j LOG --log-prefix "##DENY dmz##"
iptables -A dmz -j DROP

echo "***** Fin de firewall script ********************"


Thanks

my configuration - ftp is not working

Roger Rossell