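#!/bin/bash
#
# Mailing-list context preserved from the page (suse-security, 27 Sep 2001,
# thread "[suse-security] my configuration - ftp is not working",
# Roger Rossell <roger@grupids.com>):
#
#   Follow-up: "i'm surprised noone has answered my question... well i've
#   found it myselve... see'ya"
#
#   Original question: "Here is my configuration script. Ftp clients from my
#   lan (specified in table "ids") can not retreive file lists from ftp
#   servers can you help me please???"  -- "Thanks"
#
# FIREWALL DE IDS
#
# Three-legged packet filter for a 2.4-era iptables host:
#   eth0 = LAN (172.16.0.0/16, masqueraded behind the public address)
#   eth1 = public uplink
#   eth2 = DMZ (192.168.0.0/24) with three web servers published through
#          DNAT on virtual public addresses
# Default policy is DROP on INPUT, OUTPUT and FORWARD; the host itself only
# talks over loopback. Forwarded traffic is dispatched to the user chains
# "dmz" and "ids" and everything not explicitly accepted is logged and
# dropped.
#
# Changes relative to the posted script (see the inline comments):
#   - ip_nat_ftp is now loaded; without it active-mode FTP data connections
#     cannot be translated by MASQUERADE, which is the probable cause of the
#     "cannot retrieve file lists" symptom.
#   - the "##ftp##" LOG rules were placed after the matching ACCEPT rules and
#     therefore never fired; they now precede them.
#   - variable expansions are quoted and the for-loops are well-formed.
# Script messages (echo) are kept in Spanish exactly as posted.

echo "***** Ejecutando Firewall... ********************"

# --- Kernel modules ---------------------------------------------------------
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
# ip_conntrack_ftp only tracks the control channel. Behind MASQUERADE the
# client's PORT command still carries its private 172.16.x.x address, so the
# server's active-mode data connection (used for LIST / directory listings)
# never reaches the client. ip_nat_ftp rewrites the PORT/PASV payload so the
# data connection is translated as well.
modprobe ip_nat_ftp

# --- Variables --------------------------------------------------------------
LAN_IDS="172.16.0.0/255.255.0.0"
LAN_DMZ="192.168.0.0/255.255.255.0"
ANYIP="0/0"
# IP_LAN / IP_PUB / IP_DMZ are not referenced below; kept for documentation.
IP_LAN="172.16.100.100"
IP_PUB="217.149.0.xx0"
IP_DMZ="192.168.0.1"
INT_LAN="eth0"
INT_PUB="eth1"
INT_DMZ="eth2"
UNPRIVPORTS="1024:65535"

# Naming: DMZWEB_<server-number>_<virtual-ip-number>
DMZWEB_0_0="192.168.0.100"
DMZWEB_0_1="192.168.0.101"
DMZWEB_1_0="192.168.0.200"
# Public side of each DMZ web address (the 217.149.0.xx* values are redacted
# in the original mail).
PUBLIC_DMZWEB_0_0="217.149.0.xx1"
PUBLIC_DMZWEB_0_1="217.149.0.xx2"
PUBLIC_DMZWEB_1_0="217.149.0.xx5"
DNS1="217.149.0.10"
DNS2="217.149.0.11"

# --- Virtual public addresses -----------------------------------------------
# Added on the public interface so the DNAT rules below receive the traffic.
# On a re-run "ip address add" reports the address as already present; that
# is harmless here because the script does not run under "set -e".
ip address add "$PUBLIC_DMZWEB_0_0" dev "$INT_PUB"
ip address add "$PUBLIC_DMZWEB_0_1" dev "$INT_PUB"
ip address add "$PUBLIC_DMZWEB_1_0" dev "$INT_PUB"

# --- Clear existing rules ---------------------------------------------------
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# --- Kernel network hardening -----------------------------------------------
# Proxy ARP for the DMZ and the LAN (disabled in the posted configuration)
#echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp
#echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp

# Enable IP forwarding between the three interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# Anti-spoofing: reverse-path filtering on every interface
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done

# TCP SYN cookie protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Always defragment (disabled in the posted configuration)
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag

# Ignore bogus ICMP error responses to broadcasts (disabled)
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_bogus_error_broadcasts

# Do not accept ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done

# Do not accept source-routed packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done

# Log spoofed, source-routed and redirect packets ("martians")
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
  echo 1 > "$f"
done

# --- Default policy ---------------------------------------------------------
echo "Configurando políticas por defecto"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# --- User chains ------------------------------------------------------------
echo "Creando nuevas tablas"
iptables -N dmz
iptables -N ids
iptables -N loopback
#iptables -N lan_dmz

# Dispatch: anything to/from the DMZ goes to "dmz", anything to/from the LAN
# goes to "ids". Order matters: a packet from the DMZ to the LAN is handled
# by "dmz" (rule 2) and never reaches the "ids" rules.
echo "Relacionando nuevas tablas"
iptables -A FORWARD -s "$ANYIP" -d "$LAN_DMZ" -j dmz
iptables -A FORWARD -s "$LAN_DMZ" -j dmz
iptables -A FORWARD -s "$LAN_IDS" -d "$ANYIP" -j ids
iptables -A FORWARD -s "$ANYIP" -d "$LAN_IDS" -j ids
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j loopback
iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j loopback
#iptables -A lan_dmz -j ACCEPT
#iptables -A lan_dmz -j LOG --log-prefix "#lan-dmz##"

# --- General logging (disabled) ---------------------------------------------
echo "Activando logs"
#iptables -A INPUT -j LOG --log-prefix "##IN## "
#iptables -A OUTPUT -j LOG --log-prefix "##OUT## "
#iptables -A FORWARD -j LOG --log-prefix "##FWD## "

# --- NAT --------------------------------------------------------------------
echo "Configurando NAT..."
iptables -t nat -A POSTROUTING -o "$INT_PUB" -j MASQUERADE
#iptables -t nat -A POSTROUTING -j LOG --log-prefix "##NATpost##"

# --- Port forwarding (DNAT in) ----------------------------------------------
echo "Configurando PNAT ..."
# transparent proxy (disabled)
#
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.0.10:80
#
# Every TCP port on the virtual public address is translated to the DMZ host;
# the "dmz" chain is what limits the published services to 20, 21 and 80.
iptables -t nat -A PREROUTING -p tcp -d "$PUBLIC_DMZWEB_0_0" -j DNAT --to-destination "$DMZWEB_0_0"
iptables -t nat -A PREROUTING -p tcp -d "$PUBLIC_DMZWEB_0_1" -j DNAT --to-destination "$DMZWEB_0_1"
iptables -t nat -A PREROUTING -p tcp -d "$PUBLIC_DMZWEB_1_0" -j DNAT --to-destination "$DMZWEB_1_0"
#iptables -t nat -A PREROUTING -j LOG --log-prefix "##NATpre##"

# --- Services allowed LAN -> outside ("ids" chain) --------------------------
echo "Permisos de salida desde ids_lan..."
#tcp
# LOG must come before ACCEPT: ACCEPT is terminal, so in the posted order the
# "##ftp##" rules were unreachable. Note that without "--syn" or "-m limit"
# every packet of the FTP control connection is logged.
iptables -A ids -p tcp -s "$LAN_IDS" --dport 20 -j LOG --log-prefix "##ftp##"
iptables -A ids -p tcp -s "$LAN_IDS" --dport 21 -j LOG --log-prefix "##ftp##"
iptables -A ids -p tcp -s "$LAN_IDS" --dport 20 -j ACCEPT
iptables -A ids -p tcp -s "$LAN_IDS" --dport 21 -j ACCEPT
iptables -A ids -p tcp -s "$LAN_IDS" --dport 23 -j ACCEPT
iptables -A ids -p tcp -s "$LAN_IDS" --dport 25 -j ACCEPT
iptables -A ids -p tcp -s "$LAN_IDS" --dport 80 -j ACCEPT
iptables -A ids -p tcp -s "$LAN_IDS" --dport 110 -j ACCEPT
# NOTE(review): TCP/137 (NetBIOS name service) is allowed out to any host;
# this is rarely wanted towards the Internet -- confirm it is intentional.
iptables -A ids -p tcp -s "$LAN_IDS" --dport 137 -j ACCEPT
iptables -A ids -p tcp -s "$LAN_IDS" --dport 443 -j ACCEPT
# NOTE(review): this rule is meant for return traffic and FTP data
# connections, but it has no "! --syn" or state match, and the "ids" chain is
# also reached for traffic *towards* the LAN, so it accepts NEW connections
# from any source to any unprivileged LAN port. With ip_conntrack_ftp loaded
# the tighter equivalent is "-m state --state ESTABLISHED,RELATED"; kept as
# posted so the ruleset's behaviour is unchanged.
iptables -A ids -p tcp -s "$ANYIP" --dport "$UNPRIVPORTS" -j ACCEPT
#icmp
iptables -A ids -p icmp -j ACCEPT
#udp
# DNS only to the two authorised resolvers, and their replies back
iptables -A ids -p udp -s "$LAN_IDS" -d "$DNS1" --dport 53 -j ACCEPT
iptables -A ids -p udp -s "$LAN_IDS" -d "$DNS2" --dport 53 -j ACCEPT
iptables -A ids -p udp -s "$DNS1" -d "$LAN_IDS" --dport "$UNPRIVPORTS" -j ACCEPT
iptables -A ids -p udp -s "$DNS2" -d "$LAN_IDS" --dport "$UNPRIVPORTS" -j ACCEPT
# Everything else is denied
iptables -A ids -j LOG --log-prefix "##DENY ids##"
iptables -A ids -j DROP

# --- Loopback ---------------------------------------------------------------
# ACCEPT is terminal, so the LOG rule after it is never reached (kept as
# posted).
iptables -A loopback -j ACCEPT
iptables -A loopback -j LOG --log-prefix "##loopback##"

# --- DMZ web servers ("dmz" chain) ------------------------------------------
echo "Habilitando acceso a servidores Web DMZ..."
# Published services: FTP (20/21) and HTTP (80) on each DMZ web server
iptables -A dmz -p tcp --dport 20 -d "$DMZWEB_0_0" -j ACCEPT
iptables -A dmz -p tcp --dport 20 -d "$DMZWEB_0_1" -j ACCEPT
iptables -A dmz -p tcp --dport 20 -d "$DMZWEB_1_0" -j ACCEPT
iptables -A dmz -p tcp --dport 21 -d "$DMZWEB_0_0" -j ACCEPT
iptables -A dmz -p tcp --dport 21 -d "$DMZWEB_0_1" -j ACCEPT
iptables -A dmz -p tcp --dport 21 -d "$DMZWEB_1_0" -j ACCEPT
iptables -A dmz -p tcp --dport 80 -d "$DMZWEB_0_0" -j ACCEPT
iptables -A dmz -p tcp --dport 80 -d "$DMZWEB_0_1" -j ACCEPT
iptables -A dmz -p tcp --dport 80 -d "$DMZWEB_1_0" -j ACCEPT
#iptables -A dmz -p tcp --dport 137 -d $DMZWEB_0_0 -j ACCEPT
#iptables -A dmz -p tcp --dport 137 -d $DMZWEB_1_0 -j ACCEPT
#iptables -A dmz -p tcp --dport 137 ! --syn -s $DMZWEB_0_0 -j ACCEPT
#iptables -A dmz -p tcp --dport 137 ! --syn -s $DMZWEB_1_0 -j ACCEPT
# NOTE(review): these accept any TCP from the DMZ web servers to unprivileged
# ports on *any* destination, including the LAN (the FORWARD dispatch sends
# DMZ-sourced packets here before the "ids" rules). A compromised DMZ host
# could therefore open connections into the LAN; limiting the destination or
# adding "! --syn" would close that path. Kept as posted.
iptables -A dmz -p tcp --dport "$UNPRIVPORTS" -s "$DMZWEB_0_0" -j ACCEPT
iptables -A dmz -p tcp --dport "$UNPRIVPORTS" -s "$DMZWEB_0_1" -j ACCEPT
iptables -A dmz -p tcp --dport "$UNPRIVPORTS" -s "$DMZWEB_1_0" -j ACCEPT
# Virtual shop (TPV / point-of-sale gateway)
iptables -A dmz -p tcp -s "$LAN_DMZ" -d 193.24.33.9 --dport 56005 -j ACCEPT
# Allow queries to the authorised DNS servers -- author's own note:
# "careful, the syn check and the source port are missing!!!"
iptables -A dmz -p udp -s "$LAN_DMZ" -d "$DNS1" --dport 53 -j ACCEPT
iptables -A dmz -p udp -s "$LAN_DMZ" -d "$DNS2" --dport 53 -j ACCEPT
iptables -A dmz -p udp -s "$DNS1" -d "$LAN_DMZ" --dport "$UNPRIVPORTS" -j ACCEPT
iptables -A dmz -p udp -s "$DNS2" -d "$LAN_DMZ" --dport "$UNPRIVPORTS" -j ACCEPT
# Everything else is denied
iptables -A dmz -j LOG --log-prefix "##DENY dmz##"
iptables -A dmz -j DROP

echo "***** Fin de firewall script ********************"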