[CentOS-de] Iptables and FTP

Evgenij Dauenahuer evgenij.dauenhauer at hotmail.com
Fri Apr 22 11:36:09 EDT 2011


Hi folks, can anyone help me please?
I have CentOS 5.5 as a gateway with Squid+Havp as the proxy
eth0 -- internet (192.168.178. ADSL router)
eth1 -- LAN     (192.168.2.1)


So the proxy works and so does iptables, ping works etc. Now I am trying to access my hoster from a client PC with FileZilla (without success).
Here is my iptables config:


Modules:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
are also loaded

# Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
*nat
:PREROUTING ACCEPT [13:1184]
:POSTROUTING ACCEPT [1:172]
:OUTPUT ACCEPT [1:172]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Wed Apr 20 03:16:17 2011
# Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
*mangle
:PREROUTING ACCEPT [453:35320]
:INPUT ACCEPT [453:35320]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [342:49808]
:POSTROUTING ACCEPT [342:49808]
COMMIT
# Completed on Wed Apr 20 03:16:17 2011
# Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [342:49808]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT 
-A FORWARD -j RH-Firewall-1-INPUT 

-A RH-Firewall-1-INPUT -i lo -j ACCEPT 
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
-A RH-Firewall-1-INPUT -p esp -j ACCEPT 
-A RH-Firewall-1-INPUT -p ah -j ACCEPT 
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
#DNS
-A RH-Firewall-1-INPUT  -i eth1 -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT  -i eth1 -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT  -i eth0 -p udp -s 192.168.178.1 --sport 53 -j ACCEPT
-A RH-Firewall-1-INPUT  -i eth0 -p tcp -s 192.168.178.1 --sport 53 -j ACCEPT
#PRINTING
-A RH-Firewall-1-INPUT -i eth1 -p udp -m udp --dport 631 -j ACCEPT 
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m tcp --dport 631 -j ACCEPT 
#Rules for connect to router
#-A RH-Firewall-1-FORWARD -i eth1 -d 192.168.178.1 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-FORWARD -i eth0 -d 192.168.2.0/24 -m state --state ESTABLISHED -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
#-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT 

#SQUID
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT 
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT

#VNC
-A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5900 -j ACCEPT 
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED  -m tcp --sport 80 -j ACCEPT
#HTTPS
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 443 -j ACCEPT
#SSH
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 22 -j ACCEPT
#WEBMIN
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 10000 -j ACCEPT
#FTP
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0  -m state --state ESTABLISHED,RELATED -p tcp --sport 21 -j ACCEPT 
#Allow active
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0  -m state --state ESTABLISHED,RELATED -p tcp --sport 20 -j ACCEPT
#Allow passive FTP
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 1024 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0  -m state --state ESTABLISHED,RELATED -p tcp --sport 1024 -j ACCEPT
#log end 
-A RH-Firewall-1-INPUT -i eth1 -j  LOG --log-level debug --log-prefix "EHT1 -FROM LAN "
-A RH-Firewall-1-INPUT -i eth0 -j  LOG --log-level debug --log-prefix "EHT0 -From INTERNET "
-A RH-Firewall-1-INPUT -j DROP
COMMIT
# Completed on Wed Apr 20 03:16:17 2011


Thanks, Evgenij
-------------- next part --------------
An attachment with HTML data was scrubbed...
URL: http://lists.centos.org/pipermail/centos-de/attachments/20110422/c17495f2/attachment.html
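An added example, not part of the original post. The posted filter table sends FORWARD traffic into RH-Firewall-1-INPUT, and every RELATED/ESTABLISHED accept in that chain is tied to a port (21, 20, 80, 443, or exactly 1024). A passive-mode data connection goes to whatever port the server announces in its PASV reply, so the client's SYN matches none of them and hits the final DROP (it should show up in the kernel log with the "EHT1 -FROM LAN" prefix). With ip_conntrack_ftp and ip_nat_ftp loaded, that data connection is already tracked as RELATED; what is missing is one generic state rule in the forwarding path. The script below checks an iptables-save dump for exactly that gap and emits the two rules that fix it. The interface names and LAN network are the poster's; the condensed dumps are constructed from the posted rules, and the checker logic and rule text are mine.

```shell
#!/bin/sh
# Added example: detect the missing generic RELATED,ESTABLISHED accept in the
# FORWARD path of an iptables-save dump, and emit the rules that fix FTP.
LAN_IF=eth1               # from the post
WAN_IF=eth0               # from the post
LAN_NET=192.168.2.0/24    # from the post

# Constructed, condensed copy of the posted filter table: FORWARD jumps into
# RH-Firewall-1-INPUT, whose RELATED/ESTABLISHED accepts are all bound to a port.
POSTED_FILTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state ESTABLISHED,RELATED -p tcp --sport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 1024 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
COMMIT'

# Constructed "after" version: one generic state rule ahead of the jump.
FIXED_FILTER='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.2.0/24 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -j DROP
COMMIT'

# Succeeds (exit 0) when neither FORWARD nor any chain it jumps to directly has
# an ACCEPT for RELATED traffic that is free of --dport/--sport restrictions,
# i.e. when conntrack-helper data channels (FTP PASV/PORT) will be dropped.
# $1 is the text of an iptables-save dump.
lacks_related_accept() {
    printf '%s\n' "$1" | awk '
        /^\*/             { table = substr($0, 2) }
        table != "filter" { next }
        /^-A FORWARD .*-j / { for (i = 1; i <= NF; i++) if ($i == "-j") chains[$(i+1)] = 1 }
        /^-A / && /--state [A-Z,]*RELATED/ && /-j ACCEPT/ && !/--dport/ && !/--sport/ { ok[$2] = 1 }
        END {
            chains["FORWARD"] = 1
            for (c in chains) if (ok[c]) exit 1   # generic RELATED accept found
            exit 0                                # none found: data channels die
        }'
}

# The fix. Insert (not append): the posted FORWARD chain starts with a jump into a
# chain that ends in DROP, so appended rules would never be reached. With the FTP
# helper loaded (ip_conntrack_ftp/ip_nat_ftp on CentOS 5; nf_conntrack_ftp/nf_nat_ftp
# on newer kernels) the negotiated data connection is RELATED, so no per-port rule
# for "passive" or "active" data is needed.
ftp_forward_rules() {
    cat <<EOF
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 2 -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m state --state NEW -j ACCEPT
EOF
}

# Dry run by default; APPLY=1 executes the commands (needs root and iptables).
if lacks_related_accept "$POSTED_FILTER"; then
    echo "posted ruleset: no generic RELATED,ESTABLISHED accept in the FORWARD path"
fi
if [ "${APPLY:-0}" = 1 ]; then ftp_forward_rules | sh; else ftp_forward_rules; fi
```

Run it as is to see the check and the two commands; run `APPLY=1 sh ftp-forward.sh` as root on the gateway to install them (the file name is mine). Two caveats worth knowing: the helper has to read the PASV/PORT exchange on the control channel, so it does nothing for FTP over TLS (FileZilla's "explicit FTP over TLS"); for that the server's passive port range has to be opened explicitly. And on kernels from 4.7 onward helpers are no longer assigned automatically (the `nf_conntrack_helper` sysctl defaults to off), so the same setup there additionally needs a `-j CT --helper ftp` rule in the raw table; the CentOS 5 kernel in the post is not affected by that.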