[CentOS-de] Iptables and FTP

Alexander Dalloz ad+lists at uni-x.org
Fri Apr 22 12:17:43 EDT 2011


On 22.04.2011 17:36, Evgenij Dauenahuer wrote:
> Hi folks, can someone help me please
> I have CentOS 5.5 as a gateway with Squid+Havp as the proxy

FTP is not handled through Squid?

> eth0 --internet (192.168.178. adsl router) 
> eth1 -- lan    (192.168.2.1)
> 
> 
> So the proxy works and iptables too, ping works etc. Now I'm trying to access the hoster from a client PC with Filezilla (without success)

What gets logged? What does a tcpdump on the client and on the gateway say?

> here is my iptables config:
> 
> 
> modules:
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
> (both are loaded too)
> 
> # Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
> *nat
> :PREROUTING ACCEPT [13:1184]
> :POSTROUTING ACCEPT [1:172]
> :OUTPUT ACCEPT [1:172]
> -A POSTROUTING -o eth0 -j MASQUERADE 
> COMMIT
> # Completed on Wed Apr 20 03:16:17 2011
> # Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
> *mangle
> :PREROUTING ACCEPT [453:35320]
> :INPUT ACCEPT [453:35320]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [342:49808]
> :POSTROUTING ACCEPT [342:49808]
> COMMIT
> # Completed on Wed Apr 20 03:16:17 2011
> # Generated by iptables-save v1.3.5 on Wed Apr 20 03:16:17 2011
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]

No packets forwarded so far? Looks suspicious.

> :OUTPUT ACCEPT [342:49808]
> :RH-Firewall-1-INPUT - [0:0]

No packet has gone through this chain so far either?

> -A INPUT -j RH-Firewall-1-INPUT 
> -A FORWARD -j RH-Firewall-1-INPUT 
> 
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT 
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT 
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT 
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT 
> #DNS
> -A RH-Firewall-1-INPUT  -i eth1 -m tcp -p tcp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT  -i eth1 -m udp -p udp --dport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT  -i eth0 -p udp -s 192.168.178.1 --sport 53 -j ACCEPT
> -A RH-Firewall-1-INPUT  -i eth0 -p tcp -s 192.168.178.1 --sport 53 -j ACCEPT
> #PRINTING
> -A RH-Firewall-1-INPUT -i eth1 -p udp -m udp --dport 631 -j ACCEPT 
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m tcp --dport 631 -j ACCEPT 
> #Rules for connect to router
> #-A RH-Firewall-1-FORWARD -i eth1 -d 192.168.178.1 -m state --state NEW,ESTABLISHED -j ACCEPT
> #-A RH-Firewall-1-FORWARD -i eth0 -d 192.168.2.0/24 -m state --state ESTABLISHED -j ACCEPT
> #-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> #-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 10000 -j ACCEPT 
> 
> #SQUID
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3128 -j ACCEPT 
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 8080 -j ACCEPT
> 
> #VNC
> -A RH-Firewall-1-INPUT -i eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5900 -j ACCEPT 
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED  -m tcp --sport 80 -j ACCEPT
> #HTTPS
> -A RH-Firewall-1-INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 443 -j ACCEPT
> #SSH
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 22 -j ACCEPT
> #WEBMIN
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 10000 -j ACCEPT
> #FTP
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0  -m state --state ESTABLISHED,RELATED -p tcp --sport 21 -j ACCEPT

Why source port 21? That doesn't fit. That should be the destination port.

> #Allow active
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 20 -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth0  -m state --state ESTABLISHED,RELATED -p tcp --sport 20 -j ACCEPT

Same mistake here.

> #Allow passive FTP
> -A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 1024 -j ACCEPT

You want a destination port range 1024:65535

> -A RH-Firewall-1-INPUT -i eth0  -m state --state ESTABLISHED,RELATED -p tcp --sport 1024 -j ACCEPT

Source port here as well, instead of the destination port range 1024:65535

> #log end 
> -A RH-Firewall-1-INPUT -i eth1 -j  LOG --log-level debug --log-prefix "EHT1 -FROM LAN "
> -A RH-Firewall-1-INPUT -i eth0 -j  LOG --log-level debug --log-prefix "EHT0 -From INTERNET "

If your firewall rules are getting in the way, you will find that in the logs.

> -A RH-Firewall-1-INPUT -j DROP
> COMMIT
> # Completed on Wed Apr 20 03:16:17 2011
> 
> 
> thanks, Evgenij

ip_forward has to be on (1).

Alexander
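Added example, not part of the thread and not code from Evgenij or Alexander: a corrected iptables-restore ruleset for a CentOS 5 NAT gateway that lets LAN clients use active and passive FTP by relying on the ip_conntrack_ftp/ip_nat_ftp helpers, together with a check of the ip_forward switch and a small lint that flags two of the points raised above (single port 1024 where a range was meant, and no port-agnostic RELATED,ESTABLISHED rule). The interface names eth0/eth1 and the LAN prefix 192.168.2.0/24 come from the post; the rule layout, the function names and the sample dump excerpt are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): corrected FTP-through-NAT ruleset for a
# CentOS 5 gateway plus two checks. eth0/eth1 and 192.168.2.0/24 are taken
# from the post; everything else here is an assumption of this example.

LAN_IF=eth1
WAN_IF=eth0
LAN_NET=192.168.2.0/24

# Print the ruleset in iptables-save format (pipe it into iptables-restore).
ftp_gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The gateway itself: loopback, replies, and LAN access to Squid.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 3128 -m state --state NEW -j ACCEPT
# Routed traffic. This single port-agnostic rule admits the replies AND the
# FTP data connections (active: server port 20 -> client; passive: client ->
# server high port), because the ftp helper marks them RELATED after parsing
# PORT/PASV on the control channel. No port-20 or 1024:65535 rules needed.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# New outbound control connections from the LAN: destination port 21.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP "
-A FORWARD -j DROP
COMMIT
EOF
}

# Report "on" or "off" for the kernel forwarding switch. The optional path
# argument exists only so the function can be exercised on a copy of the file.
ip_forward_state() {
    if [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = 1 ]; then
        echo on
    else
        echo off
    fi
}

# Lint an iptables-save dump read from stdin; prints one line per finding:
#  - a rule matching the single port 1024 where a 1024:65535 range was meant
#  - no port-agnostic RELATED,ESTABLISHED rule, so FTP data connections can
#    only pass if some exact-port rule happens to match them
lint_ruleset() {
    dump=$(grep -v '^#')
    printf '%s\n' "$dump" | grep -- '--[sd]port 1024 ' \
        | sed 's/^/single port where the 1024:65535 range was intended: /'
    if ! printf '%s\n' "$dump" | grep -- '--state [A-Z,]*RELATED' | grep -qv -- '--[sd]port'; then
        echo "no port-agnostic RELATED,ESTABLISHED rule: FTP data connections depend on exact-port rules"
    fi
}

# Constructed excerpt of the posted ruleset, used to exercise lint_ruleset.
SAMPLE_DUMP='-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -s 192.168.2.0/24 -m state --state ESTABLISHED,NEW,RELATED -p tcp --dport 1024 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0  -m state --state ESTABLISHED,RELATED -p tcp --sport 1024 -j ACCEPT
#-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP'

# Load the helpers, switch forwarding on and install the rules (root only).
apply_rules() {
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    sysctl -w net.ipv4.ip_forward=1
    ftp_gateway_rules | iptables-restore
}

# Usage: "sh ftpgw.sh" prints the ruleset, the ip_forward state and the lint
# findings for the sample dump; "sh ftpgw.sh apply" installs it on the gateway.
if [ "${1-}" = apply ]; then
    apply_rules
else
    ftp_gateway_rules
    echo "ip_forward: $(ip_forward_state)"
    printf '%s\n' "$SAMPLE_DUMP" | lint_ruleset
fi
```

The design point is that the helpers do the port bookkeeping: once ip_conntrack_ftp has seen the PORT or PASV exchange on the port-21 connection, the data connection is RELATED and one state rule in FORWARD admits it in either direction, so no rule needs to guess at port 20 or a high-port range. The FORWARD LOG rule before the final DROP keeps Alexander's advice actionable: whatever still fails shows up in the log with a prefix.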