 
From: Roland Türk (info_at_rolandtuerk.de)
Date: Sat Jan 25 2003 - 13:03:19 CST


    Hello,

    Sorry, my English is not so good!
    I have written my firewall with iptables. I can connect to an FTP server but
    cannot do an ls or dir.

    linux:~ # ftp ftp.suse.com
    Connected to ftp.suse.com (217.9.113.66).
    220 "Welcome to the SuSE ftp server: Please login as user 'ftp'"
    Name (ftp.suse.com:root): ftp
    331 Please send your email address as a password.
    Password:
    230-+----------------------------------------------------------------+
    230-| Welcome to the SuSE Linux FTP archives in Nürnberg Germany |
    230-+----------------------------------------------------------------+
    230-+------------------------------+ +------------------------------+
    230-| SuSE Inc. | | SuSE GmbH |
    230-| 318 Harrison St. | | Deutschherrnstr. 15-19 |
    230-| Oakland, CA 94607 | | 90429 Nuernberg |
    230-| USA | | Germany |
    230-+------------------------------+ +------------------------------+
    230-| Tel: +1-510-628-3380 | | Tel: +49-911-740530 |
    230-| FAX: +1-510-628-3381 | | FAX: +49-911-7417755 |
    230-+------------------------------+ +------------------------------+
    230-| http://www.suse.com/ | | http://www.suse.de/ |
    230-+------------------------------+ +------------------------------+
    230-Please make sure to read pub/INDEX before sending mail to
    230-ftpadmin@suse.com
    230-
    230-User limit: 600 - consider using a mirror-site:
    230-http://www.suse.de/en/support/download/ftp/int_mirrors.html (Int.)
    230-http://www.suse.de/en/support/download/ftp/germ_mirrors.html (DE)
    230-
    230-Users from Europe (in particular German universities):
    230-ftp://ftp.gwdg.de/pub/linux/suse/
    230-ftp://ftp.leo.org/pub/comp/os/unix/linux/suse/suse/
    230-ftp://ftp.uni-kl.de/pub/linux/suse/
    230-
    230-If you are experiencing any problems with this server, please email
    230-ftpadmin@suse.com.
    230-
    230 Login successful. Have a lot of fun.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful. Consider using PASV.

    --------------------------------------------------
    --------------------------------------------------
    -----snip------
    #My Firewall config for FTP

    # FTP OUT Control-Connection

            iptables -A OUTPUT -p TCP --sport $p_high --dport ftp -j ACCEPT
            iptables -A INPUT -p TCP --dport $p_high --sport ftp ! --syn -j ACCEPT

    # FTP OUT Passive Data-Connection

            iptables -A OUTPUT -p TCP --sport $p_high --dport $p_high -j ACCEPT
            iptables -A INPUT -p TCP --dport $p_high --sport $p_high ! --syn -j ACCEPT

    # MASQUERADING

            iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

            echo "1" > /proc/sys/net/ipv4/ip_forward
            echo "1" > /proc/sys/net/ipv4/ip_dynaddr

            iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
            iptables -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

            iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

            iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

            iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
            iptables -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT

            iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
            iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT

    -----snap-----
    ----------------------------------------------------------------------
    ----------------------------------------------------------------------

    tcpdump -i ippp0

    19:59:13.290242 217.4.250.8.filenet-tms > 213.95.15.193.domain: 2909 A? ftp.suse.com. (30) (DF)
    19:59:13.345807 213.95.15.193.domain > 217.4.250.8.filenet-tms: 2909* 1/2/2 A 217.9.113.66 (132) [tos 0x10]
    19:59:13.347190 217.4.250.8.35608 > 217.9.113.66.ftp: S 926670463:926670463(0) win 5840 <mss 1460,sackOK,timestamp 52220628 0,
    19:59:13.447849 217.9.113.66.ftp > 217.4.250.8.35608: S 840322402:840322402(0) ack 926670464 win 32120 <mss 1460,sackOK,timest
    19:59:13.447945 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 1 win 5840 <nop,nop,timestamp 52220638 2286511272> (DF)
    19:59:13.518270 217.9.113.66.ftp > 217.4.250.8.35608: P 1:249(248) ack 1 win 32120 <nop,nop,timestamp 2286511282 52220638> (DF
    19:59:13.518367 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 249 win 6432 <nop,nop,timestamp 52220645 2286511282> (DF) [tos 0x1
    19:59:13.518817 217.4.250.8.35608 > 217.9.113.66.ftp: F 1:1(0) ack 249 win 6432 <nop,nop,timestamp 52220645 2286511282> (DF) [
    19:59:13.525785 217.9.113.66.ftp > 217.4.250.8.35608: F 249:249(0) ack 1 win 32120 <nop,nop,timestamp 2286511282 52220638> (DF
    19:59:13.526164 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 250 win 6432 <nop,nop,timestamp 52220646 2286511282> (DF) [tos 0x1
    19:59:13.572175 217.9.113.66.ftp > 217.4.250.8.35608: . ack 2 win 32120 <nop,nop,timestamp 2286511290 52220645> (DF)
    19:59:20.501533 217.4.250.8.35609 > 217.9.113.66.ftp: S 933158888:933158888(0) win 5840 <mss 1460,sackOK,timestamp 52221343 0,
    19:59:20.551516 217.9.113.66.ftp > 217.4.250.8.35609: S 856735184:856735184(0) ack 933158889 win 32120 <mss 1460,sackOK,timest
    19:59:20.551613 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1 win 5840 <nop,nop,timestamp 52221348 2286511987> (DF)
    19:59:20.650476 217.9.113.66.ftp > 217.4.250.8.35609: P 1:67(66) ack 1 win 32120 <nop,nop,timestamp 2286511993 52221348> (DF)
    19:59:20.650579 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 67 win 5840 <nop,nop,timestamp 52221358 2286511993> (DF) [tos 0x10
    19:59:24.856106 217.4.250.8.35609 > 217.9.113.66.ftp: P 1:11(10) ack 67 win 5840 <nop,nop,timestamp 52221778 2286511993> (DF)
    19:59:24.896293 217.9.113.66.ftp > 217.4.250.8.35609: . ack 11 win 32120 <nop,nop,timestamp 2286512422 52221778> (DF)
    19:59:24.910156 217.9.113.66.ftp > 217.4.250.8.35609: P 67:118(51) ack 11 win 32120 <nop,nop,timestamp 2286512422 52221778> (D
    19:59:24.910224 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 118 win 5840 <nop,nop,timestamp 52221784 2286512422> (DF) [tos 0x1
    19:59:26.198941 217.4.250.8.35609 > 217.9.113.66.ftp: P 11:25(14) ack 118 win 5840 <nop,nop,timestamp 52221913 2286512422> (DF
    19:59:26.261343 217.9.113.66.ftp > 217.4.250.8.35609: P 118:190(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
    19:59:26.261425 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 190 win 5840 <nop,nop,timestamp 52221919 2286512557> (DF) [tos 0x1
    19:59:26.277847 217.9.113.66.ftp > 217.4.250.8.35609: P 190:262(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
    19:59:26.277920 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 262 win 5840 <nop,nop,timestamp 52221920 2286512557> (DF) [tos 0x1
    19:59:26.294356 217.9.113.66.ftp > 217.4.250.8.35609: P 262:334(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
    19:59:26.294424 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 334 win 5840 <nop,nop,timestamp 52221922 2286512557> (DF) [tos 0x1
    19:59:26.310864 217.9.113.66.ftp > 217.4.250.8.35609: P 334:406(72) ack 25 win 32120 <nop,nop,timestamp 2286512557 52221913> (
    19:59:26.310932 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 406 win 5840 <nop,nop,timestamp 52221924 2286512557> (DF) [tos 0x1
    19:59:26.521730 217.9.113.66.ftp > 217.4.250.8.35609: P 406:1771(1365) ack 25 win 32120 <nop,nop,timestamp 2286512563 52221919
    19:59:26.521806 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1771 win 8190 <nop,nop,timestamp 52221945 2286512563> (DF) [tos 0x
    19:59:26.523495 217.4.250.8.35609 > 217.9.113.66.ftp: P 25:31(6) ack 1771 win 8190 <nop,nop,timestamp 52221945 2286512563> (DF
    19:59:26.599132 217.9.113.66.ftp > 217.4.250.8.35609: P 1771:1790(19) ack 31 win 32120 <nop,nop,timestamp 2286512590 52221945>
    19:59:26.638231 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1790 win 8190 <nop,nop,timestamp 52221957 2286512590> (DF) [tos 0x
    19:59:29.151684 217.4.250.8.35609 > 217.9.113.66.ftp: P 31:56(25) ack 1790 win 8190 <nop,nop,timestamp 52222208 2286512590> (D
    19:59:29.208498 217.9.113.66.ftp > 217.4.250.8.35609: P 1790:1841(51) ack 56 win 32120 <nop,nop,timestamp 2286512852 52222208>
    19:59:29.208584 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1841 win 8190 <nop,nop,timestamp 52222213 2286512852> (DF) [tos 0x
    19:59:29.208840 217.4.250.8.35609 > 217.9.113.66.ftp: P 56:62(6) ack 1841 win 8190 <nop,nop,timestamp 52222213 2286512852> (DF
    19:59:29.257378 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120 <mss 1460,sackOK,timestamp 22865
    19:59:29.325064 217.9.113.66.ftp > 217.4.250.8.35609: . ack 62 win 32120 <nop,nop,timestamp 2286512860 52222213> (DF)
    19:59:32.304569 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120 <mss 1460,sackOK,timestamp 22865

    Which ports must I open?

    Thanks for your config or help

    Roland

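As an added diagnostic (not part of Roland's post or any list reply), the Python script below reads tcpdump lines of the shape shown above and lists TCP handshakes that never receive a SYN-ACK; on the constructed sample, which copies the pattern of the trace, the only unanswered SYN is the server's active-mode data connection from port ftp-data, the packet that the posted INPUT rules have no match for (the `! --syn` rule excludes it, and RELATED only matches it once the FTP connection-tracking helper, ip_conntrack_ftp on 2.4 kernels, is loaded). The sample lines and all function names are this example's own.

```python
"""List TCP SYNs in a tcpdump trace that are never answered with a SYN-ACK."""
import re
from collections import defaultdict

# Old-style tcpdump TCP line: "<time> <src.port> > <dst.port>: <flags> <rest>"
LINE = re.compile(r"^(\S+) (\S+) > (\S+): (\S+)(.*)$")

# Constructed sample, modelled on the trace in the post: the control
# connection completes its handshake, the ftp-data SYN is retransmitted
# without any reply (what a host firewall silently dropping it looks like).
SAMPLE_TRACE = """\
19:59:20.501533 217.4.250.8.35609 > 217.9.113.66.ftp: S 933158888:933158888(0) win 5840 <mss 1460,sackOK>
19:59:20.551516 217.9.113.66.ftp > 217.4.250.8.35609: S 856735184:856735184(0) ack 933158889 win 32120
19:59:20.551613 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1 win 5840 (DF)
19:59:29.257378 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120
19:59:32.304569 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120
"""


def split_endpoint(endpoint):
    """'217.9.113.66.ftp-data' -> ('217.9.113.66', 'ftp-data')."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def unanswered_syns(trace):
    """Return {(client, server): syn_count} for handshakes with no SYN-ACK."""
    syns = defaultdict(int)
    answered = set()
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m or "S" not in m.group(4):
            continue  # not a TCP line, or no SYN flag
        src, dst = split_endpoint(m.group(2)), split_endpoint(m.group(3))
        if " ack " in m.group(5):
            answered.add((dst, src))  # SYN-ACK flows server -> client
        else:
            syns[(src, dst)] += 1     # initial SYN or a retransmission
    return {flow: n for flow, n in syns.items() if flow not in answered}


def diagnose(trace):
    """Human-readable findings; flags inbound active-mode FTP data SYNs."""
    findings = []
    for (src, dst), n in unanswered_syns(trace).items():
        note = f"{src[0]}:{src[1]} -> {dst[0]}:{dst[1]}: {n} SYN(s), no SYN-ACK"
        if src[1] == "ftp-data":
            note += " (active-mode FTP data connection from the server, dropped inbound)"
        findings.append(note)
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_TRACE)) or "all handshakes completed")
```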