Iptables and ftp server?
From : Lars


Date : 04-02-01 16:08

Does anyone have a suggestion for what needs to be changed/corrected/added in
the script below (from Henrik Størner) to allow access to an ftp server
running on a machine behind the firewall?
I've got a bit stuck on the syntax.

Thanks in advance.

/Lars


#!/bin/sh
#
#
# Henrik Størner, henrik@storner.dk
#

PATH=/bin:/sbin:/usr/bin:/usr/sbin


#########################################
# First setup some of the kernel features
#########################################

# Disable forwarding - this is for a standalone system.
# (For masquerading, see below).
echo "0" >/proc/sys/net/ipv4/ip_forward

# Enable syn-cookies (syn-flooding attacks)
echo "1" >/proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Shut off source-routing and enable IP spoof detection
# It seems that this must be done for all network interfaces
for f in /proc/sys/net/ipv4/conf/*; do
    # Drop all source-routed packets
    echo "0" >$f/accept_source_route

    # Enable source-address verification (anti spoofing).
    # The value 2 means use Ingress filtering as per RFC 1812.
    # Overhead is a little more than the simple routing check
    # (enabled with 1) but it is negligible for most home users.
    echo "2" >$f/rp_filter
done


######################
# Setup IP firewalling
######################

# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# Create a common chain for the INPUT and FORWARD handling
iptables -N block
iptables -F block

# Allow traffic on established connections
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new connections if not from the outside
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT

# Allow new connections to our public services
# For home users there are normally none
# iptables -A block -m state --protocol tcp --state NEW --destination-port http -j ACCEPT

# Block anything else: log it here, the DROP policy on INPUT/FORWARD
# does the actual dropping
iptables -A block -j LOG

# Activate the new chain
iptables -A INPUT -j block
iptables -A FORWARD -j block


####################
# Setup Masquerading
####################


# Setup NAT for outgoing connections from the local network

### NB: This is disabled by default. If you want to use ###
### masquerading, just remove the "###" comment-markers ###
### from the lines below. ###

###iptables -t nat -F POSTROUTING
###iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

#
# NB: On Red Hat systems, this is controlled in /etc/sysctl.conf !
# You need to set net.ipv4.ip_forward=1 in this file, or the
# command below will have no effect.
#
###echo "1" >/proc/sys/net/ipv4/ip_forward





 
 
Joakim Recht (05-02-2001)
Comment
From : Joakim Recht


Date : 05-02-01 21:42

"Lars" <lars@linuxnet.dk> writes:

> Does anyone have a suggestion for what needs to be changed/corrected/added in
> the script below (from Henrik Størner) to allow access to an ftp server
> running on a machine behind the firewall?
> I've got a bit stuck on the syntax.
>
> Thanks in advance.
>
> /Lars
>
>
> #!/bin/sh
> #
> #
> # Henrik Størner, henrik@storner.dk
> #
>
> PATH=/bin:/sbin:/usr/bin:/usr/sbin
>
>
> #########################################
> # First setup some of the kernel features
> #########################################
>
> # Disable forwarding - this is for a standalone system.
> # (For masquerading, see below).
> echo "0" >/proc/sys/net/ipv4/ip_forward
>
> # Enable syn-cookies (syn-flooding attacks)
> echo "1" >/proc/sys/net/ipv4/tcp_syncookies
>
> # Disable ICMP echo-request to broadcast addresses (Smurf amplifier)
> echo "1" >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Shut off source-routing and enable IP spoof detection
> # It seems that this must be done for all network interfaces
> for f in /proc/sys/net/ipv4/conf/*; do
> # Drop all source-routed packets
> echo "0" >$f/accept_source_route
>
> # Enable source-address verification (anti spoofing).
> # The value 2 means use Ingress filtering as per RFC 1812.
> # Overhead is a little more than the simple routing check
> # (enabled with 1) but it negligible for most home users.
> echo "2" >$f/rp_filter
> done
>
>
> ######################
> # Setup IP firewalling
> ######################
>
> # Default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
>
> # Create a common chain for the INPUT and FORWARD handling
> iptables -N block
> iptables -F block
>
> # Allow traffic on established connections
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> # Allow new connections if not from the outside
> iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
>
> # Allow new connections to our public services
> # For home users there are normally none
> # iptables -A block -m state --protocol tcp --state NEW --destination-port
> http -j ACCEPT
>
> # Block anything else
> iptables -A block -j LOG
>
> # Activate the new chain
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
>
>
In principle it's just a matter of forwarding the ftp and ftp-data ports in to the local network,
but some ftpd's can get a bit unhappy with that (e.g. proftpd *I think* needs
allowforeignaddress on)... Anyway, port forwarding with iptables is done
with -j DNAT in the nat table:

iptables -t nat -A PREROUTING -p tcp -d eksternadresse --dport 21 -j DNAT --to-destination internadresse:21
iptables -t nat -A PREROUTING -p tcp -d eksternadresse --dport 20 -j DNAT --to-destination internadresse:20



Regards
--
Joakim Recht
Tel. 20 85 54 77
Email god@cs.auc.dk
WWW http://www.braindump.dk / http://www.compuclub.dk
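An added example (not from the thread or from Henrik's script) that puts the DNAT rule together with the FORWARD accept it needs under the script's DROP policies; ppp0 is the external interface from the script above, 192.168.1.10 is an assumed internal address for the ftp server, and IPT="echo iptables" prints the rules instead of loading them:

```shell
#!/bin/sh
# Added example, not from the thread: forward inbound FTP to a server behind
# the firewall with DNAT and open the FORWARD path that Henrik's script drops.
# Placeholder values: ppp0 is the external interface from the script above,
# 192.168.1.10 is an assumed internal address for the ftp server.
EXT_IF=ppp0
FTP_SERVER=192.168.1.10
IPT=${IPT:-iptables}   # set IPT="echo iptables" to print the rules instead

ftp_forward_rules() {
    # Rewrite the destination of new control connections (port 21) that arrive
    # on the external interface. Matching on -i instead of an external address
    # also works when ppp0 gets a dynamic address.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER":21

    # FORWARD has policy DROP and the block chain only accepts NEW connections
    # that did not come in on ppp0, so the rewritten packets need their own
    # accept, placed before the jump to block. Only port 21 is opened.
    $IPT -I FORWARD 1 -i "$EXT_IF" -p tcp -d "$FTP_SERVER" --dport 21 \
        -m state --state NEW -j ACCEPT
}

apply_ftp_forward() {
    # The ftp helpers track the data connections (active and passive) and
    # rewrite addresses in PORT/PASV, so they pass as RELATED through the
    # existing ESTABLISHED,RELATED rule without opening port 20 or a
    # passive port range. (2.4 kernels: ip_conntrack_ftp/ip_nat_ftp;
    # 2.6 and later: nf_conntrack_ftp/nf_nat_ftp.) From kernel 4.7 on,
    # helpers are no longer attached automatically: either set
    # net.netfilter.nf_conntrack_helper=1 or add a -j CT --helper ftp
    # rule for port 21 in the raw table.
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
    # DNAT needs forwarding, which the script above switches off.
    echo "1" >/proc/sys/net/ipv4/ip_forward
    ftp_forward_rules
}

# Load for real only when asked; otherwise just define the functions.
if [ "$1" = "apply" ]; then
    apply_ftp_forward
fi
```

Run as root with the argument apply; without it the script only defines the functions, so you can preview with IPT="echo iptables" and a call to ftp_forward_rules.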
