A Firewall I Made

Protecting your Linux box
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai
Contact:

Post by mudasir »

AOA,

Salam to all, I have made a firewall and just wanted to get advice from all you professional and experienced guys. Can you please tell me how I can make this firewall more secure and strong?

As I am not a professional in this field, I know there will be many vulnerabilities in this firewall; please help me out in making this firewall more secure and strong.

Code:

#!/bin/sh 

###############################################
####      Firewall Script Created By       ####
####            Mudasir Mirza              ####
####       cool_mudasir@hotmail.com        ####
####          0092-321-2395320             ####  
###############################################   

#set -x 

######################## 
## Defining Variables ## 
######################## 

# Path to IPTABLES executable 
IPT="/sbin/iptables" 

# Interface Card Connected to Local Network 
NETWORK="eth0" 

# Interface Card Connected to Internet 
INTERNET="eth1" 

# Loopback Interface 
LOOPBACK="lo" 

# IP Address of Server
SERVER_IP="192.168.1.1"

# Local Network IP Range / Subnet 
LOC_IP="192.168.1.0/24" 

# INTERNAL Broadcast 
LOC_BCAST=192.168.1.255 

# IP On The Internet Interface 
NET_IP="172.16.0.1/24" 

# DHCP Server IP 
DHCP_SERVER="192.168.1.1" 

# Squid Server IP
SQUID_IP="192.168.1.1"

# Squid PORT
SQUID_PORT="8080"

# Primary DNS Server
P_DNS="203.135.1.117" 

# Alternate DNS Server
A_DNS="203.135.0.70"

# Path To Directory Containing MAC Addresses 
MACDIR="/files/macs"

# Path To File Containing MAC Addresses
MACFILE="/files/macs/allowed.macs"


#########################
### Flushing IPTABLES ###
#########################

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X


########################################
### Setting Default Policies to Drop ###
########################################

$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

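# Only INPUT defaults to DROP; FORWARD and OUTPUT default to ACCEPT
echo "Default policies set: INPUT DROP, FORWARD ACCEPT, OUTPUT ACCEPT"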

####################################
### Setting Needed PROC Settings ###
####################################

echo 1 > /proc/sys/net/ipv4/ip_forward

##############################
### Setting IPTABLES Rules ###
##############################


###############################
### MAC Addresses Filtering ###
###############################

rm -f $MACDIR/mac.addresses
# Overwrite (>) rather than append (>>) so a mac1 left by an interrupted run is not reused
cat $MACFILE | awk '{ print $1 }' > $MACDIR/mac1
cat $MACDIR/mac1 | sed "s/#.*//" > $MACDIR/mac2
cat $MACDIR/mac2 | sed "/^ /d;/^$/d;" > $MACDIR/mac.addresses
rm -f $MACDIR/mac1
rm -f $MACDIR/mac2

echo ----------------------------------------
echo Marking Packets from Known MAC Addresses
echo ----------------------------------------

cat $MACDIR/mac.addresses | while read MACS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $MACS -j MARK --set-mark 1
done

echo -----------------------------------------------
echo ---- MAC Address Filtering Complete ----
echo -----------------------------------------------


#########################################
### MAC Addresses Filtering Completed ###
#########################################


################################
### Accepting Marked Packets ###
################################


$IPT -A INPUT -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -i $NETWORK -m mark --mark 1 -j ACCEPT


#####################################
### Dropping All Unmarked Packets ###
#####################################


$IPT -A FORWARD -i $NETWORK -m mark ! --mark 1 -j DROP
$IPT -A INPUT -i $NETWORK -m mark ! --mark 1 -j DROP


########################################################
### Accepting Voice/CAM Request for Marked Packets.  ###
########################################################


$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p udp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5100 -j ACCEPT


########################################################
### Dropping Voice/CAM Traffic which is not Marked.  ###
########################################################


$IPT -t nat -A PREROUTING -i $NETWORK -m mark ! --mark 1 -p tcp --dport 5000:5010 -j DROP
$IPT -t nat -A PREROUTING -m mark ! --mark 1 -i $NETWORK -p tcp --dport 5100 -j DROP


################################
### Accepting DHCP Request.  ###
################################


$IPT -A INPUT -i $NETWORK -p udp -s $DHCP_SERVER --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT


################################################################
### Redirecting HTTP and FTP Traffic to Squid Proxy Server.  ###
################################################################


$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 21 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 21 -j REDIRECT --to-port $SQUID_PORT


#################################################
###  MASQUERADE All packets that are Marked.  ###
#################################################


$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -m mark --mark 1 -o $INTERNET -j MASQUERADE


###############################
### Rules for ICMP Protocol ###
###############################

$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $P_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $A_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d ! $LOC_IP -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable
$IPT -A INPUT -p icmp -s $LOC_IP -d $LOC_BCAST -j DROP


###############################################
###  No Restriction for Loopback Interface  ###
###############################################


$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT


##########################################################################
### Dropping Packets coming from internet claiming to be from Network  ###
##########################################################################


$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP

$IPT -A INPUT -i $NETWORK -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -j ACCEPT


#######################################################
###  Accepting Established and Related Connections  ###
#######################################################


$IPT -I INPUT -i $NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


#############################################
### Dropping Invalid and Unknown Packets  ###
#############################################


$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --syn -s $LOC_IP --dport 80 -m mark ! --mark 1 -j DROP

Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
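
An added example, not part of mudasir's post: the MAC allow-list step from the script above written as a single pipeline that validates each entry before it reaches `iptables`, so a typo in `allowed.macs` or a leftover temp file cannot end up in a rule. The function names, the `DRY_RUN` switch and the sample list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: build the MAC allow-list without mac1/mac2 temp files and
# validate every entry before it is handed to iptables.

IPT=${IPT:-/sbin/iptables}
NETWORK=${NETWORK:-eth0}
DRY_RUN=${DRY_RUN:-1}   # assumption for this example: 1 = print rules only

# Print unique, upper-cased MAC addresses from an allowed.macs-style file.
# Text after '#' and blank lines are ignored; anything that is not six
# colon-separated hex octets is reported on stderr and skipped.
clean_macs() {
    sed -e 's/#.*//' "$1" | while read -r mac _rest; do
        [ -n "$mac" ] || continue
        if printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
            printf '%s\n' "$mac" | tr 'a-f' 'A-F'
        else
            printf 'skipping invalid MAC entry: %s\n' "$mac" >&2
        fi
    done | sort -u
}

# Mark traffic from each validated MAC, as the script's mangle rule does.
mark_known_macs() {
    clean_macs "$1" | while read -r mac; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $mac -j MARK --set-mark 1"
        else
            "$IPT" -t mangle -A PREROUTING -i "$NETWORK" \
                -m mac --mac-source "$mac" -j MARK --set-mark 1
        fi
    done
}

# Constructed sample allow-list (not from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# office PCs
00:11:22:33:44:55   reception
aa:bb:cc:dd:ee:ff   # laptop
00:11:22:33:44:55
00:11:22:33:44      truncated entry
EOF
mark_known_macs "$sample"
rm -f "$sample"
```
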
kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore
Contact:

Post by kbukhari »

Why these lines?
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 21 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 21 -j REDIRECT --to-port $SQUID_PORT
Squid is an HTTP proxy and can't run transparently for FTP. If you want a transparent FTP proxy, then go for frox.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
x2oxen
Major General
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Location: Faisalabad
Contact:

Post by x2oxen »

mudassir, this is not a firewall. You can say you have made a firewall script to make a system secure using iptables.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com

Post by mudasir »

AOA,

Dear kbukhari,
Thanks a lot for telling me this; I have made changes in the script.

Dear x2oxen,
You are absolutely correct, it's just a firewall script to make my Linux box a bit more secure.
Can you please point out where this script is lacking and what more amendments I can make in this script to make it more secure?
I know there will be many mistakes in this script as I am not a professional in this field.

Post by x2oxen »

Though I am not an expert in firewalling yet, I am working on it, and whenever I get anything good on that I will let you know for sure; I am testing your script as well.

Post by mudasir »

AOA,

Dear x2oxen,

As said earlier, I am also not a professional regarding firewalling. However, I tried to make this for my own CABLE NET and it worked great; however, not being a professional, I don't know the key points regarding SECURITY. That is the main reason for asking for HELP to make this FIREWALL a bit more SECURE.

Post by x2oxen »

You said you have made changes in your script. Why don't you post your new script as well?

Post by kbukhari »

mudasir wrote: AOA,

Dear x2oxen,

As said earlier, I am also not a professional regarding firewalling. However, I tried to make this for my own CABLE NET and it worked great; however, not being a professional, I don't know the key points regarding SECURITY. That is the main reason for asking for HELP to make this FIREWALL a bit more SECURE.

But your scripting style is very good and looks professional.

Post by x2oxen »

Yup, he's good at it. At least at shell scripting.

Post by mudasir »

AOA,

Dear x2oxen and Kbukhari,

Thanks a lot, I really appreciate it.

Post by mudasir »

AOA,

I have made a few changes in the ORIGINAL script; the new script is as follows.

In this I have added SSH, SQUID_SERVER, SQUID_PORT variables so that the script becomes easier for a beginner.

Code:

#!/bin/sh 

############################################### 
####      Firewall Script Created By       #### 
####            Mudasir Mirza              #### 
####       cool_mudasir@hotmail.com        #### 
####          0092-321-2395320             ####  
###############################################    

#set -x 

######################## 
## Defining Variables ## 
######################## 

# Path to IPTABLES executable 
IPT="/sbin/iptables" 

# Interface Card Connected to Local Network 
NETWORK="eth0" 

# Interface Card Connected to Internet 
INTERNET="eth1" 

# Loopback Interface 
LOOPBACK="lo" 

# IP Address of Server
SERVER_IP="192.168.1.1" 

# Local Network IP Range / Subnet 
LOC_IP="192.168.1.0/24" 

# INTERNAL Broadcast 
LOC_BCAST=192.168.1.255 

# IP On The Internet Interface 
NET_IP="172.16.0.1/24" 

# DHCP Server IP 
DHCP_SERVER="192.168.1.1" 

# IP on which SQUID Proxy is Running
SQUID_SERVER="192.168.1.1"

# Squid PORT 
SQUID_PORT="8080" 

# SSH Port
SSH_PORT="22"

# Primary DNS Server
P_DNS="203.135.1.117" 

# Alternate DNS Server 
A_DNS="203.135.0.70" 

# Path To Directory Containing MAC Addresses 
MACDIR="/files/macs" 

# Path To File Containing MAC Addresses 
MACFILE="/files/macs/allowed.macs" 


######################### 
### Flushing IPTABLES ### 
######################### 

$IPT -F 
$IPT -X 
$IPT -t nat -F 
$IPT -t nat -X 
$IPT -t mangle -F 
$IPT -t mangle -X 


######################################## 
### Setting Default Policies to Drop ### 
######################################## 

$IPT -P INPUT DROP 
$IPT -P FORWARD ACCEPT 
$IPT -P OUTPUT ACCEPT 

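# Only INPUT defaults to DROP; FORWARD and OUTPUT default to ACCEPT
echo "Default policies set: INPUT DROP, FORWARD ACCEPT, OUTPUT ACCEPT"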

#################################### 
### Setting Needed PROC Settings ### 
#################################### 

echo 1 > /proc/sys/net/ipv4/ip_forward 

############################## 
### Setting IPTABLES Rules ### 
############################## 


############################### 
### MAC Addresses Filtering ### 
############################### 

rm -f $MACDIR/mac.addresses 
# Overwrite (>) rather than append (>>) so a mac1 left by an interrupted run is not reused
cat $MACFILE | awk '{ print $1 }' > $MACDIR/mac1
cat $MACDIR/mac1 | sed "s/#.*//" > $MACDIR/mac2 
cat $MACDIR/mac2 | sed "/^ /d;/^$/d;" > $MACDIR/mac.addresses 
rm -f $MACDIR/mac1 
rm -f $MACDIR/mac2 

echo ---------------------------------------- 
echo Marking Packets from Known MAC Addresses 
echo ---------------------------------------- 

cat $MACDIR/mac.addresses | while read MACS 
do 
$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $MACS -j MARK --set-mark 1 
done 

echo ----------------------------------------------- 
echo ---- MAC Address Filtering Complete ---- 
echo ----------------------------------------------- 


######################################### 
### MAC Addresses Filtering Completed ### 
######################################### 

############################################
### Accepting SSH Requests From Internet ###
############################################


$IPT -A INPUT -i $INTERNET -p tcp --dport $SSH_PORT -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp --dport $SSH_PORT -j ACCEPT


################################ 
### Accepting Marked Packets ### 
################################ 


$IPT -A INPUT -i $NETWORK -m mark --mark 1 -j ACCEPT 
$IPT -A FORWARD -i $NETWORK -m mark --mark 1 -j ACCEPT 


#####################################
### Dropping All Unmarked Packets ###
#####################################


$IPT -A FORWARD -i $NETWORK -m mark ! --mark 1 -j DROP 
$IPT -A INPUT -i $NETWORK -m mark ! --mark 1 -j DROP 


######################################################## 
### Accepting Voice/CAM Request for Marked Packets.  ### 
######################################################## 


$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5000:5010 -j ACCEPT 
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p udp --dport 5000:5010 -j ACCEPT 
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5100 -j ACCEPT 


########################################################
### Dropping Voice/CAM Traffic which is not Marked.  ###
########################################################


$IPT -t nat -A PREROUTING -i $NETWORK -m mark ! --mark 1 -p tcp --dport 5000:5010 -j DROP
$IPT -t nat -A PREROUTING -m mark ! --mark 1 -i $NETWORK -p tcp --dport 5100 -j DROP


################################ 
### Accepting DHCP Request.  ### 
################################ 


$IPT -A INPUT -i $NETWORK -p udp -s $DHCP_SERVER --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT 
$IPT -A OUTPUT -o $NETWORK -p udp -s 255.255.255.255 --sport 68 -d $DHCP_SERVER --dport 67 -j ACCEPT 


################################################################ 
### Redirecting HTTP and FTP Traffic to Squid Proxy Server.  ### 
################################################################ 


$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT 
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT 


################################################# 
###  MASQUERADE All packets that are Marked.  ### 
################################################# 


$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -m mark --mark 1 -o $INTERNET -j MASQUERADE 


############################### 
### Rules for ICMP Protocol ### 
############################### 

$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $P_DNS -p icmp -j ACCEPT 
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $A_DNS -p icmp -j ACCEPT 
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d ! $LOC_IP -p icmp --icmp-type echo-request -j DROP 
$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable 
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable 
$IPT -A INPUT -p icmp -s $LOC_IP -d $LOC_BCAST -j DROP 


############################################### 
###  No Restriction for Loopback Interface  ### 
############################################### 


$IPT -A INPUT -i $LOOPBACK -j ACCEPT 
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT 


##########################################################################
### Dropping Packets coming from internet claiming to be from Network  ###
##########################################################################


$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP 
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP 

$IPT -A INPUT -i $NETWORK -j ACCEPT 
$IPT -A OUTPUT -o $NETWORK -j ACCEPT 


####################################################### 
###  Accepting Established and Related Connections  ###
####################################################### 


$IPT -I INPUT -i $NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPT -A OUTPUT -o $NETWORK -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 


#############################################
### Dropping Invalid and Unknown Packets  ###
#############################################


$IPT -A FORWARD -m state --state INVALID -j DROP 
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP 
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP 
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP 
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP 
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP 
$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --syn -s $LOC_IP --dport 80 -m mark ! --mark 1 -j DROP 

Still working to make this script better, more secure.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
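
An added example, not from the thread: iptables stops at the first terminating rule that matches, so once `INPUT` accepts marked and drops unmarked packets on `$NETWORK`, every `INPUT -i $NETWORK` rule appended later in either version of the script (DHCP, ICMP, the final ACCEPT) can never match. The check below flags such rules; it is deliberately narrow (mark/no-mark pairs and match-less rules only), and `find_shadowed`, `sample_rules` and the expanded rule lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example: flag appended rules that can never match because earlier
# rules in the same chain already decide every packet on that interface.
# Input: one iptables command per line, variables already expanded.

find_shadowed() {
    awk '
    {
        table = "filter"; op = ""; chain = ""; iface = "*"
        mark = ""; neg = 0; target = ""; extra = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-t") table = $(++i)
            else if ($i == "-A" || $i == "-I") { op = $i; chain = $(++i) }
            else if ($i == "-i") iface = $(++i)
            else if ($i == "-j") target = $(++i)
            else if ($i == "-m" && $(i + 1) == "mark") i++
            else if ($i == "!" && $(i + 1) == "--mark") neg = 1
            else if ($i == "--mark") mark = $(++i)
            else extra = 1          # any other match narrows the rule
        }
        if (op != "-A") next        # -I rules sit at the head of the chain
        key = table SUBSEP chain SUBSEP iface
        any = table SUBSEP chain SUBSEP "*"
        if (closed[key] || closed[any]) { print NR ": " $0; next }
        if (extra || (target != "ACCEPT" && target != "DROP")) next
        if (mark == "") closed[key] = 1
        else {
            seen[key, mark, neg] = 1
            if (seen[key, mark, 0] && seen[key, mark, 1]) closed[key] = 1
        }
    }'
}

# Constructed input: a subset of the script's INPUT rules, in script order,
# with eth0 = $NETWORK and eth1 = $INTERNET substituted.
sample_rules() {
    cat <<'EOF'
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m mark --mark 1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -m mark ! --mark 1 -j DROP
/sbin/iptables -A INPUT -i eth0 -p udp -s 192.168.1.1 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -d 192.168.1.1 -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
/sbin/iptables -A INPUT -p icmp -s 192.168.1.0/24 -d 192.168.1.255 -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j ACCEPT
/sbin/iptables -I INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Prints the numbered input lines that are unreachable.
sample_rules | find_shadowed
```

Rules flagged this way have to be moved above the accept/drop pair, or the pair narrowed, before they have any effect.
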

Post by mudasir »

AOA,

I am facing a problem regarding this script; although I made it, I still have one problem. When I implemented this script, my clients faced only one problem: they are unable to open any FTP site and cannot even connect using their FTP software. So I made a few changes in this script.

I added these lines to the script:

Code:

MOD="/sbin/modprobe"

# Load connection tracking and the FTP conntrack/NAT helpers
$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD ip_nat_ftp

iptables -A INPUT -i $NETWORK -p tcp --dport 20:21 -j ACCEPT
iptables -A FORWARD -p tcp --dport 20:21 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp --dport 20:21 -j ACCEPT

Still no progress with the FTP thing. Please help me out, FTP connections are not being made.

As I enter an FTP address in IE, it gives me an error:

PAGE CAN NOT BE DISPLAYED.

Looking forward to a reply.

Post by mudasir »

AOA,

Please tell me what I should do in order for FTP sites to work behind this script.
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Post by LinuxFreaK »

Dear mudasir,
Salam,
mudasir wrote: Please tell me what I should do in order for FTP sites to work behind this script

Allow passive ports in your Firewall Rules.

Best Regards.
Farrukh Ahmed

Post by kbukhari »

mudasir wrote: AOA,

Please tell me what I should do in order for FTP sites to work behind this script

Try allowing related packets...