A Firewall I Made


Postby mudasir » Thu Nov 22, 2007 11:12 am

AOA,

Salam to all, I have made a firewall and just wanted to get advice from all you professional and experienced guyz. Can you please tell me how I can make this firewall more secure and strong?

As I am not a professional in this field, I know there will be many vulnerabilities in this firewall; please help me out in making it more secure and strong.


#!/bin/sh

###############################################
####      Firewall Script Created By       ####
####            Mudasir Mirza              ####
####       cool_mudasir@hotmail.com        ####
####          0092-321-2395320             #### 
###############################################   

#set -x

########################
## Defining Variables ##
########################

# Path to IPTABLES executable
IPT="/sbin/iptables"

# Interface Card Connected to Local Network
NETWORK="eth0"

# Interface Card Connected to Internet
INTERNET="eth1"

# Loopback Interface
LOOPBACK="lo"

# IP Address of Server
SERVER_IP="192.168.1.1"

# Local Network IP Range / Subnet
LOC_IP="192.168.1.0/24"

# INTERNAL Broadcast
LOC_BCAST=192.168.1.255

# IP On The Internet Interface
NET_IP="172.16.0.1/24"

# DHCP Server IP
DHCP_SERVER="192.168.1.1"

# Squid Server IP
SQUID_IP="192.168.1.1"

# Squid PORT
SQUID_PORT="8080"

# Primary DNS Server
P_DNS="203.135.1.117"

# Alternate DNS Server
A_DNS="203.135.0.70"

# Path To Directory Containing MAC Addresses
MACDIR="/files/macs"

# Path To File Containing MAC Addresses
MACFILE="/files/macs/allowed.macs"


#########################
### Flushing IPTABLES ###
#########################

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X


########################################
### Setting Default Policies to Drop ###
########################################

# Only INPUT defaults to DROP; FORWARD and OUTPUT stay ACCEPT and are
# filtered by the explicit rules below.
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

echo Default INPUT Policy Set To Drop

####################################
### Setting Needed PROC Settings ###
####################################

echo 1 > /proc/sys/net/ipv4/ip_forward

##############################
### Setting IPTABLES Rules ###
##############################


###############################
### MAC Addresses Filtering ###
###############################

# Build a clean MAC list: first field of each line, "# ..." comments
# stripped, blank lines removed. Write with ">" (not ">>") so a previous
# interrupted run cannot leave stale entries behind in mac1.
rm -f $MACDIR/mac.addresses
awk '{ print $1 }' $MACFILE > $MACDIR/mac1
sed "s/#.*//" $MACDIR/mac1 > $MACDIR/mac2
sed "/^ /d;/^$/d;" $MACDIR/mac2 > $MACDIR/mac.addresses
rm -f $MACDIR/mac1
rm -f $MACDIR/mac2

echo ----------------------------------------
echo Marking Packets from Known MAC Addresses
echo ----------------------------------------

cat $MACDIR/mac.addresses | while read MACS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $MACS -j MARK --set-mark 1
done

echo -----------------------------------------------
echo ---- MAC Address Filtering Complete ----
echo -----------------------------------------------


#########################################
### MAC Addresses Filtering Completed ###
#########################################


################################
### Accepting Marked Packets ###
################################


$IPT -A INPUT -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -i $NETWORK -m mark --mark 1 -j ACCEPT


#####################################
### Dropping All Unmarked Packets ###
#####################################


$IPT -A FORWARD -i $NETWORK -m mark ! --mark 1 -j DROP
$IPT -A INPUT -i $NETWORK -m mark ! --mark 1 -j DROP


########################################################
### Accepting Voice/CAM Request for Marked Packets.  ###
########################################################


$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p udp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5100 -j ACCEPT


#######################################################
### Dropping Voice/CAM Traffic which is not Marked. ###
#######################################################


$IPT -t nat -A PREROUTING -i $NETWORK -m mark ! --mark 1 -p tcp --dport 5000:5010 -j DROP
$IPT -t nat -A PREROUTING -m mark ! --mark 1 -i $NETWORK -p tcp --dport 5100 -j DROP


################################
### Accepting DHCP Request.  ###
################################


# A DHCP request comes from a client's port 68 to this server's port 67;
# the reply goes back from port 67 to port 68 (unicast or broadcast).
$IPT -A INPUT -i $NETWORK -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT


################################################################
### Redirecting HTTP and FTP Traffic to Squid Proxy Server.  ###
################################################################


$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 21 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 21 -j REDIRECT --to-port $SQUID_PORT


#################################################
###  MASQUERADE All packets that are Marked.  ###
#################################################


$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -m mark --mark 1 -o $INTERNET -j MASQUERADE


###############################
### Rules for ICMP Protocol ###
###############################

$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $P_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $A_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP ! -d $LOC_IP -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable
$IPT -A INPUT -p icmp -s $LOC_IP -d $LOC_BCAST -j DROP


###############################################
###  No Restriction for Loopback Interface  ###
###############################################


$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT


#########################################################################
### Dropping Packets coming from internet claiming to be from Network ###
#########################################################################


$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP

$IPT -A INPUT -i $NETWORK -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -j ACCEPT


#######################################################
###  Accepting Established and Related Connections  ###
#######################################################


$IPT -I INPUT -i $NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


############################################
### Dropping Invalid and Unknown Packets ###
############################################


$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --syn -s $LOC_IP --dport 80 -m mark ! --mark 1 -j DROP

Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
 
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Website: http://www.crystalnetworks.org
Location: Dubai
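As an added example (not mudasir's code or anything posted in the thread), the same MAC list built in one pass and validated before any entry is handed to iptables, so a stray word or short address in allowed.macs aborts the load instead of producing a broken or unintended rule. The variable names IPT and NETWORK follow the script; the run/DRY_RUN wrapper and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: build and validate the MAC allow-list
# before any entry reaches an iptables command line.
IPT="${IPT:-/sbin/iptables}"
NETWORK="${NETWORK:-eth0}"

# Lower-case colon-separated MAC, nothing else on the line.
MAC_RE='^([0-9a-f]{2}:){5}[0-9a-f]{2}$'

# With DRY_RUN set, print the iptables command instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# One pass instead of cat|awk|sed|sed with temp files: drop "# ..." comments,
# skip blank lines, keep the first field, lower-case it.
normalise_macs() {
    sed 's/#.*//' "$1" | awk 'NF { print tolower($1) }'
}

# Well-formed entries only.
valid_macs() {
    normalise_macs "$1" | grep -E "$MAC_RE" || true
}

# Everything else: typos, short addresses, stray words.
invalid_macs() {
    normalise_macs "$1" | grep -Ev "$MAC_RE" || true
}

# Same marking rule as the script, but refuse the whole file if any line is
# malformed, so a typo cannot leave the ruleset half-applied.
mark_known_macs() {
    file="$1"
    if [ -n "$(invalid_macs "$file")" ]; then
        echo "$file: malformed entries, nothing loaded:" >&2
        invalid_macs "$file" >&2
        return 1
    fi
    valid_macs "$file" | while read -r mac; do
        run "$IPT" -t mangle -A PREROUTING -i "$NETWORK" \
            -m mac --mac-source "$mac" -j MARK --set-mark 1
    done
}

# Constructed sample list (not a real allowed.macs from the thread).
write_sample() {
    cat > "$1" <<'EOF'
# allowed.macs - constructed sample
00:11:22:33:44:55        # desk 1
AA:BB:CC:DD:EE:FF        # desk 2, upper-case is accepted

00:11:22:33:44           # too short: rejected
EOF
}

# Usage: sh macs.sh show /files/macs/allowed.macs   (print the rules)
#        sh macs.sh apply /files/macs/allowed.macs  (load them)
case "${1:-}" in
    show)  DRY_RUN=1 mark_known_macs "$2" ;;
    apply) mark_known_macs "$2" ;;
esac
```

The list remains a convenience control rather than authentication, since the MAC is whatever the client reports.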

Postby kbukhari » Thu Nov 22, 2007 12:20 pm

Why these lines?
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 21 -j REDIRECT --to-port $SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 21 -j REDIRECT --to-port $SQUID_PORT


Squid is an HTTP proxy and can't run transparently for FTP; if you want a transparent FTP proxy then go for frox.
--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com
kbukhari
Major General
 
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Website: http://kashifbukhari.com
Location: Lahore

Postby x2oxen » Fri Nov 23, 2007 3:44 am

mudasir, this is not a firewall; you can say you have made a firewall script for making a system secure using iptables.
Muhammad Usman
+92-321-6640501
Chemonics International
http://usmanpk.com
x2oxen
Major General
 
Posts: 1114
Joined: Wed Aug 22, 2007 3:17 pm
Website: http://usmanpk.com
WLM: x2oxen@hotmail.com
Yahoo Messenger: x2oxen
Location: Faisalabad

Postby mudasir » Fri Nov 23, 2007 7:58 am

AOA,

Dear kbukhari,
Thanks a lot for telling me this; I have made changes in the script.

Dear x2oxen,
You are absolutely correct, it's just a firewall script to make my Linux box a bit more secure.
Can you please point out where this script is lacking and what more amendments I can make in this script to make it more secure?
I know there will be many mistakes in this script as I am not a professional in this field.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Postby x2oxen » Fri Nov 23, 2007 6:24 pm

Though I am not an expert in firewalling yet, I am working on it, and whenever I get anything good on that I will let you know for sure; I am testing your script as well.
Muhammad Usman

+92-321-6640501

Chemonics International

http://usmanpk.com

Postby mudasir » Fri Nov 23, 2007 7:03 pm

AOA,

Dear x2oxen,

As said earlier, I am also not a professional regarding firewalling. However, I tried to make this for my own CABLE NET and it worked great; however, not being a professional, I don't know the key points regarding SECURITY. That is the main reason for asking for HELP to make this FIREWALL a bit more SECURE.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Postby x2oxen » Sat Nov 24, 2007 2:53 pm

you said you have made changes in your script. Why don't you post your new script as well.
Muhammad Usman

+92-321-6640501

Chemonics International

http://usmanpk.com

Postby kbukhari » Mon Nov 26, 2007 10:33 am

mudasir wrote: AOA,

Dear x2oxen,

As said earlier, I am also not a professional regarding firewalling. However, I tried to make this for my own CABLE NET and it worked great; however, not being a professional, I don't know the key points regarding SECURITY. That is the main reason for asking for HELP to make this FIREWALL a bit more SECURE.

But your scripting style is very good and looks professional.
--

Syed Kashif Ali Bukhari

+92-345-8444420

http://sysadminsline.com

http://kashifbukhari.com

Postby x2oxen » Mon Nov 26, 2007 7:49 pm

Yup, he's good at it, at least on shell scripting.
Muhammad Usman

+92-321-6640501

Chemonics International

http://usmanpk.com

Postby mudasir » Tue Nov 27, 2007 11:18 am

AOA,

Dear x2oxen and Kbukhari,

Thanks a lot, I really appreciate it.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Postby mudasir » Wed Nov 28, 2007 4:04 am

AOA,

I have made a few changes in the ORIGINAL script; the new script is as follows.

In this I have added SSH, SQUID_SERVER and SQUID_PORT variables so that the script becomes easier for a beginner.


#!/bin/sh

###############################################
####      Firewall Script Created By       ####
####            Mudasir Mirza              ####
####       cool_mudasir@hotmail.com        ####
####          0092-321-2395320             #### 
###############################################   

#set -x

########################
## Defining Variables ##
########################

# Path to IPTABLES executable
IPT="/sbin/iptables"

# Interface Card Connected to Local Network
NETWORK="eth0"

# Interface Card Connected to Internet
INTERNET="eth1"

# Loopback Interface
LOOPBACK="lo"

# IP Address of Server
SERVER_IP="192.168.1.1"

# Local Network IP Range / Subnet
LOC_IP="192.168.1.0/24"

# INTERNAL Broadcast
LOC_BCAST=192.168.1.255

# IP On The Internet Interface
NET_IP="172.16.0.1/24"

# DHCP Server IP
DHCP_SERVER="192.168.1.1"

# IP on which SQUID Proxy is Running
SQUID_SERVER="192.168.1.1"

# Squid PORT
SQUID_PORT="8080"

# SSH Port
SSH_PORT="22"

# Primary DNS Server
P_DNS="203.135.1.117"

# Alternate DNS Server
A_DNS="203.135.0.70"

# Path To Directory Containing MAC Addresses
MACDIR="/files/macs"

# Path To File Containing MAC Addresses
MACFILE="/files/macs/allowed.macs"


#########################
### Flushing IPTABLES ###
#########################

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X


########################################
### Setting Default Policies to Drop ###
########################################

# Only INPUT defaults to DROP; FORWARD and OUTPUT stay ACCEPT and are
# filtered by the explicit rules below.
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

echo Default INPUT Policy Set To Drop

####################################
### Setting Needed PROC Settings ###
####################################

echo 1 > /proc/sys/net/ipv4/ip_forward

##############################
### Setting IPTABLES Rules ###
##############################


###############################
### MAC Addresses Filtering ###
###############################

# Build a clean MAC list: first field of each line, "# ..." comments
# stripped, blank lines removed. Write with ">" (not ">>") so a previous
# interrupted run cannot leave stale entries behind in mac1.
rm -f $MACDIR/mac.addresses
awk '{ print $1 }' $MACFILE > $MACDIR/mac1
sed "s/#.*//" $MACDIR/mac1 > $MACDIR/mac2
sed "/^ /d;/^$/d;" $MACDIR/mac2 > $MACDIR/mac.addresses
rm -f $MACDIR/mac1
rm -f $MACDIR/mac2

echo ----------------------------------------
echo Marking Packets from Known MAC Addresses
echo ----------------------------------------

cat $MACDIR/mac.addresses | while read MACS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $MACS -j MARK --set-mark 1
done

echo -----------------------------------------------
echo ---- MAC Address Filtering Complete ----
echo -----------------------------------------------


#########################################
### MAC Addresses Filtering Completed ###
#########################################

############################################
### Accepting SSH Requests From Internet ###
############################################


# SSH is TCP only, so a single TCP rule on $SSH_PORT is enough
# (a UDP port 22 rule never matches anything).
$IPT -A INPUT -i $INTERNET -p tcp --dport $SSH_PORT -j ACCEPT


################################
### Accepting Marked Packets ###
################################


$IPT -A INPUT -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -i $NETWORK -m mark --mark 1 -j ACCEPT


#####################################
### Dropping All Unmarked Packets ###
#####################################


$IPT -A FORWARD -i $NETWORK -m mark ! --mark 1 -j DROP
$IPT -A INPUT -i $NETWORK -m mark ! --mark 1 -j DROP


########################################################
### Accepting Voice/CAM Request for Marked Packets.  ###
########################################################


$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p udp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5100 -j ACCEPT


#######################################################
### Dropping Voice/CAM Traffic which is not Marked. ###
#######################################################


$IPT -t nat -A PREROUTING -i $NETWORK -m mark ! --mark 1 -p tcp --dport 5000:5010 -j DROP
$IPT -t nat -A PREROUTING -m mark ! --mark 1 -i $NETWORK -p tcp --dport 5100 -j DROP


################################
### Accepting DHCP Request.  ###
################################


# A DHCP request comes from a client's port 68 to this server's port 67;
# the reply goes back from port 67 to port 68 (unicast or broadcast).
$IPT -A INPUT -i $NETWORK -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT


################################################################
### Redirecting HTTP and FTP Traffic to Squid Proxy Server.  ###
################################################################


$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT


#################################################
###  MASQUERADE All packets that are Marked.  ###
#################################################


$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -m mark --mark 1 -o $INTERNET -j MASQUERADE


###############################
### Rules for ICMP Protocol ###
###############################

$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $P_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $A_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP ! -d $LOC_IP -p icmp --icmp-type echo-request -j DROP
$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable
$IPT -A INPUT -p icmp -s $LOC_IP -d $LOC_BCAST -j DROP


###############################################
###  No Restriction for Loopback Interface  ###
###############################################


$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT


#########################################################################
### Dropping Packets coming from internet claiming to be from Network ###
#########################################################################


$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP

$IPT -A INPUT -i $NETWORK -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -j ACCEPT


#######################################################
###  Accepting Established and Related Connections  ###
#######################################################


$IPT -I INPUT -i $NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


############################################
### Dropping Invalid and Unknown Packets ###
############################################


$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP
$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --syn -s $LOC_IP --dport 80 -m mark ! --mark 1 -j DROP



Still working to make this script better, more secure.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
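The revised script accepts tcp/22 from the internet unconditionally. As an added example (not from the thread), the same rule with a per-source rate limit via the recent match, so a burst of new connection attempts from one address is logged and dropped while open sessions are untouched; IPT, INTERNET and SSH_PORT follow the script, and the run/DRY_RUN wrapper is this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: the revised script's SSH rule with a
# per-source rate limit (xt_recent) instead of an unconditional ACCEPT.
IPT="${IPT:-/sbin/iptables}"
INTERNET="${INTERNET:-eth1}"
SSH_PORT="${SSH_PORT:-22}"

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

ssh_rules() {
    # Only NEW connections are counted; replies to open sessions are already
    # covered by the script's ESTABLISHED rule. Each source may open 4 new
    # SSH connections per 60 s; the 5th is logged, then dropped, until the
    # window has passed.
    run "$IPT" -A INPUT -i "$INTERNET" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -m recent --set --name ssh
    run "$IPT" -A INPUT -i "$INTERNET" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -m recent --rcheck --seconds 60 --hitcount 5 \
        --name ssh -j LOG --log-prefix "ssh-ratelimit: "
    run "$IPT" -A INPUT -i "$INTERNET" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -m recent --update --seconds 60 --hitcount 5 \
        --name ssh -j DROP
    # SSH is TCP only: no "-p udp --dport 22" rule is needed.
    run "$IPT" -A INPUT -i "$INTERNET" -p tcp --dport "$SSH_PORT" -j ACCEPT
}

# Usage: sh ssh-rules.sh show (print the commands) or apply (load them).
case "${1:-}" in
    show)  DRY_RUN=1 ssh_rules ;;
    apply) ssh_rules ;;
esac
```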

Postby mudasir » Sun Dec 02, 2007 3:43 am

AOA,

I am facing a problem regarding this script; although I made it, I still have one problem. I implemented this script and, as I implemented it, my clients faced only one problem: they are unable to open any FTP site and cannot even connect using their FTP software. So I made a few changes in this script.

I added these lines to the script:


MOD="/sbin/modprobe"

# Connection tracking plus the FTP helper. The helper module is called
# ip_conntrack_ftp (nf_conntrack_ftp on newer kernels); a misspelled name
# makes modprobe fail and the helper is never loaded. ip_nat_ftp rewrites
# the PORT command so active-mode data connections survive MASQUERADE.
$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD ip_nat_ftp

$IPT -A INPUT -i $NETWORK -p tcp --dport 20:21 -j ACCEPT
$IPT -A FORWARD -p tcp --dport 20:21 -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -p tcp --dport 20:21 -j ACCEPT


Still no progress with the FTP thing. Please help me out; FTP connections are not being made.

As I enter an FTP address in IE, it gives me an error:

PAGE CAN NOT BE DISPLAYED.

Looking forward to a reply.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com

Postby mudasir » Tue Dec 04, 2007 12:44 am

AOA,

Please tell me what I should do in order for FTP sites to work behind this script.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com


Postby LinuxFreaK » Tue Dec 04, 2007 8:33 am

Dear mudasir,
Salam,

mudasir wrote: Please tell me what I should do in order for FTP sites to work behind this script.


Allow passive ports in your Firewall Rules.

Best Regards.
Farrukh Ahmed
LinuxFreaK
Site Admin
 
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
ICQ: 82075802
Website: http://www.linuxpakistan.net/wiki/index.php?pagename=LinuxFreak
WLM: f4fahmed@hotmail.com
Yahoo Messenger: f4fahmed@yahoo.com
AOL: linuxpakistan@aol.com
Location: Karachi

Postby kbukhari » Tue Dec 04, 2007 10:06 am

mudasir wrote: AOA,

Please tell me what I should do in order for FTP sites to work behind this script.


Try allowing related packets...
--

Syed Kashif Ali Bukhari

+92-345-8444420

http://sysadminsline.com

http://kashifbukhari.com
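Putting the two replies together, as an added example that is not from the thread: load the FTP conntrack helper under its real module name (ip_conntrack_ftp, or nf_conntrack_ftp on later kernels) and accept RELATED connections on FORWARD, which is what lets both passive and active data connections follow the control session without opening a port range. IPT, MOD, NETWORK and INTERNET follow the script; the run/DRY_RUN wrapper and the CT rule for kernels 4.7+ are this example's additions.

```shell
#!/bin/sh
# Added example, not from the thread: FTP behind the script, done the way
# the two replies suggest (helper loaded, RELATED traffic allowed).
IPT="${IPT:-/sbin/iptables}"
MOD="${MOD:-/sbin/modprobe}"
NETWORK="${NETWORK:-eth0}"
INTERNET="${INTERNET:-eth1}"

# With DRY_RUN set, print each command instead of executing it.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

ftp_rules() {
    # Real module names. Old 2.6 kernels: ip_conntrack_ftp / ip_nat_ftp,
    # later ones: nf_conntrack_ftp / nf_nat_ftp. Try both sets quietly;
    # the nat helper is what rewrites the PORT command for active mode.
    for m in ip_conntrack_ftp ip_nat_ftp nf_conntrack_ftp nf_nat_ftp; do
        run "$MOD" -q "$m" 2>/dev/null
    done

    # Kernels 4.7+ no longer attach helpers automatically: tell conntrack
    # which control connections the ftp helper should watch.
    run "$IPT" -t raw -A PREROUTING -i "$NETWORK" -p tcp --dport 21 \
        -j CT --helper ftp

    # Control connection: LAN clients may open new FTP sessions outbound.
    run "$IPT" -A FORWARD -i "$NETWORK" -o "$INTERNET" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT

    # Data connection: with the helper, both PASV (client -> server high
    # port) and PORT (server:20 -> client) are RELATED to the control
    # session, so no passive port range has to be opened. The script has
    # its stateful ACCEPT only on INPUT/OUTPUT and leaves FORWARD to its
    # policy; make it explicit here, at position 1 so it sits ahead of the
    # INVALID and unmarked-packet DROP rules.
    run "$IPT" -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Usage: sh ftp-rules.sh show (print the commands) or apply (load them).
case "${1:-}" in
    show)  DRY_RUN=1 ftp_rules ;;
    apply) ftp_rules ;;
esac
```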

