Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 21 Dec 2000 02:31:54 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 21 Dec 2000 02:31:45 -0500 Received: from entropy.muc.muohio.edu ([134.53.213.10]:387 "EHLO entropy.muc.muohio.edu") by vger.kernel.org with ESMTP id ; Thu, 21 Dec 2000 02:31:29 -0500 Date: Thu, 21 Dec 2000 02:00:49 -0500 (EST) From: George To: Michael Rothwell cc: "Michael H. Warfield" , Subject: Re: iptables: "stateful inspection?" In-Reply-To: <3A40DE97.96228B5E@holly-springs.nc.us> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 20 Dec 2000, Michael Rothwell wrote: >"Michael H. Warfield" wrote: >> I think that's more than a little overstatement on your >> part. It depends entirely on the application you intend to put >> it to. > >Fine. How do I make FTP work through it? How can I allow all outgoing >TCP connections without opening the network to inbound connections on >the ports of desired services? /etc/sysctl.conf: # Set local port range to be higher. net.ipv4.ip_local_port_range = 32768 33792 /etc/ftpaccess: passive ports 0.0.0.0/0 32768 36863 Firewall script: ----------------- STDPORT=32768:33792 IP=1.2.3.4/32 # Client FTP ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp-data -y -l ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp-data ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp -y -l ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp # Server FTP ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 ftp-data -d $IP $STDPORT # Needs SYN ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 ftp -d $IP $STDPORT ! -y [now deny all for all chains] Unfortunately, any FTP server that doesn't use port 20 for data streams won't work in Passive mode (oh well). So I just download elsewhere first and then get it locally for browsers that insist upon Passive. For allowing outgoing connections without inbound, you'd use: ipchains -A input -j DENY -p tcp -y or if that complains: ipchains -A input -j DENY -p tcp -s 0.0.0.0/0 -d $IP -y You'll notice above I used '! -y' on the Server FTP rule. If I missed a detail, it might be due to trying to condense everything I have into what you wanted. -George Greer (7,323 and 189 lines in my firewall rule script.) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/