Liberar FTP

thiagomgt
(usa Debian)

Enviado em 24/06/2008 - 15:44h

Tenho um servidor de ftp instalado localmente na minha maquina, e fiz o direcionamento da porta 2121 (q estou utilizando no ftp) para a minha maquina, aparentemente passa, vejo no programa a chamada (qndo tento acessar d fora, + n consigo carregar), localmente passa normal.. deve ser alguma coisa no firewall q n está deixando passa... Alguem me ajude... Segue o script do firewall..?:::



#!/bin/bash

#########################
# Variaveis do firewall #
#########################

LAN="eth0"
WAN="eth1"
DIR="/etc/firewall"
CAT="/bin/cat"
ECHO="/bin/echo"

BLOCKALL="ips_block_all"
ALLOWALL="ips_allow_all"


###########################
### INICIO DO FIREWALL ####
###########################

firewall_start(){

# Bloq de MSN
iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -p tcp --dport 1863 -j LOG --log-prefix "FIREWALL MSN: "
iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -p tcp --dport 1863 -j REJECT
iptables -A FORWARD -p tcp --dport 1080 -j DROP
iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -p tcp --dport 1080 -j REJECT

# Redirecionar para o servidor FTP
iptables -A INPUT -p tcp --dport 2121 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2121 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.4 -p tcp -d 0/0 --dport 2121 -j ACCEPT
iptables -A OUTPUT -s 192.168.0.1 -p tcp -d 0/0 --dport 2121 -j ACCEPT

###############################
## REGRA PARA BLOQUEIO TOTAL ##
###############################

for n in `$CAT $DIR/$BLOCKALL`
do
iptables -A FORWARD -s $n -j DROP
iptables -A FORWARD -d $n -j DROP
done

## Fim bloq. Total ##


########################
## REGRA ACESSO TOTAL ##
########################

for n in `$CAT $DIR/$ALLOWALL`
do
iptables -A FORWARD -s $n -m state --state NEW -j ACCEPT
iptables -A FORWARD -d $n -m state --state NEW -j ACCEPT
done

## Fim acesso total ##

# caixa ##
iptables -t nat -I PREROUTING -i $LAN -p tcp -d 200.201.0.0/16 --dport 80 -j ACCEPT

#### ACESSOS PRIMARIOS #######

iptables -A INPUT -p tcp --dport 2244 -j ACCEPT #SSH
iptables -A INPUT -p tcp --dport 53 -j ACCEPT #DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT #DNS
iptables -A INPUT -p tcp --dport 587 -j ACCEPT #SMTP
iptables -A INPUT -p tcp --dport 110 -j ACCEPT #POP

### ACESSO DA LAN ##############

iptables -A INPUT -i $LAN -p tcp --dport 3128 --syn -j ACCEPT #SQID
iptables -A INPUT -i $LAN -p tcp --dport 25 -j ACCEPT #EMAIL
iptables -A INPUT -i $LAN -p tcp --dport 587 -j ACCEPT #localweb
iptables -A INPUT -i $LAN -p tcp --dport 110 -j ACCEPT #localweb

# Ignora pings
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Proteção contra IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter

# Protege contra synflood
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Proteção contra ICMP Broadcasting
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Bloqueia traceroute
iptables -A INPUT -p udp --dport 33435:33525 -j DROP

# Proteções diversas contra portscanners, ping of death, ataques DoS, etc.
iptables -A INPUT -m state --state INVALID -j DROP

# Abre para a interface de loopback.
# Esta regra é essencial para o KDE e outros programas gráficos funcionarem adequadamente.
iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp --syn -j DROP

echo "O Kurumin Firewall está sendo carregado..."
sleep 1
echo "Tudo pronto!"
sleep 1
}
firewall_stop(){
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
}

case "$1" in
"start")
firewall_start
;;

"stop")
firewall_stop
echo "O kurumin-firewall está sendo desativado"
sleep 2
echo "ok."
;;

"restart")
echo "O kurumin-firewall está sendo desativado"
sleep 1
echo "ok."
firewall_stop; firewall_start
;;
*)
iptables -L -n
esac

thiagomgt
(usa Debian)

Enviado em 24/06/2008 - 15:48h

(faltou eu colocar o nat ai nesse script) + mesmo com ele n passa.....

iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2121 -j LOG --log-prefix "FIREWALL FTP: "
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 2121 -j DNAT --to 192.168.0.4
iptables -t nat -A POSTROUTING -d 192.168.0.4 -j SNAT --to 192.168.0.1