[Comm] iptables+ftp
From: Nikita Semenov @ 2004-06-04 8:43 UTC
To: Community@altlinux.ru
Hello. For the second day now I've been struggling with this, going round in circles, and I can't get ftp open. Here is my iptables:
#!/bin/bash

INET_IP="195.144.253.5"
INET_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"

#Flush all rules and delete user-defined chains
$IPTABLES -F
$IPTABLES -X

#Policies
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#Specified chains creation: everything arriving on the external interface goes through "inet"
$IPTABLES -N inet
$IPTABLES -A INPUT -i $INET_IFACE -j inet

#loopback paranoia
$IPTABLES -A INPUT -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -i lo -s \! localhost/8 -j REJECT
$IPTABLES -A INPUT -s localhost -j ACCEPT

#Restrictive rules
$IPTABLES -A inet -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
$IPTABLES -A inet -p udp --dport ssh -j ACCEPT
$IPTABLES -A inet -p udp --dport domain -j ACCEPT
$IPTABLES -A inet -p udp --sport domain -j ACCEPT
$IPTABLES -A inet -p tcp --dport domain -j ACCEPT
$IPTABLES -A inet -p tcp --sport domain -j ACCEPT
$IPTABLES -A inet -p tcp --dport http -j ACCEPT
$IPTABLES -A inet -p udp --dport ntp -j ACCEPT
$IPTABLES -A inet -p tcp --dport 21 -j ACCEPT
#Packets of connections we already know, plus connections conntrack marks RELATED
$IPTABLES -A inet -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

#Kill other udp
$IPTABLES -A inet -p udp -d $INET_IP -j REJECT

#Kill other tcp (new connections only: packets with just SYN set)
$IPTABLES -A inet -p tcp --tcp-flags ALL SYN -d $INET_IP -j REJECT
What am I doing wrong? Thanks in advance.
--
Best regards,
Nikita Semenov
System Administrator
InterStep
+7(812)324-8020
nikita@inter-step.ru
ICQ: 3939833
Re: [Comm] iptables+ftp
From: Alexey Morsov @ 2004-06-04 9:03 UTC
To: community
Nikita Semenov wrote:
> Hello. For the second day now I've been struggling with this, going round in circles, and I can't get ftp open. Here is my iptables:
> [...]
> What am I doing wrong? Thanks in advance.
Don't you want to open it in the other direction too (for the replies)?
--
All the best,
System Administrator, ZAO "IK "RIKOM-TRAST"
Alexey Morsov
http://www.ricom.ru
http://www.fondmarket.ru
Re[2]: [Comm] iptables+ftp
From: Nikita Semenov @ 2004-06-04 11:50 UTC
To: Alexey Morsov
Friday, June 4, 2004, 1:03:34 PM, you wrote:
AM> Nikita Semenov wrote:
>> Hello. For the second day now I've been struggling with this, going round in circles, and I can't get ftp open. Here is my iptables:
>> [...]
>> What am I doing wrong? Thanks in advance.
AM> Don't you want to open it in the other direction too (for the replies)?
> $IPTABLES -A inet -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Isn't this enough?
--
Best regards,
Nikita Semenov
System Administrator
InterStep
+7(812)324-8020
nikita@inter-step.ru
ICQ: 3939833
Re: [Comm] iptables+ftp
From: Alexander Vasiliev @ 2004-06-04 12:22 UTC
To: Alexey Morsov
On Fri, Jun 04, 2004 at 03:50:15PM +0400, Nikita Semenov wrote:
>
> > $IPTABLES -A inet -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> Isn't this enough?
>
Have you checked whether the ip_conntrack_ftp module is loaded?
--
Alexander Vasiliev
ZAO "Tascom"
vav@tascom.ru
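The point behind this answer is that `--state ESTABLISHED,RELATED` only covers the FTP data connection if connection tracking has the FTP helper loaded: the helper reads the PORT/PASV exchange on the control connection and marks the resulting data connection RELATED; without it the data connection is plain NEW and falls through to the final REJECT. The script below is an added example, not code from the thread or from ALT Linux, with two offline checks that reproduce this diagnosis on constructed input: one looks for the helper module in lsmod-style text, the other verifies that the ESTABLISHED,RELATED rule in chain `inet` sits above the first REJECT, since iptables matches top-down. The module name `nf_conntrack_ftp`, the sample lsmod lines and the two rule listings are assumptions added for the example; only `ip_conntrack_ftp` and the rules themselves come from the thread.

```bash
#!/bin/bash
# Added example (not from the thread): offline checks for the FTP-helper
# problem. Both functions take text as an argument so they can run on
# constructed input; on a live host pass "$(lsmod)" and "$(iptables-save)".

# The helper was named ip_conntrack_ftp on 2.4/early 2.6 kernels (the
# thread's era); nf_conntrack_ftp is the later name (assumption for newer kernels).
FTP_HELPER_MODULES="ip_conntrack_ftp nf_conntrack_ftp"

# ftp_helper_loaded LSMOD_TEXT
# Exit 0 if either FTP helper module appears at the start of a line of
# lsmod-style output. Without the helper the data connection opened after
# PASV/PORT is classified NEW, never RELATED, so the thread's
# "--state ESTABLISHED,RELATED" rule cannot match it.
ftp_helper_loaded() {
    text="$1"
    for mod in $FTP_HELPER_MODULES; do
        if printf '%s\n' "$text" | grep -q "^${mod}[[:space:]]"; then
            return 0
        fi
    done
    return 1
}

# rule_order_ok RULES_TEXT
# Exit 0 if, in chain "inet", the ESTABLISHED,RELATED accept precedes the
# first REJECT. A REJECT placed earlier would swallow the RELATED data
# connection even with the helper loaded.
rule_order_ok() {
    rules="$1"
    related=$(printf '%s\n' "$rules" | grep -n -e '-A inet .*--state ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    reject=$(printf '%s\n' "$rules" | grep -n -e '-A inet .*-j REJECT' | head -n 1 | cut -d: -f1)
    if [ -z "$related" ]; then
        return 1            # no RELATED rule at all
    fi
    if [ -z "$reject" ]; then
        return 0            # nothing to be ordered against
    fi
    [ "$related" -lt "$reject" ]
}

# --- Constructed sample input (module sizes are made up) ----------------
LSMOD_WITHOUT='Module                  Size  Used by
ip_conntrack           48764  1
iptable_filter          2412  1'

LSMOD_WITH='Module                  Size  Used by
ip_conntrack_ftp        7312  0
ip_conntrack           48764  1 ip_conntrack_ftp
iptable_filter          2412  1'

# The relevant rules from the posted script, in the posted order...
RULES_POSTED='-A inet -p tcp --dport 21 -j ACCEPT
-A inet -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A inet -p udp -d 195.144.253.5 -j REJECT
-A inet -p tcp --tcp-flags ALL SYN -d 195.144.253.5 -j REJECT'

# ...and a deliberately misordered variant for comparison.
RULES_MISORDERED='-A inet -p tcp --dport 21 -j ACCEPT
-A inet -p tcp --tcp-flags ALL SYN -d 195.144.253.5 -j REJECT
-A inet -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Stand-alone run: report both checks for the constructed inputs.
if ftp_helper_loaded "$LSMOD_WITH"; then echo "helper: loaded"; else echo "helper: missing"; fi
if rule_order_ok "$RULES_POSTED"; then echo "rule order: ok"; else echo "rule order: wrong"; fi
```

On the thread's kernel, `modprobe ip_conntrack_ftp` is the whole fix, as the last message confirms. On kernels from 4.7 onwards, loading the module is not enough by itself: automatic helper assignment is disabled by default (`net.netfilter.nf_conntrack_helper = 0`), and the helper has to be attached explicitly to the control port with a rule in the raw table, for example `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`. Binding it to port 21 only is also the safer configuration, because the helper then never parses traffic on other ports.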
Re[2]: [Comm] iptables+ftp
From: Nikita Semenov @ 2004-06-04 13:05 UTC
To: Alexander Vasiliev
Hello.
Thanks, it works now.
Friday, June 4, 2004, 4:22:26 PM, you wrote:
AV> On Fri, Jun 04, 2004 at 03:50:15PM +0400, Nikita Semenov wrote:
>>
>> > $IPTABLES -A inet -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>> Isn't this enough?
>>
AV> Have you checked whether the ip_conntrack_ftp module is loaded?
AV> --
AV> Alexander Vasiliev
AV> ZAO "Tascom"
AV> vav@tascom.ru
--
Best regards,
Nikita Semenov
System Administrator
InterStep
+7(812)324-8020
nikita@inter-step.ru
ICQ: 3939833
ALT Linux Community general discussions