[Iptables] FTP TLS connection time-out


  • UPPERKEES
  • Registered: March 2007
  • Not online
I am setting up an FTP server on my Debian Testing desktop. I have written an iptables ruleset. I took the proftpd.conf settings into account, such as MasqueradeAddress, PassivePorts and the usual port 21. In my iptables I opened these ports together with port 20. The same ports are open in my router's firewall. Before I started with iptables, everything worked fine, both with and without TLS.

Yet the connection fails right after this:
code:
Response:   234 AUTH TLS successful
Status: Initializing TLS...
Error:  Connection timed out
Error:  Could not connect to server


This is my iptables configuration. Tips for FTP are very welcome, but so are other tips for my iptables, because I think it is rather basic.

code:
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
 -A INPUT   -i lo -j ACCEPT
 -A INPUT   ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
 -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
 -A OUTPUT  -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere
 -A INPUT   -p tcp --dport 80 -j ACCEPT
 -A INPUT   -p tcp --dport 443 -j ACCEPT

# Allows FTP connections from anywhere
# The passive ports are also set up
 -A INPUT   -p tcp -m tcp --dport 20:21 -j ACCEPT
 -A INPUT   -p tcp -m tcp --dport 60000:65534 -j ACCEPT  

# Allows SSH connections from anywhere
 -A INPUT   -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
 -A INPUT   -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
 -A INPUT   -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
 -A INPUT   -j REJECT
 -A FORWARD     -j REJECT

COMMIT

  • DiedX
  • Registered: December 2000
  • Last online: 10:27
What about dmesg? It's even in your config :)

DiedX supports the Roland™, Sound Blaster™ and Ad Lib™ sound cards


  • UPPERKEES
  • Registered: March 2007
  • Not online
This is what it shows; nothing useful as far as I can tell. Rebooted and started FileZilla right away.
code:
[   34.227295] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=260 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=240 
[   34.478548] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=260 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=240 
[   34.728103] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=260 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=240 
[   34.928950] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=242 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=222 
[  158.641326] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52 
[  159.641692] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52 
[  161.642735] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52 
[  189.610276] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52 
[  190.611478] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52 
[  192.613933] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
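Added example, not from the thread: a small Python parser for `iptables denied:` LOG lines like the ones above that tallies drops per protocol, destination and destination port and flags any drop that hits port 21, 20 or the passive range, so mDNS noise (the multicast 224.0.0.251:5353 entries above) can be told apart from drops that would actually break FTP. The sample log is constructed: two lines copied from the post plus two invented TCP drops with made-up addresses.

```python
import re
from collections import Counter

# Constructed sample of kernel LOG lines in the format the LOG rule above emits
# (prefix "iptables denied: " followed by KEY=VALUE fields). The two TCP lines
# and the addresses 203.0.113.7 / 192.168.1.34 are invented for the example.
SAMPLE_LOG = """\
[   34.227295] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=260 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=240
[  158.641326] iptables denied: IN=eth0 OUT= MAC= SRC=192.168.1.33 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52
[  201.100000] iptables denied: IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.168.1.34 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=49152 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
[  202.100000] iptables denied: IN=eth0 OUT= MAC= SRC=203.0.113.7 DST=192.168.1.34 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=49153 DPT=60010 WINDOW=65535 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
PREFIX = "iptables denied: "


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None if it is not one."""
    if PREFIX not in line:
        return None
    fields = {}
    for key, val in FIELD_RE.findall(line.split(PREFIX, 1)[1]):
        fields.setdefault(key, val)  # keep the first LEN (IP header), not the UDP payload LEN
    return fields


def summarize(text):
    """Count dropped packets per (proto, dst, dport) so FTP-related drops stand out."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f:
            counts[(f.get("PROTO"), f.get("DST"), f.get("DPT"))] += 1
    return counts


def ftp_related(counts, passive_range=(60000, 65534)):
    """Pick out TCP drops on port 21, port 20 or the passive range: these break FTP."""
    lo, hi = passive_range
    hits = {}
    for (proto, dst, dport), n in counts.items():
        if proto == "TCP" and dport and (dport in ("20", "21") or lo <= int(dport) <= hi):
            hits[(dst, dport)] = n
    return hits


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for key, n in counts.items():
        print(key, n)
    print("FTP-related drops:", ftp_related(counts))
```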

  • UPPERKEES
  • Registered: March 2007
  • Not online
I grabbed a book called 'Linux Firewalls Attack Detection and Response with Iptables, PSAD and Fwsnort' and have now learned a bit more about iptables from it. My config now looks like this, but it still doesn't work. The connection now times out right at the start...

code:
#!/bin/sh
IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
INT_NET=192.168.1.32/28
### Flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
### Load connection-tracking modules
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
echo "[+] Setting up INPUT chain..."
### State tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### Anti-spoofing rules
$IPTABLES -A INPUT ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT " 
$IPTABLES -A INPUT ! -s $INT_NET -j DROP

### ACCEPT/REJECT rules
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $INT_NET --dport 60000:65534 --syn -m state --state NEW -j ACCEPT
### Default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
echo "[+] Setting up OUTPUT chain..."
### State tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 20 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1863 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 5222 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 51413 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 51413 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
### Default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######
echo "[+] Setting up FORWARD chain..."
### State tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### Anti-spoofing rules
$IPTABLES -A FORWARD ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD ! -s $INT_NET -j DROP
### ACCEPT rules
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $INT_NET --dport 20 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
### Default FORWARD LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### NAT rules ######
echo "[+] Setting up NAT rules..."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.46:80
$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.1.46:443
$IPTABLES -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to 192.168.1.46:53
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -j MASQUERADE

###### Forwarding ######
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

[ Edited 17% by UPPERKEES on 26-08-2010 22:58 ]


  • UPPERKEES
  • Registered: March 2007
  • Not online
With nmap from my laptop, ftp-data port 20 is closed... even though it is open in iptables.
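Added example, not from the thread: it parses the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and checks that the advertised address is the MasqueradeAddress and that the port falls inside the PassivePorts range the firewall opens (60000:65534 in the rulesets above). Once the control channel is TLS-encrypted the conntrack FTP helper can no longer read this reply, so the passive range must be opened explicitly, and in passive mode the server listens on one of those ports and never on port 20, which is only the source port of active-mode data connections, so a scan reporting 20 as closed is expected. The MasqueradeAddress value and the sample replies are constructed.

```python
import re

# Assumed proftpd.conf values for this example (the thread names the directives,
# not their values): MasqueradeAddress and the PassivePorts range opened in iptables.
MASQUERADE_ADDRESS = "203.0.113.10"   # constructed public address
PASSIVE_PORTS = (60000, 65534)        # matches --dport 60000:65534 in the rulesets

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Turn a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (ip, port)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, masq=MASQUERADE_ADDRESS, ports=PASSIVE_PORTS):
    """Return the reasons the data connection would fail at the firewall (empty list = OK)."""
    ip, port = parse_pasv(reply)
    problems = []
    if ip != masq:
        problems.append("advertised %s, client will connect there instead of %s" % (ip, masq))
    if not ports[0] <= port <= ports[1]:
        problems.append("port %d outside firewall range %d-%d" % (port, ports[0], ports[1]))
    return problems


if __name__ == "__main__":
    # Constructed replies: correct, advertising the LAN address, and outside the range.
    for r in ("227 Entering Passive Mode (203,0,113,10,234,96).",
              "227 Entering Passive Mode (192,168,1,34,234,96).",
              "227 Entering Passive Mode (203,0,113,10,19,136)."):
        print(r, "->", check_pasv(r) or "OK")
```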