(linux-br) Iptables - ftp somente passivo !

[Mauri Ferrandin]

Pessoal !

Tenho este script de firewall, mas estou tendo problemas com ftp, s� consigo no modo passivo, gostaria que algu�m desse um look. J� tentei de tudo e nada. O que pude notar � que tudo para quando o cliente e o server passam a usar porta diferente da 21.


Abaixo meu script de firewall, os logs, e os m�dulos que est�o carregados.

######## inicio script #######
# Programa iptables
IPTABLES=/usr/sbin/iptables

TABAJARANET=192.168.1.0/24
TABAJARANETGW=192.168.1.254

INTGW=200.135.231.250
INTNET=200.135.231.0/24

ALL=0.0.0.0/0

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set default policies for packet entering this box
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

## Faz o Nats
$IPTABLES -t nat -A POSTROUTING -o eth1 -s $LABNET -j SNAT --to $INTGW
$IPTABLES -t nat -A POSTROUTING -o eth1 -s $TABAJARANET -d ! $INTNET -j SNAT --to $INTGW

## Faz nat do que sai pra porta 25
$IPTABLES -t nat -A POSTROUTING -p tcp -o eth1 -s $TABAJARANET -d $INTNET --dport 25 -j SNAT --to $INTGW
$IPTABLES -t nat -A POSTROUTING -p tcp -o eth1 -s $SEGNET -d $INTNET --dport 25 -j SNAT --to $INTGW


# ===============
$IPTABLES -N fdp
$IPTABLES -A fdp -p tcp -s $TABAJARANET --sport 1024: --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A fdp -p tcp -d $TABAJARANET --sport 21 --dport 1024: -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A fdp -p tcp -d $TABAJARANET --sport 20 --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A fdp -p tcp -s $TABAJARANET --sport 1024: --dport 20 -m state --state ESTABLISHED -j ACCEPT

#====================


# Aplica as chains as defchains

$IPTABLES -A FORWARD -j fdp
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FW packet died: "

$IPTABLES -A INPUT -j fdp
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT IN packet died: "
########### fim do firewall


########## logs de um tentativa de ftp apartir do netscape entre 192.168.1.245 e o ftp server 200.135.231.233 ##################
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9344 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9345 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=116 TOS=0x00 PREC=0x00 TTL=63 ID=45985 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9346 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=9347 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45986 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=120 TOS=0x00 PREC=0x00 TTL=63 ID=45987 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9348 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=9349 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=100 TOS=0x00 PREC=0x00 TTL=63 ID=45988 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=9350 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=45989 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=9351 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=83 TOS=0x00 PREC=0x00 TTL=63 ID=45990 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9352 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=45991 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=58 TOS=0x00 PREC=0x00 TTL=63 ID=9353 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth1 OUT=eth3 SRC=200.135.231.233 DST=192.168.1.245 LEN=105 TOS=0x00 PREC=0x00 TTL=63 ID=45992 DF PROTO=TCP SPT=21 DPT=32838 WINDOW=5792 RES=0x00 ACK PSH URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27244 DF PROTO=TCP SPT=32839 DPT=44923 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 22:39:22 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9354 DF PROTO=TCP SPT=32838 DPT=21 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 24 22:39:25 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27245 DF PROTO=TCP SPT=32839 DPT=44923 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 22:39:31 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27246 DF PROTO=TCP SPT=32839 DPT=44923 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 24 22:39:43 IronMaden kernel: IN=eth3 OUT=eth1 SRC=192.168.1.245 DST=200.135.231.233 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27247 DF PROTO=TCP SPT=32839 DPT=44923 WINDOW=5840 RES=0x00 SYN URGP=0
########## fim dos logs ##################

########## modulos carregados ##################
root@IronMaden /root/firewall > lsmod
Module Size Used by Not tainted
ipt_limit 960 2 (autoclean)
ip_conntrack_irc 2432 0 (unused)
ipt_REJECT 2784 0 (unused)
ipt_MASQUERADE 1216 0
ip_nat_irc 2336 0 (unused)
ip_nat_ftp 2912 0 (unused)
ip_conntrack_ftp 3168 0 (unused)
iptable_mangle 2144 0 (autoclean) (unused)
ipt_state 608 7 (autoclean)
iptable_nat 12756 3 (autoclean) [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack 12780 4 (autoclean) [ip_conntrack_irc ipt_MASQUERADE ip_nat_irc ip_nat_ftp ip_conntrack_ftp ipt_state iptable_nat]
ipt_LOG 3104 10 (autoclean)
iptable_filter 1728 1 (autoclean)
ip_tables 10304 10 [ipt_limit ipt_REJECT ipt_MASQUERADE iptable_mangle ipt_state iptable_nat ipt_LOG iptable_filter]
8139too 13440 2 (autoclean)
mii 1088 0 (autoclean) [8139too]
eepro100 17104 1 (autoclean)
3c59x 24968 1 (autoclean)
agpgart 29696 0 (unused)
supermount 57476 2 (autoclean)
loop 7984 0 (autoclean)
lvm-mod 44224 0
usb-uhci 21092 0 (unused)
usbcore 48320 1 [usb-uhci]
ext3 59680 2
jbd 42804 2 [ext3]

--
===========================================================================================================
Professor Mauri Ferrandin - [EMAIL PROTECTED] N�cleo de Inform�tica UNERJ - Centro Universit�rio de Jaragu� do Sul - SC - Brazil
Linux registred user #121834

"E quando todos praguejavam contra o windows, eu usava linux na varanda !"



Assinantes em 24/10/2002: 2227
Mensagens recebidas desde 07/01/1999: 187976
Historico e [des]cadastramento: http://linux-br.conectiva.com.br
Assuntos administrativos e problemas com a lista: mailto:linux-br-owner@;bazar.conectiva.com.br