[oclug] Got the linux proxy to work...but still would like help

Tom Cruickshank tcruicksh at softhome.net
Tue Apr 17 23:35:20 EDT 2001


Hello,
     I apologize for not having sent the firewall rules sooner.

:input DENY
:forward ACCEPT
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i eth1 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
-A input -s 10.100.100.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -i eth0 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1024:5999 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 80:80 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1220:1220 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 554:554 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 7070:7070 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 23:23 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6002:65535 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1024:65535 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 53:53 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 20:20 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 67:68 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1020:1024 -i eth0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1503:1503 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1720:1720 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1731:1731 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 113:113 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -i eth0 -p 6 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -i eth0 -p 17 -j DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 25:25 -i eth0 -p 6 -j ACCEPT
-A forward -s 10.100.100.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

PS: I have absolutely no problems ftping to my server.

Tom




At 08:49 AM 4/17/01 -0400, you wrote:
>Tom:
>
>Michael's right on the money, your firewall rules would really help diagnose
>your problems.  As far as the ssh problem, it is usually an ipchains rule
>issue that prevents connections.  Most ipchains default rules prevent
>connections to/from privileged ports on the firewall/proxy by default, and
>many ssh servers will try to connect to ports 1023 and down a few (depending
>on the number of simultaneous connections required).  1024 and below are
>privileged ports, and must be explicitly opened for traffic.
>
>The following ADDITIONAL ssh rules should help:
>
>SSH_PORTS="1020:1023"          # four concurrent outbound ssh sessions allowed
>ANYWHERE="any/0"               # 0.0.0.0/0
>EXTIF="eth0"                   # modify as needed
>IPADDR="your.ext.ip.addr"      # available via ifconfig / sed / awk
>
># ssh privileged port response packets
># "! -y" matches only packets without SYN-only flags, i.e. replies to
># connections we opened, never a new inbound connection attempt
>/sbin/ipchains -A input -i $EXTIF -p tcp ! -y \
>                         -s $ANYWHERE 22 \
>                         -d $IPADDR $SSH_PORTS -j ACCEPT
>
># ssh privileged port request packets
>/sbin/ipchains -A output -i $EXTIF -p tcp \
>                         -s $IPADDR $SSH_PORTS \
>                         -d $ANYWHERE 22 -j ACCEPT
>
>Since typical firewall ipchains rules do not prevent privileged port
>connections to internal machines by default, ssh works on internal machines.
>
>As far as the FTP issues go, with effort you can configure the firewall to
>allow active mode FTP - but you may not want to for security reasons.
>Michael's right about the passive mode setting - it will work fine.  You DO
>have ip_masq_ftp.o module enabled, don't you? Passive mode is more secure
>and simpler to configure.
>
>--
>Bill Strosberg
>_______________________________________________
>oclug mailing list
>oclug at lists.oclug.on.ca
>http://www.oclug.on.ca/mailman/listinfo/oclug
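Added example, not part of either message in the thread: a small auditor for rules in the ipchains-save format posted above. The point it makes is the one the quoted ssh rule relies on: an input-chain ACCEPT for a port range on the external interface without the "! -y" qualifier admits new inbound connections to the firewall itself, not just replies. The script parses the dump, lists the TCP ranges on eth0 that accept new connections, counts the ports involved, and shows the reply-only form of such a rule. The sample rules are constructed from a subset of the posted ones plus one "! -y" rule for contrast; eth0 being the Internet-facing interface is an assumption taken from the post.

```python
"""Audit an ipchains-save dump for input-chain rules that let new (SYN)
TCP connections reach the firewall itself on the external interface.

Added example, not code from the thread. Assumes eth0 is the
Internet-facing interface and that the dump uses ipchains-save syntax:
    -A <chain> -s <src>[/mask] [sport] -d <dst>[/mask] [dport]
       [-i <iface>] [-p <proto>] [! -y] -j <target>
"""
import shlex

EXTERNAL_IF = "eth0"          # assumption: the interface facing the Internet
TCP = ("6", "tcp")            # ipchains-save writes protocol numbers

# Constructed sample: a subset of the posted rules plus one reply-only rule
# (the "! -y" form from the quoted ssh advice) for contrast.
SAMPLE_RULES = """\
:input DENY
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 1024:5999 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 6002:65535 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 2049:2049 -i eth0 -p 6 -j DENY
-A input -s 0.0.0.0/0.0.0.0 22:22 -d 0.0.0.0/0.0.0.0 1020:1023 -i eth0 -p 6 ! -y -j ACCEPT
-A forward -s 10.100.100.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ
"""


def parse_ports(token):
    """'22' -> (22, 22); '1024:5999' -> (1024, 5999); None if not numeric."""
    lo, _, hi = token.partition(":")
    if not lo.isdigit() or (hi and not hi.isdigit()):
        return None
    return int(lo), int(hi or lo)


def parse_rule(line):
    """Return a dict for an '-A' line, or None for policy/blank lines."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "src": None, "dst": None, "sport": None,
            "dport": None, "iface": None, "proto": None, "target": None,
            "syn": "any"}        # "any" | "only" (-y) | "none" (! -y)
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "!" and i + 1 < len(toks) and toks[i + 1] == "-y":
            rule["syn"] = "none"         # matches only non-SYN packets
            i += 2
        elif t == "-y":
            rule["syn"] = "only"         # matches only SYN packets
            i += 1
        elif t in ("-s", "-d") and i + 1 < len(toks):
            addr_key, port_key = ("src", "sport") if t == "-s" else ("dst", "dport")
            rule[addr_key] = toks[i + 1]
            i += 2
            # an optional port or port range follows the address
            if i < len(toks) and parse_ports(toks[i]) is not None:
                rule[port_key] = parse_ports(toks[i])
                i += 1
        elif t in ("-i", "-p", "-j") and i + 1 < len(toks):
            rule[{"-i": "iface", "-p": "proto", "-j": "target"}[t]] = toks[i + 1]
            i += 2
        else:
            i += 1                       # ignore flags this audit does not model
    return rule


def exposed_syn_ranges(dump, ext_if=EXTERNAL_IF):
    """Destination port ranges on ext_if where a new inbound TCP connection
    to the firewall itself would be ACCEPTed (no '! -y' qualifier)."""
    ranges = []
    for line in dump.splitlines():
        r = parse_rule(line)
        if (r and r["chain"] == "input" and r["target"] == "ACCEPT"
                and r["iface"] == ext_if and r["proto"] in TCP
                and r["syn"] != "none"):
            ranges.append(r["dport"] or (0, 65535))
    return ranges


def exposed_port_count(dump, ext_if=EXTERNAL_IF):
    """Number of distinct destination ports open to new inbound connections."""
    ports = set()
    for lo, hi in exposed_syn_ranges(dump, ext_if):
        ports.update(range(lo, hi + 1))
    return len(ports)


def reply_only(line):
    """Rewrite an ACCEPT rule so it admits only packets of connections the
    firewall opened: insert '! -y' before the target, as the ssh rule does."""
    head, sep, tail = line.rpartition(" -j ")
    if not sep or " -y" in head:
        return line
    return f"{head} ! -y -j {tail}"


if __name__ == "__main__":
    for lo, hi in exposed_syn_ranges(SAMPLE_RULES):
        print(f"new inbound TCP accepted on {EXTERNAL_IF} ports {lo}-{hi}")
    print(exposed_port_count(SAMPLE_RULES), "ports reachable from outside")
    for line in SAMPLE_RULES.splitlines():
        r = parse_rule(line)
        if r and r["dport"] and r["target"] == "ACCEPT" and r["syn"] == "any":
            print("reply-only form:", reply_only(line))
```

Run against the full dump posted above, the two wide ranges (1024:5999 and 6002:65535) are the ones to look at: any daemon listening on an unprivileged port of the firewall is reachable from eth0, whereas the reply-only form still lets outbound connections from the firewall get their answers.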