
#1 2004-08-07 05:44:20

dk
Member
Registered: 2004-04-20
Posts: 106

iptables wget

I used the advice below to set up a firewall. I've noticed that I cannot use wget to download anything from ftp servers. To check, I banged !iptables in /etc/rc.conf and wget works with ftp sites. What do I add to iptables.rules to have wget work with ftp? Or is this like asking how well a screen door would work on a submarine :?
http://bbs.archlinux.org/viewtopic.php?t=2367

@leX wrote:

It's my simple solution for desktops.
1) Start your browser and make a security test at http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2
2) If iptables not installed

pacman -Sy iptables

else go to #3
3) Under root or su go to /etc/iptables

cd /etc/iptables/

4) copy simple_firewall.rules to iptables.rules

cp simple_firewall.rules iptables.rules

Note: IMXO file simple_firewall.rules contain basic predefined firewall rules
5) Add iptables to rc.config to DAEMONS section

DAEMONS = (SOMETHING iptables !SOMETHING)

6) Reboot your linux box.
7) Start your browser and make a security test at http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2 .
8) See the difference.


#2 2004-08-07 09:17:54

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615

Re: iptables wget

dk wrote:

Or is this like asking how well a screen door would work on a submarine :?

Kind of..
First off, ftp is a horrible protocol. Terrible, bad, bad...

ok..now onto the solution...
it depends on the ftp type of the server you are connecting to. Be it passive or active ftp
more info on that here: http://slacksite.com/other/ftp.html

basically, if you are on the client side of a passive ftp connection:
wget  --passive-ftp
then you can just use connection tracking in iptables and it should work...
/sbin/iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
the above inserts the rule into the input table as the first rule..you might want to adjust the location of insertion accordingly...

active ftp ....wow..i wish you luck..

if you have need of active ftp, post again, and I will see if I can recall how to do that..


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2004-08-07 21:07:07

dk
Member
Registered: 2004-04-20
Posts: 106

Re: iptables wget

cactus thanks-

That did the trick. Thanks for the link...great info.


dk


#4 2004-08-07 21:34:59

IceRAM
Member
From: Bucharest, Romania
Registered: 2004-03-04
Posts: 772

Re: iptables wget

Another solution to make FTP-active connections work through iptables:

in /etc/rc.conf

MODULES=(... ip_conntrack_ftp ...)

That should be enough. Use any ftp client in whatever mode you wish (active or passive).
It will keep your computer closed while ftp active connections are not established. Highly efficient.


#5 2004-08-07 23:12:27

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,615

Re: iptables wget

oooh..good one IceRAM.
does it work server side as well, or is it client side specific?




#6 2004-08-07 23:25:46

IceRAM
Member
From: Bucharest, Romania
Registered: 2004-03-04
Posts: 772

Re: iptables wget

ip_conntrack_ftp:
On the client side it is required for active connections (if your default rule for the INPUT Chain is not ALLOW).
On the server side it is required for passive connections (if your default rule for the OUTPUT Chain is not ALLOW).

Conclusion: yes, it works on the server side too.
Extra info on ip_conntrack_ftp (this is quite recent in my mind): http://psi.affinix.com/forums/index.php … f=1&t=1940
(scan the topic, you'll find relevant info inside)

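The two answers above (cactus' ESTABLISHED,RELATED rule and IceRAM's ip_conntrack_ftp module) decide between them which FTP modes get through a default-deny INPUT chain. The following is an added diagnostic, not code from the thread or from Arch: it reads the text of `lsmod` and `iptables -S INPUT`, passed in as arguments, and says whether active, passive, or neither mode will work; the sample outputs at the bottom are constructed.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread: decide which FTP modes work
# behind a default-deny INPUT chain, from the text of `lsmod` and
# `iptables -S INPUT` (passed as arguments, so captured output can be
# checked offline). Module names: ip_conntrack_ftp is the 2.4-era name
# used in the thread, nf_conntrack_ftp the current one.

# 0 if an FTP conntrack helper module is loaded (first column of lsmod).
has_ftp_helper() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# 0 if some INPUT rule accepts the given conntrack state ($1) in the
# iptables -S listing ($2); matches both -m state and -m conntrack forms.
accepts_state() {
    printf '%s\n' "$2" | grep -E '^-A INPUT ' \
        | grep -E -- "--(state|ctstate) [A-Z,]*$1" | grep -q -- '-j ACCEPT'
}

# Prints: all | passive-only | none
# passive: the client opens the data connection, so replies are ESTABLISHED.
# active:  the server opens it towards the client; that inbound SYN is NEW
#          unless the FTP helper, having read the PORT command, marks it RELATED.
ftp_verdict() {
    if ! accepts_state ESTABLISHED "$2"; then
        echo none
    elif accepts_state RELATED "$2" && has_ftp_helper "$1"; then
        echo all
    else
        echo passive-only
    fi
}

# Constructed sample output, shaped like lsmod and iptables -S INPUT.
LSMOD_SAMPLE='Module                  Size  Used by
ip_conntrack_ftp       16384  0
ip_conntrack           65536  1 ip_conntrack_ftp'
IPT_SAMPLE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

ftp_verdict "$LSMOD_SAMPLE" "$IPT_SAMPLE"   # all
```

On a live box run it as root with `ftp_verdict "$(lsmod)" "$(iptables -S INPUT)"`. On kernels from 4.7 on, loading the module alone is not enough: automatic helper assignment is off by default and the helper has to be attached with a CT target rule in the raw table.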

#7 2004-08-10 23:06:36

Michel
Member
From: Belgium
Registered: 2004-07-31
Posts: 286

Re: iptables wget

If you should use shorewall one day (or maybe your own script in /etc/rc.d or so ... ?)

Anyway, shorewall has a file for this where you specify which modules to load at shorewall start-up:

/etc/shorewall/modules

The ftp, irc and another one are present by default, I believe.

