
Thread: Anyone an expert in iptables?

  #1
    Master Razor

    Anyone an expert in iptables?

    I'm trying to set up iptables to open FTP access but for some reason it doesn't work.
    I cannot connect to my computer's FTP behind my router from an external location. Port testing always shows it is closed.

    I'm using OpenWRT 12.09-beta r33312 if it matters.

    Full output of /etc/firewall.user
    Code:
    # This file is interpreted as shell script.
    # Put your custom iptables rules here, they will
    # be executed with each firewall (re-)start.
    
    iptables -N ACCEPT_TCP_UDP
    iptables -A ACCEPT_TCP_UDP -p tcp -j ACCEPT
    iptables -A ACCEPT_TCP_UDP -p udp -j ACCEPT
    
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    # Allow anything on local loopback link
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Allow anything on local loopback link (IPv6)
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    
    # Allow TCP
    iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    
    # Allow SSH
    iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED --dport 22 -j ACCEPT
    
    # Allow FTP
    iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20:65535 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    Also looking for any tips for securing my router if you can give any, via iptables of course.

    Thank you!
    Last edited by Instab; 22.04.17 at 16:07. Reason: title fix

  #2
    anon (Moderator)
    Firstly, /etc/firewall.user is for special needs that can't be covered by /etc/config/firewall; you shouldn't use it as a general-purpose rule list.

    Secondly, I flashed the exact same build you're using in a spare TL-MR3020 router, and all I needed to do to get FTP working was adding these two rules (10.0.0.2 is the LAN address of the computer running the server):

    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20 -j ACCEPT
    The /etc/network/firewall equivalent of that would be as follows, and if you have LuCI installed, you can add them via Network -> Firewall -> Port Forwards.

    Code:
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '21'
            option dest_ip '10.0.0.2'
            option dest_port '21'
            option name 'FTP'
    
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '20'
            option dest_ip '10.0.0.2'
            option dest_port '20'
            option name 'FTP data'
    If it still doesn't work, make sure you've got the FTP module for netfilter (which does layer 7 NAT and dynamically forwards ports for passive mode) up and running:

    Code:
    root@OpenWrt:/# lsmod | grep ftp
    nf_nat_ftp               976  0
    nf_conntrack_ftp        4416  1 nf_nat_ftp
    nf_nat                 10256  4 nf_nat_irc,nf_nat_ftp,ipt_MASQUERADE,iptable_nat
    nf_conntrack           38208 12 nf_nat_irc,nf_conntrack_irc,nf_nat_ftp,nf_conntrack_ftp,ipt_MASQUERADE,iptable_nat,nf_nat,xt_conntrack,xt_CT,xt_NOTRACK,xt_state,nf_conntrack_ipv4
    With regards to security, the old advice "only open the ports you really need" is good, and port knocking is an interesting idea to add an extra layer of protection.
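To make the relationship between the UCI redirect sections and the iptables rules in this post concrete, here is an added example (not OpenWrt's own code) that parses such sections and emits the matching nat DNAT rule plus the forward ACCEPT rule. The chain names zone_<src>_prerouting and zone_<src>_forward are assumed from the post's naming, and treating option enabled '0' as a disable switch is also an assumption of this example.

```python
import shlex

# Constructed input: the FTP control-port redirect exactly as posted above.
SAMPLE_UCI = """
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp'
        option src_dport '21'
        option dest_ip '10.0.0.2'
        option dest_port '21'
        option name 'FTP'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value})."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # keeps 'FTP data' as one value
        if not words:
            continue
        if words[0] == "config":
            sections.append((words[1], {}))
        elif words[0] == "option" and sections:
            sections[-1][1][words[1]] = words[2] if len(words) > 2 else ""
    return sections

def redirect_to_iptables(opts):
    """One DNAT redirect -> the nat DNAT rule plus the forward ACCEPT rule.
    Chain names are assumed; enabled '0' is honoured as a disable switch (assumed)."""
    if opts.get("target") != "DNAT" or opts.get("enabled", "1") == "0":
        return []
    src, proto = opts.get("src", "wan"), opts.get("proto", "tcp")
    sport, dip = opts["src_dport"], opts["dest_ip"]
    dport = opts.get("dest_port", sport)  # dest_port defaults to the WAN-side port
    return [
        f"iptables -t nat -A zone_{src}_prerouting -p {proto} --dport {sport} "
        f"-j DNAT --to-destination {dip}:{dport}",
        f"iptables -A zone_{src}_forward -d {dip}/32 -p {proto} -m {proto} "
        f"--dport {dport} -j ACCEPT",
    ]

def translate(text):
    """All enabled DNAT redirects in a firewall config, as iptables commands."""
    rules = []
    for kind, opts in parse_uci(text):
        if kind == "redirect":
            rules.extend(redirect_to_iptables(opts))
    return rules
```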


  #3
    Instab (Moderator)
    Quote Originally Posted by anon View Post
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 21 -j ACCEPT
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20 -j ACCEPT
    This has no effect unless you have another rule down below that actually handles the "zone_wan_forward" entries. It also requires that all outgoing traffic is allowed.
    Further, you can combine this into a single rule:
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20:21 -j ACCEPT

    And as a last thing, I changed the topic name because this is general Linux stuff, i.e. not related to OpenWRT in particular.


  #4
    anon (Moderator)
    Quote Originally Posted by Instab View Post
    This has no effect unless you have another rule down below that actually handles the "zone_wan_forward" entries. It also requires that all outgoing traffic is allowed.
    OpenWrt takes care of both by default.

    Quote Originally Posted by Instab View Post
    Further, you can combine this into a single rule:
    Good point, thanks.


  #5
    Master Razor
    It works! Thank you so much!

    I've always thought iptables were in the form of
    Code:
    iptables -A zone_wan_forward -d 10.0.0.2/32 -p tcp -m tcp --dport 20:21 -j ACCEPT
    What is this kind of config called? Is it only used by OpenWRT? I've never seen it anywhere else.
    Code:
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '21'
            option dest_ip '10.0.0.2'
            option dest_port '21'
            option name 'FTP'
    
    config redirect
            option target 'DNAT'
            option src 'wan'
            option dest 'lan'
            option proto 'tcp'
            option src_dport '20'
            option dest_ip '10.0.0.2'
            option dest_port '20'
            option name 'FTP data'
    Also, regarding the /etc/firewall.user file, should it be empty? I don't remember what entries were default and what were added by me.

  #6
    Master Razor
    I'd like to ask, if I open a port in a firewall but no application is listening on that port, is it still considered open? From what I know a port is open when it is opened in the firewall and an application listens on the port.

  #7
    anon (Moderator)
    Quote Originally Posted by Master Razor View Post
    What is this kind of config called? Is it only used by OpenWRT? I've never seen it anywhere else.
    It's a UCI configuration file.

    https://wiki.openwrt.org/doc/uci

    When combined with LuCI, it makes it much friendlier to set up the firewall. Knowing iptables' syntax has its benefits, of course, if you need to script rules (e.g. for port knocking) or create temporary ones.

    Quote Originally Posted by Master Razor View Post
    Also, regarding the /etc/firewall.user file, should it be empty? I don't remember what entries were default and what were added by me.
    It's empty by default (besides the comments at the top).

    Quote Originally Posted by Master Razor View Post
    I'd like to ask, if I open a port in a firewall but no application is listening on that port, is it still considered open? From what I know a port is open when it is opened in the firewall and an application listens on the port.
    Seen from the outside, your ports can have three possible states:
    • open: connection attempts are successful.
    • closed: connection attempts fail, and an ICMP message saying the port is closed is received.
    • unknown: connection attempts fail, and no reply whatsoever is received. Indistinguishable from connecting to a non-forwarded port or an offline host.

    With the port forwarding in place, if your FTP server is running, the ports will be seen as open. If it's not, they'll be seen as unknown. Making them explicitly show up as closed requires some iptables rule that does -j DROP, but for an Internet-facing server, unknown is always the best choice. The less information you give potential attackers, the better.

    Two more security tips:
    • in OpenWrt, uhttpd and dropbear bind to all interfaces by default, which makes them reachable from the outside(!). Make sure to make them bind to the LAN interface only if you haven't done so already.
    • set up a firewall rule to discard ICMP echo requests (ping) received on the WAN interface.
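The three externally visible states described in this post, as an added checker that is not part of the thread: it reports how a single host:port answers a TCP connect (open, closed when a reset comes back, unknown when nothing comes back) and includes a constructed loopback demo so it runs offline. Useful for confirming from the outside that a port forward behaves as intended.

```python
import errno
import socket

def port_state(host, port, timeout=2.0):
    """Classify host:port the way a remote port test sees it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"                 # three-way handshake completed
    except ConnectionRefusedError:
        return "closed"                   # a TCP RST came back: host answered
    except (socket.timeout, TimeoutError):
        return "unknown"                  # silently dropped, or nobody there
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unknown"              # no route: indistinguishable from a drop
        raise

def demo_local():
    """Constructed demo: one listening port and one port nobody listens on."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))       # port 0: kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                         # freed again, so connects get a RST
    try:
        return (port_state("127.0.0.1", open_port),
                port_state("127.0.0.1", closed_port))
    finally:
        listener.close()

if __name__ == "__main__":
    print(demo_local())
```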


  #8
    Master Razor
    New issue... Is there any way to disable a rule/redirect in /etc/config/firewall?
    I tried for redirects:

    Code:
    option config forward '0'
    This does not output any error but leaves the port open.

    Code:
    option enabled '0'
    This outputs the error "Error: redirect : target must be either DNAT or SNAT, skipping" but seems like it is closing the port.

    Any ideas?
