iptables firewall and proFTPd


movEAX_444
02-28-2004, 03:40 PM
This is the setup I want: allow connections to port 21, running proFTPd; on my ftp I want all directories read-only except for one upload folder. How do I allow this?

Right now this is my iptables firewall; I can receive and send DCC files, and I can host an Unreal server (game) on port 7777.


#!/bin/sh

# Simple $IPTABLES based firewall script
#
# Anything-goes on local network
# Local can connect to anywhere on the internet
# Only accept connections to ident, FTP and Xchat DCC
#
#

# Some variables
IPTABLES='/usr/sbin/iptables'
MODPROBE='/sbin/modprobe'

IDENT_PORT=113
FTP_PORT=21
DCC_PORT_RANGE=5000:5010

LAN_RANGE=192.168.1.0/24




if [ "$1" = 'reset' ]
then
    echo -n \* Restoring iptables default settings...
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    echo success
    exit 0
fi



# Load modules
$MODPROBE ipt_conntrack
$MODPROBE ipt_state

# Flush chains
$IPTABLES -F

# Clear any previously user-defined chains
$IPTABLES -X

# Default policy for each chain
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


# User-defined chains
$IPTABLES -N allowed
$IPTABLES -N TCP_chain
$IPTABLES -N UDP_chain
$IPTABLES -N ICMP_chain

# Rules for allowed user-defined chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# Rules for TCP user-defined chain
$IPTABLES -A TCP_chain -p TCP --dport $IDENT_PORT -j allowed
$IPTABLES -A TCP_chain -p TCP --dport $FTP_PORT -j allowed
$IPTABLES -A TCP_chain -p TCP --dport $DCC_PORT_RANGE -j allowed

# Rules for UDP user-defined chain
$IPTABLES -A UDP_chain -p UDP --dport 7777 -j ACCEPT

# Rules for ICMP user-defined chain
$IPTABLES -A ICMP_chain -p ICMP --icmp-type 8 -j DROP # Don't allow pings
$IPTABLES -A ICMP_chain -p ICMP --icmp-type 0 -j ACCEPT # Accept reply if we sent a ping

# Error messages to accept
$IPTABLES -A ICMP_chain -p ICMP --icmp-type 3 -j ACCEPT
$IPTABLES -A ICMP_chain -p ICMP --icmp-type 11 -j ACCEPT
$IPTABLES -A ICMP_chain -p ICMP -j DROP



# INPUT chain

# Rules for LAN
$IPTABLES -A INPUT -p ALL -d localhost -j ACCEPT
$IPTABLES -A INPUT -p ALL -d 192.168.1.6 -j ACCEPT

# Rules for packets coming from the internet
$IPTABLES -A INPUT -p ALL -d My_internet_ip -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -j TCP_chain
$IPTABLES -A INPUT -p UDP -j UDP_chain
$IPTABLES -A INPUT -p ICMP -j ICMP_chain



# OUTPUT chain

# Allow anything from me to me
$IPTABLES -A OUTPUT -p ALL -s localhost -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_RANGE -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s My_internet_ip -j ACCEPT


I can connect to the ftp server, but typing 'ls' or 'dir' just times out.

Another question, how do I kick/ban someone who is downloading from my ftp?

jumpedintothefire
02-28-2004, 08:20 PM
ip_conntrack_ftp needs to be loaded in your modules.

JohnT
02-28-2004, 09:52 PM
Another question, how do I kick/ban someone who is downloading from my ftp?

Make your site password accessible only.

movEAX_444
02-29-2004, 12:11 AM
ip_conntrack_ftp needs to be loaded in your modules.

When I try loading it, I get 'modprobe: Can't locate module ipt_conntrack_ftp'. I am on Slackware 9.1.


Originally posted by JohnT
Make your site password accessible only.

It is already, but there are still times when I want to kick and/or ban someone.

JohnT
02-29-2004, 02:02 AM
You need to load iptables.

movEAX_444
02-29-2004, 12:31 PM
(sorry I am new)

How? I thought it was already loaded, because I can use it and I can load other ipt_* modules except for ipt_conntrack_ftp.

jumpedintothefire
02-29-2004, 01:32 PM
Post the output of "lsmod". Maybe it's compiled into the kernel, or not at all; is it in the /lib/modules/2.4.<ver>/kernel/net/ipv4/netfilter directory?

You may have a config<ver> file in the /boot directory; it has the compile options used for your kernel. Have a look in it for the options used.
sample:
#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_LIMIT=m

Mine are modules; yours are what? Post that section if you're unsure.
Did you compile your own kernel?

movEAX_444
03-01-2004, 05:43 PM
root@zanarkand:/boot# lsmod
Module Size Used by Tainted: P
nvidia 1628576 11 (autoclean)
snd-pcm-oss 37092 0
snd-mixer-oss 12016 1 [snd-pcm-oss]
keybdev 1952 0 (unused)
mousedev 4244 1
hid 21156 0 (unused)
usbmouse 2008 0 (unused)
input 3200 0 [keybdev mousedev hid usbmouse]
snd-emu10k1 60916 1
snd-pcm 56064 0 [snd-pcm-oss snd-emu10k1]
snd-timer 13444 0 [snd-pcm]
snd-hwdep 4864 0 [snd-emu10k1]
snd-util-mem 1136 0 [snd-emu10k1]
snd-page-alloc 6004 0 [snd-emu10k1 snd-pcm]
snd-rawmidi 12640 0 [snd-emu10k1]
snd-seq-device 3904 0 [snd-emu10k1 snd-rawmidi]
snd-ac97-codec 38264 0 [snd-emu10k1]
snd 29956 0 [snd-pcm-oss snd-mixer-oss snd-emu10k1 snd-pcm snd-timer snd-hwdep snd-util-mem snd-rawmidi snd-seq-device snd-ac97-codec]
soundcore 3332 8 [snd]
emu10k1-gp 1352 0 (unused)
gameport 1452 0 [emu10k1-gp]
ohci1394 24200 0 (unused)
ieee1394 42436 0 [ohci1394]
8139too 15240 1
mii 2304 0 [8139too]
crc32 2880 0 [8139too]
uhci 24496 0 (unused)
usbcore 58400 1 [hid usbmouse uhci]
pcmcia_core 40032 0
ide-scsi 9424 0
agpgart 39576 3


I see ip_conntrack_ftp.o.gz in /lib/modules/2.4.22/kernel/net/ipv4/netfilter/

I am using the default kernel from the installation (slackware9.1), my /boot/config file starts out the same as your sample.

jumpedintothefire
03-01-2004, 06:30 PM
---------mine-------
[root@jerry1 jerry]# /sbin/lsmod
Module Size Used by Tainted: P
ppp_async 8320 0 (autoclean)
ppp_generic 24908 0 (autoclean) [ppp_async]
slhc 6220 0 (autoclean) [ppp_generic]
nls_cp437 5088 0 (autoclean)
vfat 11388 0 (autoclean)
fat 36312 0 (autoclean) [vfat]
cramfs 38272 0 (autoclean)
sg 32356 0 (autoclean)
loop 10896 18 (autoclean)
nls_iso8859-1 3456 7 (autoclean)
sis900 14372 1
sr_mod 16248 4 (autoclean)
soundcore 6372 0 (autoclean)
sis 54400 1
sisfb 135668 0 [sis]
agpgart 37888 3
nfsd 74240 8 (autoclean)
lockd 55168 1 (autoclean) [nfsd]
sunrpc 73364 1 (autoclean) [nfsd lockd]
ptserial 54432 0 (autoclean)
pctel 759792 0 (autoclean) [ptserial]
autofs 11684 0 (autoclean) (unused)
ipt_TOS 1824 0 (autoclean)
ipt_MASQUERADE 2720 0 (autoclean)
ipt_LOG 4544 0 (autoclean)
ipt_REJECT 3840 0 (autoclean)
ipt_state 1376 0 (autoclean)
iptable_mangle 2976 0 (autoclean)
ip_nat_irc 3904 0 (unused)
ip_nat_ftp 4608 0 (unused)
iptable_nat 24500 2 [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc 3840 0 [ip_nat_irc]
ip_conntrack_ftp 4992 0 [ip_nat_ftp]
ip_conntrack 26220 4 [ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter 2592 0 (autoclean)
ip_tables 15776 10 [ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]
ide-scsi 9280 2
scsi_mod 105648 3 [sg sr_mod ide-scsi]
ide-cd 29856 1
cdrom 33184 0 [sr_mod ide-cd]
---------------------
I don't see any iptables modules in yours. The modules need to be loaded in a certain order. JohnT nailed it: you don't have the basics covered...
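As an added check that is not part of the thread: a small sh function that reads 2.4-style lsmod output (like the listings pasted above) and reports which of the netfilter modules an iptables-protected FTP server needs are missing, including whether ip_conntrack_ftp is actually registered with ip_conntrack. The sample listing embedded in it is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check 2.4-style `lsmod` output for the
# netfilter modules an iptables-protected FTP server needs, and confirm that
# ip_conntrack_ftp is registered as a user of ip_conntrack (the "[...]" column).
# Pass the lsmod text on stdin; with the argument "nat" also require the NAT
# helper modules a LAN-side setup needs.

# Constructed sample in the format the posters pasted (abbreviated).
SAMPLE_LSMOD='Module Size Used by Tainted: P
ip_conntrack_ftp 3856 0 (unused)
iptable_filter 1644 1 (autoclean)
ipt_state 536 2
ip_conntrack 18120 3 [ip_conntrack_ftp ipt_state]
ip_tables 12288 4 [iptable_filter ipt_state]'

# Usage: printf '%s\n' "$lsmod_text" | check_ftp_modules [nat]
# Prints one line per finding; returns 0 only if nothing is missing.
check_ftp_modules() {
    want="ip_tables iptable_filter ip_conntrack ipt_state ip_conntrack_ftp"
    [ "$1" = nat ] && want="$want iptable_nat ip_nat_ftp"
    text=$(cat)
    rc=0
    for m in $want; do
        # First column is the module name; NR>1 skips the header line.
        if printf '%s\n' "$text" | awk -v m="$m" 'NR>1 && $1==m {f=1} END {exit !f}'; then
            echo "ok      $m"
        else
            echo "MISSING $m"; rc=1
        fi
    done
    # The helper must hang off the tracker, or RELATED never matches FTP data.
    if printf '%s\n' "$text" | awk '$1=="ip_conntrack" && /\[.*ip_conntrack_ftp.*\]/ {f=1} END {exit !f}'; then
        echo "ok      ip_conntrack_ftp is a user of ip_conntrack"
    else
        echo "WARN    ip_conntrack_ftp is not listed as a user of ip_conntrack"; rc=1
    fi
    return $rc
}

printf '%s\n' "$SAMPLE_LSMOD" | check_ftp_modules
```

On a live box, replace the sample with `lsmod | check_ftp_modules`.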

movEAX_444
03-03-2004, 05:48 PM
Okay, I loaded conntrack_ftp. Now users can connect to the FTP but still have the same problem: they cannot list files (localhost works). Do I need to do anything besides just loading conntrack_ftp?

lsmod shows:

Module Size Used by Tainted: P
ip_conntrack_ftp 3856 0 (unused)
ipt_LOG 3384 0 (unused)
iptable_filter 1644 1 (autoclean)
ipt_state 536 2
ipt_conntrack 1112 0 (unused)
ip_conntrack 18120 3 [ip_conntrack_ftp ipt_state ipt_conntrack]
ip_tables 12288 4 [ipt_LOG iptable_filter ipt_state ipt_conntrack]


What does the (unused) mean? Might that be part of the problem?

jumpedintothefire
03-03-2004, 06:24 PM
Where are your clients testing from, the private LAN or the internet?
If from the private LAN, you'll need to load ip_nat_ftp, as the traffic needs to be masq'd before it reaches the public IP...

With the policy of DROP on the OUTPUT chain you may need to allow port 20 outbound.... As a quick test, change the OUTPUT policy to ACCEPT and retest. If that fixes the issue, then you'll need to add some more rules, but let's test first.... OK.

movEAX_444
03-04-2004, 09:50 PM
I forwarded port 20 and added a rule to allow --dport 20 in the TCP_chain.

# Rules for TCP user-defined chain
$IPTABLES -A TCP_chain -p TCP --dport $IDENT_PORT -j allowed
$IPTABLES -A TCP_chain -p TCP --dport $FTP_PORT -j allowed
$IPTABLES -A TCP_chain -p TCP --dport $DCC_PORT_RANGE -j allowed
$IPTABLES -A TCP_chain -p TCP --dport 20 -j allowed

I am testing it using a remote shell. It works perfectly from localhost or without using iptables.

movEAX_444
03-13-2004, 05:22 PM
Anyone?

lsmod shows this:

Module Size Used by Tainted: P
iptable_filter 1644 1 (autoclean)
ip_conntrack_ftp 3856 0 (unused)
ipt_state 536 2
ipt_LOG 3384 0 (unused)
ipt_conntrack 1112 0 (unused)
ip_conntrack 18120 3 [ip_conntrack_ftp ipt_state ipt_conntrack]
ip_tables 12288 4 [iptable_filter ipt_state ipt_LOG ipt_conntrack]


I am NOT using the default FTP port; the port I am using (606) I am forwarding through my router. I can access the ftp fine from localhost, or from another computer on the network using the LAN address (192.168.1.x), but the other computers on the network cannot access the ftp using the network's external address.

Putting this line
$IPTABLES -A INPUT -p ALL -j ACCEPT
makes the FTP work, so I am sure it's a problem with my configuration of iptables.

jumpedintothefire
03-14-2004, 04:19 AM
Having this on a non-standard port would have been nice to know up front. To run ftp on a different port, you need to tell the ip_conntrack_ftp module which port you want to use.

rmmod ip_nat_ftp; rmmod ip_conntrack_ftp
insmod ip_conntrack_ftp ports=21,606
insmod ip_nat_ftp ports=21,606

To make that automatic, edit /etc/modules:
options ip_conntrack_ftp ports=21,606
options ip_nat_ftp ports=21,606

Just to get this straight, you're forwarding port 21 at the router to port 606 on the ftp server? Or the other way around, 606 to 21?
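Putting the two pieces of advice in this thread together (the helper told about the non-standard port, and port-20/RELATED traffic allowed explicitly rather than with a blanket ACCEPT), as an added example that is not the poster's script or anything from proFTPd; FTP_PORT, WAN_IF, the ftp_in chain name and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): a minimal iptables 2.4 rule set for a
# proFTPd server on a non-standard port that leans on the conntrack FTP helper.
# Assumed: FTP_PORT and WAN_IF are yours to set; DRY_RUN=1 only prints commands.

FTP_PORT=${FTP_PORT:-606}
WAN_IF=${WAN_IF:-eth0}
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}

run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# The helper only parses PORT/PASV on control ports it is told about, so a server
# on 606 is invisible to it unless 606 is passed in (21 stays for the default).
load_ftp_helper() {
    run $MODPROBE ip_conntrack
    run $MODPROBE ip_conntrack_ftp ports=21,$FTP_PORT
}

ftp_rules() {
    run $IPTABLES -N ftp_in
    # Control connection: only fresh SYNs, only to the FTP port itself.
    run $IPTABLES -A ftp_in -p tcp --dport $FTP_PORT --syn -m state --state NEW -j ACCEPT
    # Passive-mode data connections arrive on a high port but are RELATED to the
    # tracked control session, so no blanket high-port opening is needed.
    run $IPTABLES -A ftp_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A ftp_in -j DROP
    run $IPTABLES -A INPUT -i $WAN_IF -p tcp -j ftp_in
    # Active mode: the server dials out from port 20. With an OUTPUT policy of
    # DROP that needs an explicit rule, as does tracked return traffic.
    run $IPTABLES -A OUTPUT -o $WAN_IF -p tcp --sport 20 --syn -m state --state NEW,RELATED -j ACCEPT
    run $IPTABLES -A OUTPUT -o $WAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Returns 0 if the generated commands carry the helper port and RELATED handling.
self_check() {
    out=$(DRY_RUN=1; load_ftp_helper; ftp_rules)
    printf '%s\n' "$out" | grep -q "ip_conntrack_ftp ports=21,$FTP_PORT" &&
        printf '%s\n' "$out" | grep -q -- "--dport $FTP_PORT --syn" &&
        printf '%s\n' "$out" | grep -q -- "--state ESTABLISHED,RELATED"
}

# "apply" loads the helper and installs the rules; anything else just self-checks.
if [ "$1" = apply ]; then load_ftp_helper && ftp_rules; else self_check; fi
```

Run it with `DRY_RUN=1 sh script.sh apply` first to read the exact commands before installing them.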

movEAX_444
03-14-2004, 11:45 PM
It works on default port, sweet.

Anyway, on my router I have "606 606" for range port forwarding.

and on /etc/inetd.conf I have this line:
myftpd stream tcp nowait root /usr/sbin/tcpd proftpd

myftpd is this line in /etc/services:
MyFTPd 606/tcp

Did I miss anything? It doesn't seem to work with ports=21,606 for nat_ftp and conntrack_ftp.

jumpedintothefire
03-15-2004, 08:28 AM
Sounds like your router doesn't know 606 is for ftp, which requires special handling.