
Check my rc.firewall

Posted on 2004-10-10
Last Modified: 2010-04-22
Can you guys check whether my firewall script below is correct? I mean, how about the structure? Is the structure correct? Thanks.


#!/bin/sh

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="212.111.124.210"   # <- my static ip

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external)
# interface to be the given IP. If you have a dynamic IP
# address or a DHCP IP that changes semi-regularly, comment out
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#
$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 212.111.124.210
#$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE


# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51.
# Anything incoming over your $INT through your gateway will
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51

$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 3000 -j DNAT --to-destination 212.111.124.210
$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 21 -j DNAT --to-destination 212.111.124.210

$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210
$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210

# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT

$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If you wish to
# enable SSH access from anywhere, uncomment the second line only.
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Lets do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently.
# We don't like that netbios stuff, and it's way too
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall
# so we don't get silent drops.
$IPT -A INPUT -j dropwall
Question by:ftpfreak
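The firewall, dropwall and badflags chains above only DROP after a rate-limited LOG, so whatever the rule set catches ends up in the kernel log. Below is an added example, not part of ftpfreak's script: a POSIX sh/awk reader for those log lines that groups hits by chain prefix and source address, and lists sources that were logged against more than a threshold of distinct destination ports. The log lines are constructed (RFC 5737 addresses) in the shape iptables LOG produces. One detail it has to handle: `--log-prefix Firewall:` has no trailing space, so the prefix is glued to the `IN=` field and a purely field-based parser would miss it.

```shell
#!/bin/sh
# Added example, not part of the thread's script. Reads iptables LOG lines
# produced by the firewall/dropwall/badflags chains and summarizes them.

# Constructed sample kernel log (RFC 5737 addresses; not real traffic).
# Note "Dropwall:IN=": the chains log with no trailing space in the prefix.
SAMPLE_LOG='Oct 14 21:20:01 gw kernel: Dropwall:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=TCP SPT=43210 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 21:20:02 gw kernel: Dropwall:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=2 PROTO=TCP SPT=43211 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 21:20:02 gw kernel: Badflags:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=3 PROTO=TCP SPT=43212 DPT=21 WINDOW=1024 RES=0x00 SYN FIN URGP=0
Oct 14 21:20:05 gw kernel: Firewall:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=4 PROTO=ICMP TYPE=13 CODE=0 ID=99 SEQ=1
Oct 14 21:20:07 gw kernel: Dropwall:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=5 PROTO=TCP SPT=43213 DPT=3000 WINDOW=1024 RES=0x00 SYN URGP=0
Oct 14 21:20:09 gw kernel: eth0: link is up'

# summarize_drops < log  ->  "<count>\t<chain>\t<src>", most frequent first
summarize_drops() {
    awk '
    /kernel: .*(Firewall|Dropwall|Badflags):/ {
        # the prefix runs straight into IN=..., so cut it out by regex, not by field
        match($0, /(Firewall|Dropwall|Badflags):/)
        chain = substr($0, RSTART, RLENGTH - 1)
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
        if (src != "") count[chain "\t" src]++
    }
    END { for (k in count) print count[k] "\t" k }' | sort -rn
}

# scan_suspects THRESHOLD < log  ->  "<src> <distinct ports>" for every source
# logged against more than THRESHOLD distinct destination ports.
# ICMP entries carry no DPT= and are ignored here.
scan_suspects() {
    awk -v thr="${1:-2}" '
    /kernel: .*(Firewall|Dropwall|Badflags):/ {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] > thr) print s, ports[s] }'
}

# Stand-alone run against the constructed sample; on a live gateway pipe
# /var/log/kern.log (or wherever klogd writes) into the functions instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 2
```

On the sample, the summary puts Dropwall/198.51.100.7 on top with three hits, and the scan check reports that source with four distinct ports; the ICMP line lands under Firewall but contributes no port.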

Expert Comment

by:sykat
ID: 12276447
Hi,

Yes, it's quite easy and it'll work.

Thanx.

Author Comment

by:ftpfreak
ID: 12283430
But after I activate it, my LAN cannot get internet sharing... seems something is wrong with my rc.firewall structure...

Expert Comment

by:ahoffmann
ID: 12295119
> ..  script below is correct
No, 'cause the -o option requires a NIC, not an IP.
But I assume that it is the wrong question; it should be: is the script below useful (or similar)? Then the answer is no.
I'd use:
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

your internet from LAN is not reachable 'cause of:
$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 212.111.124.210
#$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE
change to
#$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 212.111.124.210
 $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    # assuming that eth0 is your $INT

then check following (see my comment about eth0):
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT

I'm not sure what these should do, sounds useless:
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

Also your SNAT and DNAT rules are useless.



Author Comment

by:ftpfreak
ID: 12304669
If SNAT and DNAT are useless and I remove these:
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

my script after I remove some lines will be as below, so how about port forwarding?

#!/bin/sh

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="eth0"   # <- my static ip

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external)
# interface to be the given IP. If you have a dynamic IP
# address or a DHCP IP that changes semi-regularly, comment out
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#

$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE


# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

#$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 3000 -j DNAT --to-destination 212.111.124.210
#$IPT -t nat -A PREROUTING -p tcp -i $INT --dport 21 -j DNAT --to-destination 212.111.124.210

#$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210
#$IPT -t nat -A POSTROUTING -o $INT -s 212.111.124.210 -j SNAT --to-source 212.111.124.210

# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
$IPT -A INPUT -i eth0 -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT

#$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 3000 -j ACCEPT
#$IPT -A FORWARD -s 0.0.0.0/0 -d  $INT -p tcp --destination-port 21 -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall




Author Comment

by:ftpfreak
ID: 12304680
I just want to open certain ports: ntop on port 3000, which I installed on the Linux router, and port 80 and port 21 for my web server and FTP server in the LAN...

Is this script good enough? Is this script good for a server?
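An added example, not a script from this thread or from any of its posters: the gateway layout ftpfreak describes (ntop on port 3000 on the router itself, 80 and 21 forwarded to a LAN server) written as POSIX sh. The interface names eth0/eth1 and the LAN server address 10.1.1.51 are assumptions. It refuses an IP where `-i`/`-o` need a NIC name (the error ahoffmann points out), pairs every DNAT with the FORWARD ACCEPT that a DROP policy otherwise needs, and with DRY_RUN=1 only prints the rules, so the structure can be reviewed on a box without iptables or root.

```shell
#!/bin/sh
# Added example, not the thread's script. Assumed layout (all constructed):
#   eth0 = public NIC, eth1 = LAN NIC, 10.1.1.51 = LAN web/ftp server.
# DRY_RUN=1 (the default here) prints each rule instead of loading it.
DRY_RUN="${DRY_RUN:-1}"

# -i/-o expect an interface *name*; an IPv4 literal there is the mistake
# discussed in the thread. Returns 0 for a plausible NIC name, 1 otherwise.
is_iface_name() {
    case "$1" in
        '' | *.*.*.*) return 1 ;;         # empty, or a dotted quad
        *[!A-Za-z0-9_.:-]*) return 1 ;;   # characters no NIC name carries
        *) return 0 ;;
    esac
}

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# gen_rules PUB_IF LAN_IF LAN_SERVER
gen_rules() {
    pub="$1"; lan="$2"; srv="$3"
    is_iface_name "$pub" || { echo "public interface must be a NIC name, got '$pub'" >&2; return 1; }
    is_iface_name "$lan" || { echo "LAN interface must be a NIC name, got '$lan'" >&2; return 1; }

    ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Traffic to the router itself: loopback, replies, anything from the LAN,
    # and ntop on 3000 from outside (an admin UI; narrow -s to your own range).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$lan" -j ACCEPT
    ipt -A INPUT -i "$pub" -p tcp --dport 3000 -m state --state NEW -j ACCEPT

    # Port forwarding: the DNAT rewrites the destination, but with FORWARD
    # policy DROP the forwarded packet still needs its own ACCEPT.
    for port in 80 21; do
        ipt -t nat -A PREROUTING -i "$pub" -p tcp --dport "$port" -j DNAT --to-destination "$srv"
        ipt -A FORWARD -i "$pub" -o "$lan" -d "$srv" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # LAN to internet: masquerade out of the public NIC (a name, not an IP).
    ipt -t nat -A POSTROUTING -o "$pub" -j MASQUERADE
    ipt -A FORWARD -i "$lan" -o "$pub" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FTP data connections are what makes port 21 hard: the conntrack/NAT
    # FTP helper must be loaded for RELATED to match them.
    if [ "$DRY_RUN" != "1" ]; then
        modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp 2>/dev/null || true
    fi
}

# Stand-alone use: sh gateway.sh eth0 eth1 10.1.1.51   (DRY_RUN=0 to load)
if [ $# -eq 3 ]; then
    gen_rules "$1" "$2" "$3"
fi
```

Run it with `DRY_RUN=1 sh gateway.sh eth0 eth1 10.1.1.51` to read the generated rules; passing the static IP in place of `eth0` makes it stop before touching anything.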

Author Comment

by:ftpfreak
ID: 12307712
Sir, I found a script which is similar to my script. I just try to open port 21... At the end of this script, how do I do port forwarding to the internal LAN? I'm no good at manipulating it... I also tried to scan open ports using this firewall script, and the status said, OPEN PORT AND UNSECURED..... How do I make the port secure in this script even though the port is actually open? Do you think this script is good?

#!/bin/sh

IPTABLES=/sbin/iptables

DENY_PING="0"
DENY_REDIRECT="0"
BANNED=""
LOGGING="--log-level=5 -m limit --limit 3/minute --limit-burst 3 --log-tcp-sequence"
SYNRATE="-m limit --limit 4/second --limit-burst  10"
PUB_IF="eth0"
PRIV_IF="eth1"
PRIVX_IF="eth2"
LOCAL_SERVICES_TCP="21"
LOCAL_SERVICES_UDP=""
TCP_NO_LOG_DROP="137 138 139 445"       #NOTE: TCP ONLY!
UDP_NO_LOG_DROP="137 138 139 445"       #NOTE: UDP ONLY!


##############################################################################
# Begin Script Status Checks                                                 #
# These test that iptables executable is on the system, and user is logged   #
# in as r00t.                                                                #
##############################################################################
# Abort with a message; the script calls die but never defined it.
die() {
  echo "$1" >&2
  exit 1
}
if [ ! -x "$IPTABLES" ]; then
  die "Fatal Error: Cannot execute IPTABLES ($IPTABLES)"
fi
# $UID is bash-only; id -u also works under /bin/sh.
if [ "$(id -u)" != "0" ]; then
  die "Fatal Error: You MUST be r00t to run this script!"
fi



##############################################################################
# Reset IPTABLES to a "blank page". (delete everything)                      #
##############################################################################
$IPTABLES -F           #delete all rules in all chains
$IPTABLES -X           #delete all user defined chains
$IPTABLES -F INPUT     #get rid of existing rules currently running (INPUT)
$IPTABLES -F OUTPUT    #get rid of existing rules currently running (OUTPUT)
$IPTABLES -F FORWARD   #get rid of existing rules currently running (FORWARD)
$IPTABLES -t filter -F #delete all rules in filter table
$IPTABLES -t filter -X #delete user defined chains in filter table
$IPTABLES -t nat -F    #delete all rules in NAT Table
$IPTABLES -t nat -X    #delete user defined chains in nat table
$IPTABLES -t mangle -F #delete all rules in mangle table




##############################################################################
# Set restrictive default policy                                             #
# What we do here is tell the FW "nothing can get through unless i allow it" #
# This allows for much tighter security. I would advise you not to change    #
# these default settings without good reason.                                #
##############################################################################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT


##############################################################################
# Block ALL ICMP echo requests?                                              #
# This will help your machine avoid detection by the average script kiddie.  #
# If set to 1, "pings" will be ignored.                                      #
##############################################################################
if [ "$DENY_PING" = "1" ]; then
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
else
  echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
fi


# Accept ICMP redirect messages?
################################
if [ "$DENY_REDIRECT" = "1" ]; then
  echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
  echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
fi

# Disable ICMP send_redirect
############################
if [ -e /proc/sys/net/ipv4/conf/all/send_redirects ]; then
  for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo "1" > $interface
  done
fi


# ICMP Broadcasting protection (smurf amplifier protection)
###########################################################
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
  echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
fi


# Allow Packetforwarding
###########################################################
echo 1 > /proc/sys/net/ipv4/ip_forward


##############################################################################
# SYN Flood Protection                                                       #
# Here we attempt to control the maxium number of inbound connections so as  #
# to help prevent a Denial Of Service Situation. We also enable SYNCOOKIES.  #
##############################################################################
if [ -f /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo "1" > /proc/sys/net/ipv4/tcp_syncookies
fi
$IPTABLES -N SYN_FLOOD
$IPTABLES -A SYN_FLOOD -p tcp --syn $SYNRATE -j RETURN
$IPTABLES -A SYN_FLOOD -p ! tcp -j RETURN
$IPTABLES -A SYN_FLOOD -p tcp ! --syn -j RETURN
$IPTABLES -A SYN_FLOOD -j LOG --log-prefix "IPT: SYN_FLOOD/SYN SCAN: " $LOGGING



##############################################################################
# TCP Flag Checking                                                          #
# We look for invalid combinations of flags set on TCP packets, if any are   #
# found we log the packet and drop it. To do this, we create a TCPINV        #
# table, whose purpose is to log and drop packets passed to it. We also      #
# create a table called TCPINV_CHK, whose purpose is to check first if       #
# incoming datagrams have valid flags set. if not pass to TCPINV.            #
##############################################################################
$IPTABLES -N TCPINV
$IPTABLES -A TCPINV -j LOG --log-prefix "IPT: Invalid TCP: " $LOGGING
$IPTABLES -A TCPINV -j DROP

$IPTABLES -N TCPINV_CHK
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ACK,FIN FIN -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ACK,PSH PSH -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ACK,URG URG -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags FIN,RST FIN,RST -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags SYN,FIN SYN,FIN -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags SYN,RST SYN,RST -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL ALL -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL NONE -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL FIN,PSH,URG -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j TCPINV
$IPTABLES -A TCPINV_CHK -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j TCPINV



##############################################################################
# Connections to drop without logging.                                       #
# Port list from NO_LOG_DROP. If we dont have the specified port open, and   #
# connection attempt is flagged ok, not part of a syn flood etc, we will drop#
# the packet without logging it. Useful for conserving log space. I tend not #
# to bother logging connections to the NETBIOS ports due to the amount of    #
# worms currently circulating the internet that use 137:139 445.             #
##############################################################################
$IPTABLES -N TCP_NO_LOG_DROP
if [ "$TCP_NO_LOG_DROP" != "" ]; then
 for port_num in $TCP_NO_LOG_DROP; do
  $IPTABLES -A TCP_NO_LOG_DROP -p tcp --dport $port_num -j DROP
 done
fi
$IPTABLES -N UDP_NO_LOG_DROP
if [ "$UDP_NO_LOG_DROP" != "" ]; then
 for port_num in $UDP_NO_LOG_DROP; do
  $IPTABLES -A UDP_NO_LOG_DROP -p udp --dport $port_num -j DROP
 done
fi




##############################################################################
# Banned IP's                                                                #
# Looking at the "Banned" variable, we drop all trafic from known "bad"      #
# hosts, who wish our network harm. BANNED_CHK is responsible for checking   #
# if a host is banned, and BANNED_ACT logs and drops packets. If the BANNED  #
# variable is blank, we do not create the rule. This helps boost efficiency. #
##############################################################################
if [ "$BANNED" != "" ]; then
 $IPTABLES -N BANNED_ACT
 $IPTABLES -A BANNED_ACT -j LOG --log-prefix "IPT: BANNED IP: " $LOGGING
 $IPTABLES -A BANNED_ACT -j DROP
 $IPTABLES -N BANNED_CHK
 for blockip in $BANNED; do
  $IPTABLES -A BANNED_CHK -s $blockip -j BANNED_ACT
  $IPTABLES -A BANNED_CHK -d $blockip -j BANNED_ACT
 done
 $IPTABLES -A INPUT -j BANNED_CHK
fi


$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $PUB_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PRIV_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $PRIVX_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -j TCPINV_CHK
$IPTABLES -A INPUT -j SYN_FLOOD



##############################################################################
# Allowed Local Services                                                     #
# This section defines services that are world accessable on the local box.  #
##############################################################################
$IPTABLES -N LOCAL_TCP
if [ "$LOCAL_SERVICES_TCP" != "" ]; then
 for openports in $LOCAL_SERVICES_TCP; do
  $IPTABLES -A LOCAL_TCP -p tcp --dport $openports -j ACCEPT
 done
fi

$IPTABLES -N LOCAL_UDP
if [ "$LOCAL_SERVICES_UDP" != "" ]; then
 for openports in $LOCAL_SERVICES_UDP; do
  $IPTABLES -A LOCAL_UDP -p udp --dport $openports -j ACCEPT
 done
fi

$IPTABLES -t nat -A POSTROUTING -o $PUB_IF -j MASQUERADE
$IPTABLES -A FORWARD -i $PRIV_IF -j ACCEPT

$IPTABLES -A INPUT -p tcp -j LOCAL_TCP
$IPTABLES -A INPUT -p udp -j LOCAL_UDP
$IPTABLES -A INPUT -p tcp -j TCP_NO_LOG_DROP
$IPTABLES -A INPUT -p udp -j UDP_NO_LOG_DROP
$IPTABLES -A INPUT -j LOG --log-prefix "IPT: INPUT: " $LOGGING
$IPTABLES -A INPUT -j DROP

Author Comment

by:ftpfreak
ID: 12307870
And here is the nmap result... does the result mean the firewall is secure?

Starting nmap 3.70 ( http://www.insecure.org/nmap ) at 2004-10-14 21:20 Pacific Daylight Time
Initiating SYN Stealth Scan against 212.111.124.210[1660 ports] at 21:20
Discovered open port 21/tcp on 212.111.124.210
SYN Stealth Scan Timing: About 26.47% done; ETC: 21:22 (0:01:23 remaining)
The SYN Stealth Scan took 81.05s to scan 1660 total ports.
Host 212.111.124.210 appears to be up ... good.
Interesting ports on 212.111.124.210:
(The 1659 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
21/tcp open  ftp

Nmap run completed -- 1 IP address (1 host up) scanned in 86.123 seconds

Accepted Solution

by:ahoffmann (earned 50 total points)
ID: 12311543
> .. i found a script which is similar to my script. i just try ..
Hmm, firewalling is not a copy&paste job, nor is it something to "try". You need to know what you do.
I'd suggest that you get used to the concepts of packet filters first, then read man iptables, then decide which ports and permissions you need, and finally set up iptables yourself.
And it's the hard way, but just finding out if port 21 works in dozens of lines is hard too.
Also: port 21 (ftp) is one of the complicated things to do with packet filtering.

Author Comment

by:ftpfreak
ID: 12315789
OK, I will learn... but do you think the script is correct? I mean the structure.

Expert Comment

by:ahoffmann
ID: 12316915
The structure is OK, but see my previous comments.

Expert Comment

by:garak1357
ID: 12393270
You might want to use the code from this firewall as a reference:

https://www.unixpages.com/hls

It is comprehensive and should provide you with the examples you need.