--- /home/cgabriel/fuss-server/firewall.sh 2006-02-01 11:20:49.000000000 +0100
+++ /etc/init.d/firewall.sh 2006-02-08 10:11:05.000000000 +0100
@@ -55,6 +55,10 @@
 echo "Masquerading via $IFACE. Gateway is $SERVERIP, network is $LOCALNET"
+## caricamento moduli kernel per ftp
+modprobe ip_nat_ftp
+modprobe ip_conntrack_ftp
+
 case $1 in
 start|restart|reload|force-reload)
 # Clean all
@@ -100,13 +104,32 @@
 iptables -A services -p tcp --dport 443 -j ACCEPT
 iptables -A services -p tcp --dport 3128 -j ACCEPT
+ iptables -A services -p tcp --dport 21 -m state --state NEW -j ACCEPT
+ iptables -A services -p tcp --dport 20 -m state --state NEW -j ACCEPT
+
 # Chain outbound, for outbound connections
 # when empy nothing is passing, limit as you prefer
 iptables -N outbound
 # iptables -A outbound -m state --state NEW -j ACCEPT # allow all
 iptables -A outbound -p tcp --dport 443 -m state --state NEW -j ACCEPT # allow https
 iptables -A outbound -p udp --dport 123 -m state --state NEW -j ACCEPT # allow NTPDATE query
- iptables -A outbound -p tcp --dport 2628 -m state --state NEW -j ACCEPT # allow dict query
+ iptables -A outbound -p tcp --dport 2628 -m state --state NEW -j ACCEPT # allow dict quer
+
+ # per far passare FTP da una macchina in particolare
+ #
+ #iptables -A outbound -p tcp -s IP_MACCHINA1,IP_MACCHINA2 --dport 21,20 -m state --state NEW -j ACCEPT
+ #
+ # e su quella macchina in particolare aggiungere qualcosa tipo:
+ #
+ # iptables -A OUTPUT -p tcp --dport 20,21 -m owner --owner-uid ! UID_UTENTE -j DROP
+
+ # e' necessario che questa abbia un IP statico!
+ # per far passare FTP da tutte le macchine
+ iptables -A outbound -p tcp --dport 21 -m state --state NEW -j ACCEPT
+ iptables -A outbound -p tcp --dport 20 -m state --state NEW -j ACCEPT
+ # per far fare (consigliato!) ftp solo su di un server specifico, usare
+ #iptables -A outbound -p tcp -d ftp.provinz.bz.it --dport 20,21 -m state --state NEW -j ACCEPT
+ #
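Review bot: The two `modprobe` lines in the first hunk sit above `case $1 in`, so they run on every invocation (`stop` included) and a failed load is never checked — on `start` the script goes on to install the port 21/20 rules added in the second hunk even when the FTP connection-tracking helper those rules depend on for the data channel is missing. Move the calls into the `start|restart|reload|force-reload)` arm and test the status, e.g. `modprobe ip_conntrack_ftp && modprobe ip_nat_ftp || { echo "firewall: cannot load ftp conntrack helpers" >&2; exit 1; }` (ip_nat_ftp depends on ip_conntrack_ftp, so either order is pulled in by modprobe; on later kernels the modules are named nf_conntrack_ftp and nf_nat_ftp). The Italian comment says only "load kernel modules for ftp"; a why-comment such as `## ftp helpers: parse PORT/PASV on the control channel so data connections can be accepted as RELATED` would tell the next maintainer what the helper does and why the rules below assume it — whether the ruleset actually accepts RELATED is not visible in this hunk and should be confirmed. The `case` body continues outside the hunk.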