ftp error: 500 invalid port connection


I am trying to access an FTP server. I am able to connect to it with the user name and password. However, when I connect to the server and do a dir I get the following error.
   
C:\Documents and Settings\Admin>ftp XXX.XXX.XXX.XXX
Connected to XXX.XXX.XXX.XXX
220 Microsoft FTP Service
User (XXX.XX.XXX.XXX:(none)): user-name
331 Password required for user-name
Password:
230 User user-name logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.
 
I have a firewall running and I have opened port 21. The entry in iptables is as follows.
 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
 
Answer:
Passive FTP, and the FTP connection-tracking helper

In active mode (the only mode the Windows command-line ftp client speaks) the client sends a PORT command carrying its own address and a port number, and the server opens the data connection back to the client. In passive mode the client sends PASV instead; the server answers with "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the client opens the data connection to that address and port. Since that connection runs in the same direction as the control connection, passive FTP is easier to firewall on the client side, but note that we know even less about the port numbers: the data connection runs between two almost arbitrary high ports.

Enter the ip_conntrack_ftp module. It reads the PORT command and the 227 reply on the control connection and marks the resulting data connection RELATED, so instead of opening high ports for NEW connections we can use RELATED in the state match. For a client doing passive FTP the following rules suffice (for active mode the incoming data connection is the RELATED one, so add RELATED to the INPUT rule as well):

iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

If the client sits behind a NAT firewall (a common reason for the 500 reply above), the PORT command announces the client's private address, which is not the address the server sees on the control connection, and the server refuses it with "500 Invalid PORT Command". The NAT box then also needs the ip_nat_ftp module, which rewrites the address in the PORT command on the way out:

modprobe ip_nat_ftp

ip_nat_ftp depends on ip_conntrack_ftp, so modprobe loads both; on kernels that use nf_conntrack the modules are called nf_conntrack_ftp and nf_nat_ftp.
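To make the address check concrete, here is an added example in Python (not code from the original post, and not how iptables implements the helper): it decodes the h1,h2,h3,h4,p1,p2 encoding that both PORT and the 227 reply use, applies the consistency check a server makes on a PORT command, and shows the rewrite ip_nat_ftp performs for a NATed client. The addresses and ports are constructed; the privileged-port refusal is the usual anti-bounce rule and is an assumption about any particular server.

```python
"""Decode FTP PORT / 227 address encodings, apply the server-side PORT check, and show the
rewrite a NAT FTP helper performs. Added example; not code from the original post."""
import re

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Turn the FTP 'h1,h2,h3,h4,p1,p2' encoding into ('h1.h2.h3.h4', p1*256+p2)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("byte out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Active mode: the client sends 'PORT h1,h2,h3,h4,p1,p2' and the server connects to it."""
    if not line.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(line)


def parse_pasv_reply(line):
    """Passive mode: the server answers '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    and the client connects to it."""
    if not line.startswith("227"):
        raise ValueError("not a 227 reply: %r" % line)
    return decode_hostport(line)


def server_accepts_port(port_line, control_peer_ip):
    """The check an FTP server applies to PORT: the address must be the control
    connection's peer (and, as anti-bounce hardening, the port must be unprivileged).
    A NATed client that announces its private address fails the first test."""
    ip, port = parse_port_command(port_line)
    if ip != control_peer_ip or port < 1024:
        return "500 Invalid PORT Command."
    return "200 PORT command successful."


def nat_rewrite_port(port_line, private_ip, public_ip, mapped_port):
    """What ip_nat_ftp does on the NAT box: replace the private address (and the port it
    has mapped) inside the PORT command before it reaches the server."""
    ip, _port = parse_port_command(port_line)
    if ip != private_ip:
        return port_line
    return "PORT " + encode_hostport(public_ip, mapped_port)


if __name__ == "__main__":
    # Constructed scenario: client 192.168.1.20 behind a NAT box with public address 203.0.113.7.
    raw = "PORT 192,168,1,20,4,1"
    print(raw, "->", server_accepts_port(raw, "203.0.113.7"))
    fixed = nat_rewrite_port(raw, "192.168.1.20", "203.0.113.7", 40001)
    print(fixed, "->", server_accepts_port(fixed, "203.0.113.7"))
    print(parse_pasv_reply("227 Entering Passive Mode (10,0,0,5,195,80)"))
```

Run it and the first PORT line is refused exactly as in the session above, while the rewritten one is accepted; that rewrite is what the NAT helper does for you once ip_nat_ftp is loaded.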


--  

Restricting SSH (port 22) from the external network

If you have a network like the following :

Eth0 =192.168.0.244 ( or public IP )   gateway 192.168.0.254

Eth1 =10.0.0.1

 

Clients on the 10.x network should be able to reach SSH on this box, but clients on the 192.168.0.x side (arriving on eth0) should not. Then do the following:

 

First check /etc/services for port 22 (grep ssh /etc/services) to confirm the port sshd is using.

 

iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited

This rejects SSH connection attempts that arrive on eth0 (the 192.168.0.x side) and leaves eth1 (the 10.x side) untouched. SSH is TCP only, so no UDP rule is needed. Do not try to do this with a nat-table REDIRECT of port 22 to Squid's port 3128: Squid speaks HTTP, not SSH, so that does not block anything, it only turns a clean refusal into a protocol error on the client, and there is nothing to configure in Squid for port 22. The rule is inserted at position 1 because on a ruleset built by system-config-securitylevel the first INPUT rule jumps to RH-Firewall-1-INPUT, and anything appended after that jump is only reached if the custom chain does not accept the packet first.

The same rule with a different --dport blocks other services from the external side in the same way.

 

squid -- denying specific sites to specific IPs

In squid.conf:

# source addresses: a single address, a CIDR range, or several separated by spaces
acl special_client src 192.168.11.0/24
# regexes separated by |, e.g. yahoo\.com|rediff\.com; the last one must not be followed by a |
acl special_url url_regex -i chat\.yahoo\.com
# both acls on the line must match; order matters, so the deny must come before the allow
http_access deny special_client special_url
# "marketing" is another src acl (or whatever address range) defined like special_client
http_access allow marketing

A bare 192.168.11.0 without a mask is one address, not the whole network. url_regex is searched anywhere in the full URL, and an unescaped dot matches any character, so yahoo.com also hits a URL that merely mentions yahoo.com in its path or query string; to block whole sites, dstdomain .yahoo.com .rediff.com (the leading dot covers all subdomains) is the more precise acl. Remember also that when no http_access line matches, Squid applies the opposite of the last line's action, so with "allow marketing" as the last line everyone else is denied.

If there is any confusion while implementing these acls, please feel free to contact us any time.

Cheers!
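As an added example in Python (not Squid's code, and not from the original post), the following reproduces how those acl and http_access lines are evaluated: the unanchored, case-insensitive url_regex search, the dstdomain host comparison, src ranges in CIDR form, and the http_access walk in which the first line whose acls all match decides and, when no line matches, the default is the opposite of the last line's action. The client addresses, URLs and the marketing range are constructed.

```python
"""Evaluate Squid-style acl/http_access lines for sample requests. Added example that
mimics Squid's evaluation rules; it is not Squid code. Inputs are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit


def url_regex(pattern, url, ignore_case=True):
    """Squid url_regex: unanchored search over the whole URL (-i makes it case-insensitive)."""
    return re.search(pattern, url, re.I if ignore_case else 0) is not None


def dstdomain(domains, url):
    """Squid dstdomain: exact host match, or domain plus all subdomains with a leading dot."""
    host = (urlsplit(url).hostname or "").lower()
    for d in domains:
        d = d.lower()
        if d.startswith("."):
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            return True
    return False


# The acls from the post, plus an assumed range for "marketing" (the post leaves it open).
ACLS = {
    "special_client": ("src", ["192.168.11.0/24"]),
    "special_url": ("url_regex", [r"chat\.yahoo\.com|rediff\.com"]),
    "marketing": ("src", ["192.168.12.0/24"]),
}
HTTP_ACCESS = [("deny", ["special_client", "special_url"]), ("allow", ["marketing"])]


def acl_matches(name, client_ip, url, acls=ACLS):
    kind, args = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "url_regex":
        return any(url_regex(a, url) for a in args)
    if kind == "dstdomain":
        return dstdomain(args, url)
    raise ValueError("unsupported acl type %r" % kind)


def http_access(client_ip, url, lines=HTTP_ACCESS, acls=ACLS):
    """First http_access line whose acls all match decides; if none matches, the default
    is the opposite of the last line's action (a final 'allow' line means deny-by-default)."""
    for action, names in lines:
        if all(acl_matches(n, client_ip, url, acls) for n in names):
            return action
    return "deny" if lines[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for ip, url in [("192.168.11.5", "http://chat.yahoo.com/"),
                    ("192.168.11.5", "http://example.org/?q=chat.yahoo.com"),
                    ("192.168.12.5", "http://chat.yahoo.com/")]:
        print(ip, url, "->", http_access(ip, url))
```

The second sample request shows the url_regex over-match: a harmless URL that only mentions chat.yahoo.com in its query string is denied for the special_client range, which dstdomain would not do.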


--

Configuring iptables to Support the Squid Transparent Proxy

Suppose your firewall is connected to the Internet on interface eth0 and to the home network on interface eth1. The firewall is also the default gateway for the home network and handles network address translation for all the network's traffic to the Internet.
If the Squid server and the firewall are the same machine, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port 3128, and then only the firewall itself is allowed out to the Internet on port 80. Squid must be told to expect intercepted connections on that port (http_port 3128 transparent on Squid 2.6/3.0, http_port 3128 intercept on 3.1 and later), otherwise it rejects the redirected requests.
 
[root@squid ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-port 3128
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80
[root@squid ~]# /etc/init.d/iptables save
 
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
 
[root@squid ~]# /etc/init.d/iptables restart
 
This only intercepts port 80, not HTTPS on 443. A TLS session cannot be redirected to Squid this way, since Squid would see only encrypted bytes; intercepting HTTPS needs Squid's TLS interception (SSL bump) with a CA certificate installed on every client, which is a different setup entirely.

Hope this helps.

How to route traffic from another network range, and all HTTP traffic, through this box

I installed CentOS on one PC with two network cards, eth0 and eth1:
eth0 = 192.168.0.244
eth1 = 10.0.0.1
The gateway to the Internet is 192.168.0.254.

So that the 10.x network range could access the Internet I first added a route,
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.254
but this didn't work, so I deleted it.
 
My resolv.conf file looks like this
search linuxbox.com
nameserver 203.199.113.44
nameserver 203.199.113.27
 
So I changed the following in /etc/sysctl.conf:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

and applied it to the running kernel (the /proc file is written to, not edited; sysctl -p, which reloads /etc/sysctl.conf, does the same):

echo 1 > /proc/sys/net/ipv4/ip_forward

Then start iptables and add the following rules:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

The first rule rewrites the source address of everything leaving eth0 to the box's own address; the second lets replies back in to the 10.x side; the third lets the 10.x side open connections outwards. Alternatively, run system-config-securitylevel and enable http and https as trusted services.

Here is my sample iptables configuration file:

########################################################################

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
############################################################

Two things to watch in this file. The lines -A RH-Firewall-1-INPUT -i eth1 -j ACCEPT and -i eth0 -j ACCEPT accept every packet arriving on those interfaces, so the per-port rules under them and the final REJECT are never reached: with the eth0 line in place the box accepts anything from the 192.168.0.x side, and the FORWARD chain, which jumps to the same custom chain, forwards anything in either direction. Remove the eth0 line if the public side is supposed to be filtered. Also, the mangle rules mark packets from both interfaces with 0x9 and POSTROUTING masquerades everything so marked, so new connections entering from eth0 towards the 10.x side are masqueraded too; marking only -i eth1 confines NAT to the LAN-to-Internet direction.

Hope this helps you out.

Now hosts on the 10.x side should be able to ping google.com :-)
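An added example in Python (not part of the page) that checks for exactly this kind of dead rule: it parses iptables-save output such as the file above, copied in as a sample so the script runs offline, and for a given interface lists the rules in a chain that an earlier interface-wide terminating rule makes unreachable. The match options it understands (-i, -p, --dport, --state, -j) are the ones this audit needs; any other option marks the rule as not a simple catch-all.

```python
"""Find iptables rules that an earlier interface-wide terminating rule makes unreachable.
Added example; not part of the page. SAMPLE_FILTER is the page's filter table, copied in
so the script runs offline."""
import shlex

SAMPLE_FILTER = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
TWO_ARG_IGNORED = {"-m", "--reject-with"}  # consumed but irrelevant to this audit


def parse_rule(line):
    """Extract the matches this audit cares about from one '-A chain ...' line; any other
    match option (-s, -d, --icmp-type, --mark, negation ...) sets 'other' so the rule is
    never treated as a simple catch-all."""
    argv = shlex.split(line)
    rule = {"chain": argv[1], "raw": line, "in": None, "proto": None, "dport": None,
            "states": None, "target": None, "other": False}
    i = 2
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok == "-i":
            rule["in"] = nxt
        elif tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = nxt
        elif tok == "--state":
            rule["states"] = nxt.split(",")
        elif tok == "-j":
            rule["target"] = nxt
        elif tok in TWO_ARG_IGNORED:
            pass
        else:
            rule["other"] = True
            i += 1
            continue
        i += 2
    return rule


def parse_iptables_save(text):
    """Return {table: {'policies': {chain: policy}, 'rules': [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table]["policies"][name] = policy
        elif line.startswith("-A "):
            tables[table]["rules"].append(parse_rule(line))
    return tables


def is_catch_all(rule):
    """A terminating rule whose only match, if any, is the input interface."""
    return (rule["target"] in TERMINATING and rule["proto"] is None and rule["dport"] is None
            and rule["states"] is None and not rule["other"])


def unreachable_for_interface(rules, chain, iface):
    """Rules in `chain` that a packet arriving on `iface` can never reach, because an
    earlier catch-all for that interface (or for all interfaces) already decided its fate."""
    dead, decided = [], False
    for rule in (r for r in rules if r["chain"] == chain):
        if rule["in"] not in (None, iface):
            continue  # cannot match this interface at all
        if decided:
            dead.append(rule)
        elif is_catch_all(rule):
            decided = True
    return dead


if __name__ == "__main__":
    rules = parse_iptables_save(SAMPLE_FILTER)["filter"]["rules"]
    for iface in ("eth0", "eth1", "lo"):
        dead = unreachable_for_interface(rules, "RH-Firewall-1-INPUT", iface)
        print("%-4s %2d unreachable rules%s" % (iface, len(dead),
              (", last: " + dead[-1]["raw"]) if dead else ""))
```

Against the sample, twelve rules are unreachable for eth0, the port-22 rule and the final REJECT among them; delete the -i eth0 -j ACCEPT line and the list is empty. Feed it the output of iptables-save on a live box to audit a real ruleset.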

--

Link for the BIND source RPM

http://people.redhat.com/atkac/bind/

--

Installation instructions for BIND 9.5 DLZ ( continuation... )

My named.conf file looks like this. Note that recursion yes; without an allow-recursion (or allow-query) restriction makes this an open recursive resolver for anyone who can reach port 53; add something like allow-recursion { localhost; localnets; }; to the options block before exposing it.

##########################################################
//

options {
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.localhost";
};

zone "0.168.192.in-addr.arpa" {
        notify no;
        type master;
        file "named.192.168.0.244";
};

dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=binddlzdb user=binddlzuser pass=binddlzpassword}
        {select zone from records where zone = '%zone%'}
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end
         from records where zone = '%zone%' and host = '%record%' and not (type = 'SOA' or type = 'NS')}
        {select ttl, type, mx_priority, data, resp_contact, serial, refresh, retry, expire, minimum
         from records where zone = '%zone%' and (type = 'SOA' or type = 'NS')}
        {select ttl, type, host, mx_priority, data, resp_contact, serial, refresh, retry, expire, minimum
         from records where zone = '%zone%' and not (type = 'SOA' or type = 'NS')}
        {select zone from xfr where zone = '%zone%' and client = '%client%'}
        {update data_count set count = count + 1 where zone ='%zone%'}";
};

########################################################

[root@testserver ~]# ls /var/named/chroot/var/named/
named.192.168.0.244
named.empty
named.localhost
named.ca
named.loopback

vi named.192.168.0.244

$TTL 1D
@       IN SOA  ns1.testserver.com. hostmaster.testserver.com. (
                        1999021004      ; Serial, today's date + today's serial
                        8H              ; Refresh
                        2H              ; Retry
                        1W              ; Expire
                        1D )            ; Minimum TTL
        IN NS   ns1.testserver.com.

244     IN PTR  testserver.com.

The trailing dot on hostmaster.testserver.com. matters: without it BIND treats the name as relative and appends the zone origin.


vi named.localhost

$TTL 1D
@       IN SOA  localhost. root.localhost. (
                        1997022700      ; Serial
                        28800           ; Refresh
                        14400           ; Retry
                        3600000         ; Expire
                        86400 )         ; Minimum
        IN NS   localhost.

1       IN PTR  localhost.

--

Installation instructions for BIND 9.5 DLZ



cd /usr/src
wget http://people.redhat.com/atkac/bind/bind-9.5.0-16.3.a6.fc9.src.rpm
rpm -ivh bind-9.5.0-16.3.a6.fc9.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -ba bind.spec
cd /usr/src/redhat/RPMS/i386/
rpm -ivh bind-9.5.0-16.3.a6.fc9.i386.rpm

Installing the source RPM as root unpacks the sources into /usr/src/redhat/SOURCES and the spec file into /usr/src/redhat/SPECS; rpmbuild stops and lists any build dependencies that are missing, so install those first.

Instructions for BIND to interact with MySQL

Set the MySQL root password (choose your own) and create the database:

mysqladmin -u root password agnello
mysqladmin -u root -p create binddlzdb

Then, in the mysql client as root, create the user named will connect as and give it only what the queries in the dlz block need: SELECT on the records and UPDATE for the data_count counter. INSERT and DELETE belong to whatever tool manages the records, not to named.

CREATE USER 'binddlzuser'@'localhost' IDENTIFIED BY 'binddlzpassword';
GRANT SELECT, UPDATE ON binddlzdb.* TO 'binddlzuser'@'localhost';
FLUSH PRIVILEGES;

USE binddlzdb;

Now create the records table. The table "records" holds all information about your zones:

CREATE TABLE `records` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `zone` varchar(255) NOT NULL,
  `ttl` int(11) NOT NULL default '86400',
  `type` varchar(255) NOT NULL,
  `host` varchar(255) NOT NULL default '@',
  `mx_priority` int(11) default NULL,
  `data` text,
  `primary_ns` varchar(255) default NULL,
  `resp_contact` varchar(255) default NULL,
  `serial` bigint(20) default NULL,
  `refresh` int(11) default NULL,
  `retry` int(11) default NULL,
  `expire` int(11) default NULL,
  `minimum` int(11) default NULL,
  PRIMARY KEY (`id`),
  KEY `type` (`type`),
  KEY `host` (`host`),
  KEY `zone` (`zone`)
);

Then create the xfr table. "xfr" is consulted by the allowzonexfr query, so AXFR/IXFR zone transfers can be allowed per zone and per client address; a zone with no row here cannot be transferred at all:

CREATE TABLE `xfr` (
  `zone` varchar(255) NOT NULL,
  `client` varchar(255) NOT NULL,
  KEY `zone` (`zone`),
  KEY `client` (`client`)
);

The last query in the dlz block below updates a data_count table that nothing here creates; either create it with a zone column and an integer count column, or leave that query out.


Edit named.conf and add the dlz block. The table and column names must match the schema above (records, resp_contact, xfr); the %zone%, %record% and %client% tokens are filled in by the DLZ driver for each query. Because the database password sits in this file in the clear, keep named.conf readable only by root and the named user.

vi /etc/named.conf

dlz "Mysql zone" {
        database "mysql
        {host=127.0.0.1 dbname=binddlzdb user=binddlzuser pass=binddlzpassword}
        {select zone from records where zone = '%zone%'}
        {select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"') else data end
         from records where zone = '%zone%' and host = '%record%' and not (type = 'SOA' or type = 'NS')}
        {select ttl, type, mx_priority, data, resp_contact, serial, refresh, retry, expire, minimum
         from records where zone = '%zone%' and (type = 'SOA' or type = 'NS')}
        {select ttl, type, host, mx_priority, data, resp_contact, serial, refresh, retry, expire, minimum
         from records where zone = '%zone%' and not (type = 'SOA' or type = 'NS')}
        {select zone from xfr where zone = '%zone%' and client = '%client%'}
        {update data_count set count = count + 1 where zone ='%zone%'}";
};

############################################################


SELinux
If named is blocked from reaching MySQL under SELinux, the quick way to confirm it is to switch enforcement off:

setenforce 0

That is permissive mode until the next boot and turns SELinux off for every process on the box, so do not leave it there: look at the denials logged in /var/log/audit/audit.log and allow only what named needs.

Starting the services at boot (MySQL must be up before named, so start mysqld first):

chkconfig --level 235 mysqld on
chkconfig --level 235 named on
/etc/init.d/mysqld start
/etc/init.d/named start

Log locations: named logs to syslog, and the default_debug channel configured above writes data/named.run under the named directory (/var/named/chroot/var/named/data/named.run when running chrooted).

tail -f /var/log/messages
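An added example (not from the page, and not BIND's code) that runs the same query set against the records/xfr schema using Python's sqlite3, so the data can be checked before named is pointed at MySQL: the %zone%/%record%/%client% placeholders become bound parameters, MySQL's concat() becomes ||, and a small resolve() does the walk named performs from a query name to the nearest zone for which findzone returns a row. The sample zone rows and the permitted transfer client are constructed.

```python
"""Exercise the BIND DLZ MySQL query set against the records/xfr schema using sqlite3.
Added example for checking the data offline; not BIND code. Sample rows are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE records (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  zone TEXT NOT NULL, ttl INTEGER NOT NULL DEFAULT 86400,
  type TEXT NOT NULL, host TEXT NOT NULL DEFAULT '@',
  mx_priority INTEGER, data TEXT, primary_ns TEXT, resp_contact TEXT,
  serial INTEGER, refresh INTEGER, retry INTEGER, expire INTEGER, minimum INTEGER);
CREATE TABLE xfr (zone TEXT NOT NULL, client TEXT NOT NULL);
CREATE TABLE data_count (zone TEXT PRIMARY KEY, count INTEGER NOT NULL DEFAULT 0);
"""

# The dlz block's queries with %zone%/%record%/%client% as bound parameters (?) and
# MySQL concat() written as sqlite's ||.
FINDZONE = "select zone from records where zone = ?"
LOOKUP = ("select ttl, type, mx_priority, "
          "case when lower(type)='txt' then '\"' || data || '\"' else data end "
          "from records where zone = ? and host = ? and not (type = 'SOA' or type = 'NS')")
AUTHORITY = ("select ttl, type, mx_priority, data, resp_contact, serial, refresh, retry, "
             "expire, minimum from records where zone = ? and (type = 'SOA' or type = 'NS')")
ALLOWZONEXFR = "select zone from xfr where zone = ? and client = ?"
COUNTZONE = "update data_count set count = count + 1 where zone = ?"

# Constructed sample zone: (zone, ttl, type, host, mx_priority, data, resp_contact,
#                           serial, refresh, retry, expire, minimum)
SAMPLE_ROWS = [
    ("testserver.com", 86400, "SOA", "@", None, "ns1.testserver.com.",
     "hostmaster.testserver.com.", 2008120101, 28800, 7200, 604800, 86400),
    ("testserver.com", 86400, "NS", "@", None, "ns1.testserver.com.", None, None, None, None, None, None),
    ("testserver.com", 3600, "A", "www", None, "192.168.0.244", None, None, None, None, None, None),
    ("testserver.com", 3600, "MX", "@", 10, "mail.testserver.com.", None, None, None, None, None, None),
    ("testserver.com", 3600, "TXT", "@", None, "v=spf1 mx -all", None, None, None, None, None, None),
]


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("insert into records (zone, ttl, type, host, mx_priority, data, resp_contact, "
                   "serial, refresh, retry, expire, minimum) values (?,?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    db.execute("insert into xfr values ('testserver.com', '192.168.0.10')")  # one permitted AXFR client
    db.execute("insert into data_count values ('testserver.com', 0)")
    db.commit()
    return db


def findzone(db, zone):
    return db.execute(FINDZONE, (zone,)).fetchone() is not None


def lookup(db, zone, host):
    return db.execute(LOOKUP, (zone, host)).fetchall()


def authority(db, zone):
    return db.execute(AUTHORITY, (zone,)).fetchall()


def allow_zone_xfr(db, zone, client):
    """Empty result means the transfer is refused; a zone with no xfr row is never transferable."""
    return db.execute(ALLOWZONEXFR, (zone, client)).fetchone() is not None


def count_zone(db, zone):
    db.execute(COUNTZONE, (zone,))
    return db.execute("select count from data_count where zone = ?", (zone,)).fetchone()[0]


def resolve(db, qname):
    """Walk from the query name towards the root until findzone hits, as named does, then
    run the lookup query for the remaining labels ('@' at the zone apex)."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if findzone(db, zone):
            host = ".".join(labels[:i]) or "@"
            return zone, host, lookup(db, zone, host)
    return None


if __name__ == "__main__":
    db = open_db()
    print(resolve(db, "www.testserver.com."))
    print(authority(db, "testserver.com"))
    print(allow_zone_xfr(db, "testserver.com", "203.0.113.9"))
```

Two things the run makes visible: the lookup query deliberately excludes SOA and NS (they come from the authority query), and a client without an xfr row is refused a transfer, which is the access control you get for free from this schema.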

--
