LinuxQuestions.org
Old 02-04-2003, 02:26 AM   #1
bddwyer
LQ Newbie
 
Registered: Feb 2003
Posts: 2

Rep: Reputation: 0
iptables & inbound ftp, ssh


The goal: Access to this Redhat 7.2 box via ssh and passive ftp from the Internet.

The setup:

Dual-homed RH 7.2 box running as a gateway for a small net using 192.168.0.n internal addressing, fixed IP from ISP for external. sshd for external access. Also running WUFTP as shipped with RH7.2. Specific folks out on the Internet need ftp access to this box. I need to get in for admin purposes.

iptables loads:
ip_conntrack
ip_conntrack_ftp
ip_nat_ftp
ip_table_nat

Default INPUT, OUTPUT and FORWARD policies are DROP

I currently have NO specific INPUT or OUTPUT rules for ftp or ssh.

My questions:

1. Do I need *both* INPUT and OUTPUT rules for ssh and passive ftp?

2. Should I use a state test on the OUTPUT rules in ftp? ssh?

3. How should the rules read? (I've searched on this forum and elsewhere on the 'net and haven't found anything.)

For ssh, I think this should work:

iptables -A INPUT -i $EXTERNAL -p tcp --dport 22 -s $INTERNET -d $EXTERNAL -j ACCEPT

iptables -A OUTPUT -i $EXTERNAL -p tcp --dport 22 -d $EXTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT

Passive ftp has me stumped. Has anyone done this already?

Thanks.
 
Old 02-04-2003, 06:21 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 47
There are two schools of thought around writing rules...
1. Block everything, make rules for every instance that is allowed, "DENY POLICY"
2. Block unwanted traffic, "ALLOW POLICY"

And of course you must do both...

If all you have open on your box is ssh & ftp, you have a couple of choices.
This tutorial needs to be read, then make some rules...
1. A public FTP server is a security and management risk. If you already know the people, use the SFTP server in the Openssh server and close down their user privileges...
2. There are a lot of protection rules to go in first.
3. OUTPUT chain. If you can't trust what the box itself is transmitting, get it off the Internet. You can add OUTPUT rules if you cannot control the servers on the box.
4. INPUT/OUTPUT chains are for packets to/from the box's servers, FORWARD for the LAN behind the box, so the "-d $EXTERNAL" won't work in the INPUT chain, likewise the "-i" won't work in the OUTPUT chain.
5. Passive FTP uses only port 21
6. ip_conntrack_ftp does the state matching for Active FTP ports 21 & 20

There are a lot of good scripts in the tutorial.

Last edited by peter_robb; 02-04-2003 at 06:24 AM.
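Pulling the points in this reply together (INPUT matches on -i, OUTPUT on -o; one stateful rule per chain carries the replies; passive FTP needs only port 21 plus the conntrack helper), here is an added example rule script that is not from the thread or any of its posters. It assumes eth0 as the external interface and that ip_conntrack_ftp is already loaded, as in the original setup.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal DROP-policy rule set for a
# dual-homed gateway that takes inbound ssh and passive FTP on its external
# interface. Assumes ip_conntrack_ftp is loaded; EXTERNAL and IPT are assumed.
EXTERNAL="${EXTERNAL:-eth0}"
IPT="${IPT:-iptables}"

# Print each rule unless APPLY=1 is set, so the set can be reviewed first.
rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

firewall_rules() {
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Discard packets the connection tracker cannot place in any flow.
    rule -A INPUT -i "$EXTERNAL" -m state --state INVALID -j DROP
    # One stateful rule per chain carries the replies of every service below.
    # OUTPUT matches on -o, not -i: the packet is leaving the box.
    rule -A INPUT -i "$EXTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$EXTERNAL" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound connections: ssh and the FTP control channel only. The
    # passive data connection to a high port is opened by the client after
    # the PASV reply; ip_conntrack_ftp reads that reply and marks the data
    # connection RELATED, so no port-20 or high-port rule is needed.
    rule -A INPUT -i "$EXTERNAL" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    rule -A INPUT -i "$EXTERNAL" -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Sanity check on the printed set: count rules that mix up the interface
# flag (-i in OUTPUT or -o in INPUT), which iptables would reject.
bad_interface_rules() {
    firewall_rules | grep -c -e '-A OUTPUT.* -i ' -e '-A INPUT.* -o ' || true
}

firewall_rules
```

Run it as-is to print the rules, or with APPLY=1 to load them.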
 
Old 02-06-2003, 05:02 AM   #3
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

Rep: Reputation: 30
you should safely use only input chain as you stated without -d option
and add same for ports 20, 21 tcp and udp
 
Old 02-06-2003, 09:27 AM   #4
bddwyer
LQ Newbie
 
Registered: Feb 2003
Posts: 2

Original Poster
Rep: Reputation: 0
Thanks for that. I've got it working fine now.