iptables & inbound ftp, ssh

bddwyer · 02-04-2003, 02:26 AM

The goal: Access to this Redhat 7.2 box via ssh and passive ftp from the Internet.

The setup:

Dual-homed RH 7.2 box running as a gateway for a small net using 192.168.0.n internal addressing, fixed IP from ISP for external. sshd for external access. Also running WUFTP as shipped with RH7.2. Specific folks out on the Internet need ftp access to this box. I need to get in for admin purposes.

iptables loads:
ip_conntrack
ip_conntrack_ftp
ip_nat_ftp
ip_table_nat

Default INPUT, OUTPUT and FORWARD policies are DROP

I currently have NO specific INPUT or OUTPUT rules for ftp or ssh.

My questions:

1. Do I need *both* INPUT and OUTPUT rules for ssh and passive ftp?

2. Should I use a state test on the OUTPUT rules in ftp? ssh?

3. How should the rules read? (I've searched on this forum and elsewhere on the 'net and haven't found anything.

For ssh, I think this should work:

iptables -A INPUT -i $EXTERNAL -p tcp -dport 22 -s $INTERNET -d $EXTERNAL -j ACCEPT

iptables -A OUTPUT -i $EXTERNAL -p tcp -dport 22 -d $EXTERNAL -m state --state ESTABLISHED, RELATED -j ACCEPT

Passive ftp has me stumped. Has anyone done this already?

Thanks.

peter_robb · 02-04-2003, 06:21 AM

There are two schools of thought around writing rules...
1. Block everything, make rules for every instance that is allowed, "DENY POLICY"
2. Block unwanted traffic, "ALLOW POLICY"

And of course you must do both...

If all you have open on your box is ssh & ftp, you have a couple of choices.
This tutorial needs to be read, then make some rules...
1. A public FTP server is a security and management risk. If you already know the people, use the SFTP server in the Openssh server and close down their user priveleges...
2. There are a lot of protection rules to go in first.
3. OUTPUT chain. If you can't trust what the box itself is transmitting, get it off the Internet. You can add OUTPUT rules if you cannot control the servers on the box.
4. INPUT/OUTPUT chains are for packets to/from the box's servers, FORWARD for the LAN behind the box, so the "-d $EXTERNAL" won't work in the INPUT chain, likewise the "-i" won't work in the OUTPUT chain.
5. Passive FTP uses only port 21
6. ip_conntrack_ftp does the state matching for Active FTP ports 21 & 20

There are a lot of good scripts in the tutorial.

Noerr · 02-06-2003, 05:02 AM

you should safely use only input chain as you stated without -d option
and add same for ports 20, 21 tcp and udp

bddwyer · 02-06-2003, 09:27 AM

Thanks for that. I've got it working fine now.