[SOLVED] making a simple iptables firewall for internal server, just looking for tips (and allowing ftp)
I've got a mail server behind a router with ports 25, 465, 587 & 993 open externally. I've decided to make a simple firewall that closes off everything, then opens up these ports plus 22 for SSH and ping from the local network.
/etc/iptables/iptables.rules
Code:
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -s 172.16.0.0/16 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
COMMIT
Anything else that might be pertinent to add? Not sure if FORWARD needs anything added there.
Last edited by psycroptic; 07-16-2013 at 02:32 PM.
It looks like this is a common problem: you only need to add these rules:
Code:
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m helper --helper ftp -j ACCEPT
The phrase -m helper --helper ftp takes care of the fact that FTP uses two destination ports (21 & 20), and lets both through your firewall.
Yeah, I added those, I still can't access the FTP server. Even worse, Proftpd (the server I'm using) logs a successful login/chdir from my own machine, even though I definitely CANNOT access FTP with iptables running....
If Proftpd logs the connection and chdir, then the problem is not with the first iptables rule, at least (port 21). Those operations all occur over port 21, the control port. The problem may be elsewhere. Are you getting any packets counted on the second rule (-m helper --helper ftp)? You can see how many packets matched this rule using the command
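Putting the thread together as an added example (this is not code from any of the posters): a script that generates the first post's ruleset with FTP added through the conntrack helper, explicitly assigns the helper in the raw table (newer kernels no longer do that automatically, which is one reason port 21 can log a login while the data channel is blocked), lints the text for the single-dash `-dport` typo before loading, and prints the per-rule counters asked about above. The 172.16.0.0/16 range is from the thread; limiting SSH and FTP control connections to it, and the file path under /etc/iptables, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate, lint and (as root) load a
# ruleset for the mail server above, with FTP handled by the conntrack helper.
LAN=${LAN:-172.16.0.0/16}   # local network range from the thread
# gen_rules: both tables in iptables-save syntax. FTP data connections arrive
# as RELATED once the helper tracks the control channel, so port 20 and the
# passive port range need no rules of their own.
gen_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Assign the helper explicitly; kernels since 4.7 no longer do it by default.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -s $LAN -j ACCEPT
-A INPUT -p tcp -s $LAN -m multiport --dports 21,22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587,993 -j ACCEPT
COMMIT
EOF
}
# lint_rules: read a ruleset on stdin; fail on a long option written with one
# dash (the thread's "-dport 21" is parsed as "-d port") or a missing COMMIT.
lint_rules() {
    status=0 seen_commit=0
    while IFS= read -r line; do
        case $line in '#'*|'*'*|:*|'') continue ;; COMMIT) seen_commit=1 ;; esac
        set -f; for word in $line; do
            case $word in -dport|-sport|-dports|-ctstate|-helper|-icmp-type)
                echo "lint: '$word' needs two dashes in: $line" >&2; status=1 ;;
            esac
        done; set +f
    done
    [ "$seen_commit" -eq 1 ] || { echo "lint: no COMMIT" >&2; status=1; }
    return $status
}
# apply_rules (root only): load the helper module, install the lint-clean
# ruleset, then print per-rule packet counters to see which rule FTP hits.
apply_rules() {
    modprobe nf_conntrack_ftp && gen_rules | lint_rules &&
        gen_rules > /etc/iptables/iptables.rules &&
        iptables-restore < /etc/iptables/iptables.rules &&
        iptables -L INPUT -v -n --line-numbers
}
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it with `apply` as root to install; without arguments it only defines the functions, so `gen_rules | lint_rules` can be used to check a ruleset before touching the live firewall.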