LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 01-24-2014, 10:18 AM   #1
NotionCommotion
Allow FTP through IPTables


I wish to access my server using FTP. Below is my IPTables. Where am I going wrong? Also, please comment if you see other problems with my IPTables setup. Thank you.

Code:
[root@desktop html]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ms-wbt-server
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ms-wbt-server

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data
[root@desktop html]#
 
Old 01-24-2014, 10:26 AM   #2
NotionCommotion
After further tinkering, it appears that FTP is open. Evidently, my username wasn't valid to use FTP. I added my user to the FTP group, and think I have it working. Is this the way it is supposed to be?

Also, please still comment about my IPTables configuration if you see anything bad.

Thanks
 
Old 01-24-2014, 11:10 AM   #3
schneidz
the way it is supposed to be is not to use ftp but instead upgrade to ssh/scp/sftp/sshfs.
 
Old 01-24-2014, 11:40 AM   #4
NotionCommotion
Quote:
Originally Posted by schneidz View Post
the way it is supposed to be is not to use ftp but instead upgrade to ssh/scp/sftp/sshfs.
Agree, I don't want to either, but Adobe Muse doesn't support SSH, and only supports FTP.

Any chance you can help with my two questions?
  1. Does my iptables file look reasonable?
  2. To allow a user to upload a file using ftp, do I just add that user to the ftp group?
 
Old 01-24-2014, 12:11 PM   #5
Smokey_justme
1. Can't really answer you.. Please show the output of the following command (as root):
Code:
iptables -L -v
You have some packets that are allowed on all ports but I'm not sure if they aren't on loopback interface (which is as it should be).. Also, ftp is tricky because of passive ftp.. Here is an example of a kind-of-properly configured vsftpd or proftpd server setup on RedHat/CentOS: http://blogs.reliablepenguin.com/201...-with-iptables (Don't use tutorials that teach you to open everything above 1024 -- however, use google to find out more)

So.. basically.. No... Some way or the other, your firewall is not reasonable..

2. Depends on the server setup... But this is mainly the default configuration provided on most Linux distributions.. yes.. Please provide further details if you need assistance with this..

Last edited by Smokey_justme; 01-24-2014 at 01:16 PM.
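The passive-FTP point in this reply, as an added shell example that is not the thread's code and not the code from the linked blog post: it assumes a RHEL/CentOS-style ruleset like the one in the opening post (a RELATED,ESTABLISHED accept rule followed by a catch-all REJECT), the nf_conntrack_ftp kernel module, and the CT target on newer kernels. IPTABLES, MODPROBE, INSERT_POS and APPLY are variables of this example only; by default it dry-runs and just prints the commands it would issue.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked blog post.
# Goal: let an FTP server accept passive-mode data connections through a
# ruleset like the one in post #1 WITHOUT opening the whole 1024-65535
# range. The kernel's FTP connection-tracking helper watches the PORT/PASV
# exchange on port 21 and tags the resulting data connection RELATED, so
# the existing "ACCEPT all ... state RELATED,ESTABLISHED" rule admits it.
# Assumptions: the nf_conntrack_ftp module is available and, on kernels
# that no longer attach helpers automatically, the CT target exists.
# Set IPTABLES=echo and MODPROBE=echo (the default when APPLY is unset)
# to dry-run without root.

ftp_firewall_rules() {
    ipt=${IPTABLES:-iptables}
    modprobe_cmd=${MODPROBE:-modprobe}
    # Rule position: the OP's INPUT chain ends in a catch-all REJECT, so the
    # FTP rule must be INSERTED above it, not appended below it.
    pos=${INSERT_POS:-1}

    # 1. Load the helper. On RHEL/CentOS 6 this is usually made persistent
    #    with IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config.
    "$modprobe_cmd" nf_conntrack_ftp || return 1

    # 2. Kernels 4.7+ no longer attach helpers automatically; bind the FTP
    #    helper explicitly to control-channel traffic in the raw table.
    #    Older kernels without the CT target assign the helper on their own.
    "$ipt" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp ||
        echo "note: CT target unavailable, relying on automatic helper assignment" >&2

    # 3. Accept new control connections, inserted above the catch-all REJECT.
    "$ipt" -I INPUT "$pos" -p tcp --dport 21 -m state --state NEW -j ACCEPT || return 1

    # 4. Nothing else is needed: passive data connections arrive as RELATED
    #    and match the existing RELATED,ESTABLISHED rule. The "open
    #    1024:65535" shortcut from bad tutorials is deliberately absent.
}

# Stand-alone: dry-run by default; run with APPLY=1 as root to change rules.
if [ "${APPLY:-0}" != 1 ]; then
    IPTABLES=echo
    MODPROBE=echo
fi
ftp_firewall_rules
```

The insert position defaults to 1 (top of INPUT), which is always safe for this ruleset; on a chain where the REJECT sits at a known line, `INSERT_POS` can be set to that line number so the rule lands directly above it.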
 
Old 01-24-2014, 12:46 PM   #6
NotionCommotion
Thanks Smokey! Giving more thought, I probably should forget about using Adobe Muse's upload, and just manually do it, and not worry about ftp. That being said, I definitely need to better understand iptables. Please see the below. What does this tell you?

Code:
[root@desktop html]# iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ndmp
 8156 3731K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   99  5172 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
  549 28608 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:https
   19   988 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp state NEW
  892  116K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ms-wbt-server
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ms-wbt-server

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 9602 packets, 3455K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:ftp-data
[root@desktop html]#
 
Old 01-24-2014, 01:33 PM   #7
Smokey_justme
Ahh.. well, it's fairly ok then.. It is a bare minimum, and it's probably better not to mess with it unless you actually want to learn...

These two will never get accepted though, since no packet can get to this point:
Code:
   0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ms-wbt-server
   0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ms-wbt-server
But I don't know why they should be (nothing to do with FTP).. so leave it as it is.

Besides that, your OUTPUT chain has a default policy that accepts any and all packets to leave your computer.. Your extra rule there is simply bogus.. but it works either way...

See if FTP works correctly (even with passive connections). If it doesn't, see either the link I gave you or google how to allow passive ftp on your distribution.. If you have troubles with it, feel free to ask (ohh, tell us your distribution, too).. Just remember, don't use tutorials that teach you to open every port after 1024..
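The two observations in this reply (rules below the catch-all REJECT never match; the OUTPUT rule is bogus because the chain's policy already accepts everything) can be checked mechanically. The following is an added shell example, not code from the thread: it audits `iptables -L -v` text for shadowed rules and for ACCEPT rules that only repeat an ACCEPT policy. `audit_rules` and `SAMPLE` are names of this example, and the sample input is constructed from the counters output in post #6.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits `iptables -L -v` output
# for two things post #7 points out by eye: rules that sit below a catch-all
# REJECT/DROP and can therefore never match, and ACCEPT rules in a chain
# whose policy is already ACCEPT with no deny rule anywhere in it (they only
# add counters). SAMPLE is constructed from the counters output in post #6.

audit_rules() {
    # $1: text of `iptables -L -v`. Prints one finding per line.
    printf '%s\n' "$1" | awk '
    function flush_chain(   i) {
        # A chain with policy ACCEPT and no REJECT/DROP at all admits every
        # packet anyway, so its ACCEPT rules change nothing but the counters.
        if (chain != "" && policy == "ACCEPT" && !has_deny)
            for (i = 1; i <= n; i++)
                if (tgt[i] == "ACCEPT")
                    print "REDUNDANT " chain ": " desc[i] " (policy is ACCEPT, no deny rule in chain)"
        n = 0; has_deny = 0; dead = 0
    }
    /^Chain / { flush_chain(); chain = $2; policy = $4; next }   # "Chain INPUT (policy ACCEPT ..."
    /^ *pkts/ || NF == 0 { next }                                 # column header / blank line
    {
        # With -v the columns are: pkts bytes target prot opt in out source destination [matches]
        target = $3; prot = $4; in_if = $6; out_if = $7; src = $8; dst = $9
        extra = ""
        for (f = 10; f <= NF; f++) extra = extra (extra == "" ? "" : " ") $f
        if (dead) {
            print "SHADOWED " chain ": " target " " prot " " extra " (below catch-all " deadrule ")"
            next
        }
        if (target == "REJECT" || target == "DROP") {
            has_deny = 1
            # Catch-all: no protocol, interface, address or match restriction
            # (reject-with is a target option, not a match).
            if (prot == "all" && in_if == "any" && out_if == "any" &&
                src == "anywhere" && dst == "anywhere" &&
                (extra == "" || extra ~ /^reject-with/)) {
                dead = 1; deadrule = target
            }
        }
        n++; tgt[n] = target; desc[n] = target " " prot " " extra
    }
    END { flush_chain() }'
}

# Constructed sample, trimmed from post #6 (same layout as `iptables -L -v`).
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ndmp
 8156 3731K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
   19   988 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp state NEW
  892  116K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ms-wbt-server
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ms-wbt-server

Chain OUTPUT (policy ACCEPT 9602 packets, 3455K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp spt:ftp-data'

audit_rules "$SAMPLE"
```

On the sample it reports the two ms-wbt-server rules as shadowed by the REJECT and the OUTPUT ftp-data rule as redundant; on a live box, `audit_rules "$(iptables -L -v)"` as root gives the same report for the real ruleset. The catch-all test is deliberately strict (any interface, address or match restriction means the rule is not a catch-all), so it under-reports rather than flagging rules that can still be reached.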
All times are GMT -5.