LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
10-16-2003, 09:53 AM   #1
adamgedde (LQ Newbie)
IPTables and FTP - ftp on LAN


Don't know much about iptables, but I think that it's preventing me from FTP-ing on my local network. Have wu-ftp set up on machine A, and can ftp into the localhost with no problem. However, if I try to ftp into A from machine B the connection is refused. Port 21 is open on machine A. Machine A also serves as a firewall, web server, smtp server, and sql server. I'm interested in only allowing local (192.168.1.*) ftp transfers between machine A and machine B. I know absolutely nothing about iptables, but it appears as though the machine is accepting ssh, http, and smtp from anywhere - is this where the problem is?
 
10-16-2003, 10:35 AM   #2
jdc2048 (Member)
Yeah, you probably need to specifically allow connections from this network. There are some other areas you may want to check as well.

A couple of things that will help out if you could post them **.

"iptables -L"

"cat /etc/hosts.allow"
"cat /etc/hosts.deny"

** X out any IP's you don't wish to show the world. (i.e. 192.168.0.3 becomes <my IP> or 192.168.0.4 becomes <my Webserver>, etc...)
 
10-16-2003, 10:59 AM   #3
adamgedde (Original Poster)
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Lokkit-0-50-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:ntp dpt:ntp
LOG all -- <private-IP> anywhere LOG level warning prefix `TDG IP Subnet #2'
LOG all -- <private-IP> anywhere LOG level warning prefix `TDG IP Subnet #1'
DROP all -- <private-IP> anywhere
DROP all -- <private-IP> anywhere
LOG all -- 217.0.0.0/8 anywhere LOG level warning prefix `!!European Subnet!!'
ACCEPT udp -- anywhere anywhere udp spt:ntp dpt:ntp
ACCEPT udp -- <private-IP> anywhere udp spt:domain dpts:1025:65535
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable


hosts.allow and hosts.deny are both blank
 
10-16-2003, 12:53 PM   #4
jdc2048 (Member)
If you have this system running on a private network and feel safe enough to flush the iptables, then you could do a quick test. Run "iptables -F", which will remove all rules. Then try to connect again. If you are successful, then it is a firewall issue.

If this turns out to be the case, I can try to check the rules you posted and see if I can give you a specific line to add to your iptables file to allow the traffic you want.
 
10-16-2003, 07:49 PM   #5
jdc2048 (Member)
Quote:
Originally posted by adamgedde
Don't know much about iptables, but I think that it's preventing me from FTP-ing on my local network. Have wu-ftp set up on machine A, and can ftp into the localhost with no problem. However, if I try to ftp into A from machine B the connection is refused. Port 21 is open on machine A. Machine A also serves as a firewall, web server, smtp server, and sql server. I'm interested in only allowing local (192.168.1.*) ftp transfers between machine A and machine B. I know absolutely nothing about iptables, but it appears as though the machine is accepting ssh, http, and smtp from anywhere - is this where the problem is?
The problem lies with your iptables settings below. You could add a second layer of security by using the hosts.allow and hosts.deny.

in /etc/hosts.deny add the following line
Code:
wu-ftpd:  ALL EXCEPT 192.168.1.
this (above) would block all wu-ftpd traffic except for clients from 192.168.1.*

Quote:
leading numbers added by jdc2048
Chain RH-Lokkit-0-50-INPUT (1 references)
target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp spt:ntp dpt:ntp
2 LOG all -- <private-IP> anywhere LOG level warning prefix `TDG IP Subnet #2'
3 LOG all -- <private-IP> anywhere LOG level warning prefix `TDG IP Subnet #1'
4 DROP all -- <private-IP> anywhere
5 DROP all -- <private-IP> anywhere
6 LOG all -- 217.0.0.0/8 anywhere LOG level warning prefix `!!European Subnet!!'
7 ACCEPT udp -- anywhere anywhere udp spt:ntp dpt:ntp
8 ACCEPT udp -- <private-IP> anywhere udp spt:domain dpts:1025:65535
9 ACCEPT tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN
10 ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
11 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
12 ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
13 ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc dpts:bootps:bootpc
14 ACCEPT all -- anywhere anywhere
15 REJECT tcp -- anywhere anywhere tcp dpts:0:1023 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
16 REJECT tcp -- anywhere anywhere tcp dpt:nfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
17 REJECT udp -- anywhere anywhere udp dpts:0:1023 reject-with icmp-port-unreachable
18 REJECT udp -- anywhere anywhere udp dpt:nfs reject-with icmp-port-unreachable
19 REJECT tcp -- anywhere anywhere tcp dpts:x11:6009 flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
20 REJECT tcp -- anywhere anywhere tcp dpt:xfs flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable


hosts.allow and hosts.deny are both blank
From what I can see, the rules are pretty weird. If I knew a little more about what specifically you needed, I could try to help you clean this up. Below is what I can tell about it (although I am not an iptables expert)

The first rule allows all ntp (network time protocol) comms.
2nd, 3rd, & 6th rules - do some logging
4th & 5th - drop all outbound packets from <private-IP> (I assume you used <private-IP> for 2 different nets, you normally reflect that in a post by saying <private-IP1> and <private-IP2>)
7th - is a repeat of rule # 1
8th - accept all udp traffic from <private-IP> high ports 1025 through 65535 from any server on port 53 (DNS)
9th - accept any connections to smtp server (may not be a problem - on RH 9 sendmail is configured to only accept mail from localhost by default)
10th - accept any connections to http server
11th - accept any connections to ssh server
12th & 13th - both allow all udp (connectionless) bootp traffic bootps = BOOTP server bootpc = BOOTP client
14th - accept all traffic from anywhere to anywhere
15th - reject all tcp traffic not already explicitly allowed to ports 0 through 1023
16th - reject all traffic to nfs (redundant from rule 15)
17th - reject all udp traffic not already explicitly allowed to ports 0 through 1023
18th - reject all udp traffic to nfs (redundant from rule 17)
19th - reject all tcp traffic to ports 6000 to 6009
20th - reject all tcp traffic to xfs (X font server)
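The hosts.deny line above is a second layer, not the fix for the REJECT in rule 15; it also only works if wu-ftpd is started through tcpd/xinetd or built with libwrap, and the daemon field has to match the server's process name (on Red Hat that is usually in.ftpd rather than wu-ftpd). To show what `ALL EXCEPT 192.168.1.` actually matches, here is an added example, not code from the thread or from tcp_wrappers: a small POSIX sh re-implementation of the hosts.allow / hosts.deny evaluation order. It assumes the daemon name "wu-ftpd" from the post and constructs its own sample files in a temporary directory.

```shell
#!/bin/sh
# Added example: minimal re-implementation of how tcp_wrappers evaluates
# hosts.allow / hosts.deny for the line jdc2048 suggests. Not wu-ftpd or
# libwrap code; the sample files below are constructed.

WORK=$(mktemp -d)
ALLOW="$WORK/hosts.allow"
DENY="$WORK/hosts.deny"
: > "$ALLOW"                                   # empty, as in the thread
printf 'wu-ftpd:  ALL EXCEPT 192.168.1.\n' > "$DENY"

# match_pattern PATTERN CLIENT: 0 if CLIENT matches one client pattern.
# Supports ALL, a trailing-dot network prefix ("192.168.1.") and an exact address.
match_pattern() {
    pat=$1; client=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$client" ] && return 0 ;;
    esac
    return 1
}

# match_list "LIST" CLIENT: 0 if the client list, with an optional
# "EXCEPT" part, matches CLIENT ("ALL EXCEPT 192.168.1." = everyone outside the LAN).
match_list() {
    list=$1; client=$2
    case "$list" in
        *EXCEPT*) inc=${list%%EXCEPT*}; exc=${list#*EXCEPT} ;;
        *)        inc=$list; exc= ;;
    esac
    matched=1
    for p in $inc; do match_pattern "$p" "$client" && matched=0; done
    [ "$matched" -eq 0 ] || return 1
    for p in $exc; do match_pattern "$p" "$client" && return 1; done
    return 0
}

# file_matches FILE DAEMON CLIENT: 0 if any "daemons : clients" line in FILE matches.
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                       # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        dmatch=1
        for d in $dlist; do
            if [ "$d" = "$daemon" ] || [ "$d" = ALL ]; then dmatch=0; fi
        done
        [ "$dmatch" -eq 0 ] || continue
        match_list "$clist" "$client" && return 0
    done < "$file"
    return 1
}

# wrappers_decision DAEMON CLIENT: tcp_wrappers order of evaluation:
# a hosts.allow match wins, then a hosts.deny match denies, otherwise allow.
wrappers_decision() {
    if file_matches "$ALLOW" "$1" "$2"; then echo ALLOW
    elif file_matches "$DENY" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

for c in 192.168.1.5 10.0.0.7; do
    echo "wu-ftpd from $c: $(wrappers_decision wu-ftpd "$c")"
done
```

The trailing dot matters: `192.168.1.` is a prefix match on the dotted address, so 192.168.10.5 is outside the LAN and gets denied, while the empty hosts.allow means every other daemon still falls through to the default allow.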
 
10-16-2003, 08:00 PM   #6
jdc2048 (Member)
just an additional thought, if you use scp from machine B, you would be able to connect to machine A based on the rule # 11 (ssh)

but to get ftp allowed, you could add a line like this to your /etc/sysconfig/iptables (RedHat location)
Code:
-A RH-Lokkit-0-50-INPUT -p tcp -s 192.168.1.0/255.255.255.0 -d <private-IP> -m tcp --dport 21 -j ACCEPT
you would want to add this above all other rules but below the part that says "-A FORWARD -j RH-Lokkit-0-50-INPUT". It doesn't have to be in that spot, but it would need to come before any REJECT rules.
 
10-16-2003, 08:11 PM   #7
jdc2048 (Member)
Dohh! Just a recommendation: don't add it to the RH-Lokkit-0-50-INPUT chain. If you run "lokkit" it will clobber your rule.

mod
Code:
-A INPUT -p tcp -s 192.168.1.0/24 -d <private-IP> -m tcp --dport 21 -j ACCEPT
put that just above the "-A INPUT -j RH-Lokkit-0-50-INPUT" line
then do a "service iptables restart" to reread the config file
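Two things worth checking before editing the file. First, the "connection refused" the poster sees is exactly what rule 15's `REJECT ... icmp-port-unreachable` produces for a SYN to port 21, so the placement above the jump into the lokkit chain is what makes the ACCEPT win under first-match evaluation. Second, `iptables -L` without `-v -n` hides interface matches, so the "ACCEPT all anywhere anywhere" at rule 14 is most likely the loopback-only rule lokkit adds (`-i lo`), which is why the REJECTs after it still fire for LAN traffic; `iptables -L -v -n` shows the interface column. The following is an added example, not jdc2048's code: a POSIX sh script that inserts the rule from post #7 into a constructed copy of a lokkit-style /etc/sysconfig/iptables and walks the INPUT chain the way the kernel would, so the ordering can be verified offline. It assumes 192.168.1.1 in place of the poster's `<private-IP>` and models only the matches the sample uses.

```shell
#!/bin/sh
# Added example: check the rule ordering jdc2048 describes without touching a
# live firewall. Works on a constructed copy of a lokkit-style
# /etc/sysconfig/iptables; 192.168.1.1 stands in for the poster's <private-IP>.

WORK=$(mktemp -d)
FTP_RULE='-A INPUT -p tcp -s 192.168.1.0/24 -d 192.168.1.1 -m tcp --dport 21 -j ACCEPT'

# make_sample_conf FILE: write the constructed sample (shape of a lokkit file, not the poster's real one)
make_sample_conf() {
    cat > "$1" <<'EOF'
# Firewall configuration written by lokkit (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# add_ftp_rule FILE RULE: insert RULE directly above the jump into the lokkit
# chain (post #7's placement); does nothing if RULE is already present;
# fails with status 2 if the anchor line is missing.
add_ftp_rule() {
    file=$1; rule=$2
    grep -qxF -- "$rule" "$file" && return 0
    awk -v rule="$rule" '
        !done && $0 == "-A INPUT -j RH-Lokkit-0-50-INPUT" { print rule; done = 1 }
        { print }
        END { if (!done) exit 2 }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# verdict FILE PORT: walk the INPUT chain in file order for a new TCP
# connection from the LAN to PORT arriving on a non-loopback interface,
# following -j jumps into user chains, and print the first terminating target
# (POLICY if no rule matched). Only --dport N, --dport A:B and -i lo are modelled.
verdict() {
    awk -v port="$2" '
        /^-A / { rules[$2] = ($2 in rules ? rules[$2] "\n" : "") $0 }
        function matches(rule,    r) {
            if (rule ~ /-i lo( |$)/) return 0
            if (match(rule, /--dport [0-9]+:[0-9]+/)) {
                split(substr(rule, RSTART + 8, RLENGTH - 8), r, ":")
                return port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0
            }
            if (match(rule, /--dport [0-9]+/))
                return substr(rule, RSTART + 8) + 0 == port + 0
            return 1
        }
        function walk(chain,    n, i, lines, tgt, v) {
            n = split(rules[chain], lines, "\n")
            for (i = 1; i <= n; i++) {
                if (!matches(lines[i])) continue
                tgt = ""
                if (match(lines[i], /-j [A-Za-z0-9_-]+/))
                    tgt = substr(lines[i], RSTART + 3, RLENGTH - 3)
                if (tgt == "ACCEPT" || tgt == "REJECT" || tgt == "DROP") return tgt
                if (tgt in rules) { v = walk(tgt); if (v != "") return v }
            }
            return ""
        }
        END { v = walk("INPUT"); print (v == "" ? "POLICY" : v) }
    ' "$1"
}

CONF="$WORK/iptables"
make_sample_conf "$CONF"
echo "port 21 before: $(verdict "$CONF" 21)"     # REJECT: what the client reports as "connection refused"
add_ftp_rule "$CONF" "$FTP_RULE"
echo "port 21 after:  $(verdict "$CONF" 21)"     # ACCEPT
```

Opening port 21 only covers the FTP control channel; the data channel needs the ip_conntrack_ftp helper (or an explicit passive-mode port range) as well, which is the usual next thing to check once the control connection gets through.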
 
All times are GMT -5. The time now is 04:54 AM.