LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-24-2005, 07:13 AM   #1
loboautoma
LQ Newbie
 
Registered: Jan 2005
Posts: 20

Can't connect via FTP on my LAN... this is my iptables config...


Hi, I can't access FTP in my LAN. I have 2 hosts: one with Linux is the gateway on eth0, the other is my personal PC connected to eth1. I configured iptables like so:

# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*filter
:INPUT DROP [53:5664]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [857:85837]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s xxxxxxxx/xxxxxxxxx -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Jan 24 11:45:26 2005
# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*nat
:PREROUTING ACCEPT [88:5432]
:POSTROUTING ACCEPT [31:4334]
:OUTPUT ACCEPT [122:12260]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 24 11:45:26 2005

...why is FTP not working? Maybe I need to configure some iptables rule for eth1?

Note: I'm an Italian Linux beginner... thanks for any help!
 
Old 01-24-2005, 03:47 PM   #2
guzzi
Member
 
Registered: Jun 2004
Location: Lawrence, KS
Distribution: Slackware
Posts: 294

LAN FTP

If the Linux box/gateway is running Slackware, FTP is not on by default.

You need to edit /etc/inetd.conf and remove the # in front of the ftp line.

If this gateway is part of your firewall, opening up ftp is risky.
 
Old 01-24-2005, 05:18 PM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

A number of FTP servers run in PASV mode, which means you have to open up several higher-numbered ports as well as 21. On my system (ProFTP) I can lock the passive port range, so I've opened 50000-51000 in the firewall as well.

If you're doing this you probably want to look into chrooting ftp as a security precaution.
 
Old 01-25-2005, 08:10 AM   #4
loboautoma
LQ Newbie
 
Registered: Jan 2005
Posts: 20

Original Poster
Thanks...
but I'd like to configure iptables appropriately for eth1 and nothing more...
 
Old 01-25-2005, 11:26 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

OK, let's see if I have this straight... The FTP server has two ethernet cards, eth0 (which is your Internet interface) and eth1, which is your LAN interface. You want to allow FTP access from your LAN only (eth1).

If this is the case, the problem with your firewall is with the -i flag. So in your firewall you have

-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT

I would change that to
-A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT

If this isn't your intention, please clarify what you mean by

Quote:
but I'd like to configure iptables appropriately for eth1 and nothing more...
 
Old 01-25-2005, 11:38 AM   #6
loboautoma
LQ Newbie
 
Registered: Jan 2005
Posts: 20

Original Poster
That was my intention, thanks... I will try it... even if I already tried that... in another forum people tell me to add rules in the FORWARD chain... I'll tell you.

Last edited by loboautoma; 01-25-2005 at 11:45 AM.
 
Old 01-27-2005, 12:32 PM   #7
zsoltrenyi
Member
 
Registered: May 2004
Distribution: redhat, trustix, debian
Posts: 103

You also need to open port 20 and ports below 1024 as far as I know.
A PC connects at port 21, but after that the server and the client will communicate at a higher port (>1023).
I have an FTP server too and it didn't work until I opened up those ports,
so I have something like this in my firewall script:
iptables -A INPUT -i eth1 -p tcp --dport 1024:65000 -j ACCEPT
 
Old 01-27-2005, 02:30 PM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Quote:
iptables -A INPUT -i eth1 -p tcp --dport 1024:65000 -j ACCEPT
You have got to be kidding. I would argue that is no longer a firewall, but rather a TCP packet annoyance system.

There is absolutely no reason to have that many ports open for one program. Have a read through your server's documentation and find out how to narrow that down. If your server doesn't allow you to restrict the PASV ports, I would find a new server.
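The two corrections in this thread, accepting FTP only on the LAN interface (post #5) and keeping the passive data range narrow instead of opening 1024:65000 (post #8), put together as a small POSIX shell script. This is an added example, not code posted by anyone in the thread: it generates an iptables-restore fragment rather than calling iptables directly, so it can be reviewed (and tested) before loading, and it refuses a passive range that is more than a couple of thousand ports wide. The interface name eth1 and the range 50000:51000 are taken from the thread; the assumption that the FTP server's own passive-port setting (PassivePorts in ProFTPD) is locked to the same range is the reader's to verify.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore *filter table
# that accepts new FTP control connections (tcp/21) only on the LAN interface,
# plus a narrow passive data range, and reject over-wide ranges up front.
# Hypothetical defaults: LAN interface eth1, passive range 50000:51000, which
# must match the FTP server's own passive-port configuration (assumption).

# Widest passive range this generator will accept; ~2000 ports is already
# far more than one FTP server needs for concurrent data connections.
MAX_PASV_PORTS=2000

# pasv_width LO HI -> number of ports an inclusive range opens
pasv_width() {
    echo $(( $2 - $1 + 1 ))
}

# ftp_rules IFACE LO HI -> prints the *filter table on stdout, returns 1 on bad input
ftp_rules() {
    iface="$1"; lo="$2"; hi="$3"
    if [ -z "$iface" ] || [ -z "$lo" ] || [ -z "$hi" ]; then
        echo "usage: ftp_rules IFACE LO HI" >&2
        return 1
    fi
    # Only digits are allowed in the port bounds.
    case "$lo$hi" in
        *[!0-9]*) echo "ports must be numeric" >&2; return 1 ;;
    esac
    # Passive data ports are ephemeral ports: above 1023 and within 16 bits.
    if [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "bad passive range $lo:$hi" >&2
        return 1
    fi
    # 1024:65000 (the range quoted in the thread) is rejected here.
    if [ "$(pasv_width "$lo" "$hi")" -gt "$MAX_PASV_PORTS" ]; then
        echo "passive range $lo:$hi is too wide ($(pasv_width "$lo" "$hi") ports)" >&2
        return 1
    fi
    # Default-deny INPUT; replies to our own traffic come back via the
    # RELATED,ESTABLISHED rule; only the LAN interface may open FTP sessions.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $iface -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -i $iface -p tcp -m tcp --dport $lo:$hi -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Usage (run as root, after reviewing the output):
#   ftp_rules eth1 50000 51000 > /tmp/ftp-lan.rules && iptables-restore < /tmp/ftp-lan.rules
```

The rules deliberately omit the Internet-facing interface entirely, so a typo in the interface name (eth0 instead of eth1, the original mistake) fails closed rather than exposing the server. If the kernel's FTP connection-tracking helper is loaded (ip_conntrack_ftp on 2.4/2.6-era kernels), passive data connections are classified RELATED and the explicit range rule becomes unnecessary; the thread does not cover that, so the script keeps the range rule, which works whether or not the helper is present.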
 
Old 01-28-2005, 01:14 AM   #9
zsoltrenyi
Member
 
Registered: May 2004
Distribution: redhat, trustix, debian
Posts: 103

Yes, Hangdog42 is right, but the idea is that you need some open ports > 1023.
 