LinuxQuestions.org

can't connect via ftp on my lan....this is my iptables config.... (http://www.linuxquestions.org/questions/linux-security-4/cant-connect-via-ftp-on-my-lan-this-is-my-iptables-config-281571/)

loboautoma 01-24-2005 07:13 AM

can't connect via ftp on my lan....this is my iptables config....
 
Hi, I can't access FTP on my LAN. I have 2 hosts: one with Linux is the gateway on eth0, the other is my personal PC connected to eth1. I configured iptables like so:

# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*filter
:INPUT DROP [53:5664]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [857:85837]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s xxxxxxxx/xxxxxxxxx -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Jan 24 11:45:26 2005
# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*nat
:PREROUTING ACCEPT [88:5432]
:POSTROUTING ACCEPT [31:4334]
:OUTPUT ACCEPT [122:12260]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 24 11:45:26 2005

...why is FTP not working? Maybe I need to configure some iptables commands for eth1?

Note: I'm an Italian Linux beginner... thanks for any help!

guzzi 01-24-2005 03:47 PM

LAN FTP
 
If the Linux box/gateway is running Slackware, FTP is not on by default.

You need to edit /etc/inetd.conf and remove the # in front of the ftp line.

If this gateway is part of your firewall, opening up ftp is risky.

Hangdog42 01-24-2005 05:18 PM

A number of FTP servers run in PASV mode, which means you have to open up several higher-numbered ports as well as 21. On my system (ProFTP) I can lock the passive port range, so I've opened 50000-51000 in the firewall as well.

If you're doing this you probably want to look into chrooting ftp as a security precaution.

loboautoma 01-25-2005 08:10 AM

Thanks...
but I'd like to configure iptables appropriately for eth1 and nothing more...

Hangdog42 01-25-2005 11:26 AM

OK, let's see if I have this straight... The FTP server has two ethernet cards, eth0 (which is your Internet interface) and eth1, which is your LAN interface. You want to allow FTP access from your LAN only (eth1).

If this is the case, the problem with your firewall is with the -i flag. So in your firewall you have

-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT

I would change that to
-A INPUT -i eth1 -p tcp --dport 21 -j ACCEPT

If this isn't your intention, please clarify what you mean by

Quote:

but I'd like to configure iptables appropriately for eth1 and nothing more...

loboautoma 01-25-2005 11:38 AM

That was my intention, thanks... I will try it... even if I already tried that... in another forum people told me to add rules in the FORWARD chain... I'll let you know.

zsoltrenyi 01-27-2005 12:32 PM

You also need to open port 20 and ports below 1024, as far as I know.
A PC connects at port 21, but after that the server and the client will communicate on a higher port (>1023).
I have an FTP server too, and it didn't work until I opened up those ports,
so I have something like this in my firewall script:
iptables -A INPUT -i eth1 -p tcp --dport 1024:65000 -j ACCEPT

Hangdog42 01-27-2005 02:30 PM

Quote:

iptables -A INPUT -i eth1 -p tcp --dport 1024:65000 -j ACCEPT
You have got to be kidding. I would argue that is no longer a firewall, but rather a TCP packet annoyance system.

There is absolutely no reason to have that many ports open for one program. Have a read through your servers documentation and find out how to narrow that down. If your server doesn't allow you to restrict the PASV ports, I would find a new server.
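An added example from the editor, not code from this thread: a small Python model of the INPUT chain posted at the top of the thread. It walks a few constructed packets through the rules as posted, through the same chain with Hangdog42's `-i eth1` change applied, and through a LAN-only ruleset the editor proposes that pins the passive range to 50000-51000 as in Hangdog42's ProFTPD setup (that ruleset, the packet states and the first-match semantics are the editor's assumptions, not taken from a live system; the posted rule with the redacted `-s` address is left out). Two things it makes visible: with the rules as posted, every ACCEPT is tied to eth0, so a LAN SYN on eth1 falls through to the DROP policy; and the third rule, `-p tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset`, matches every TCP segment that lacks an MSS option, which is every segment except a SYN, so even after the `-i eth1` change the client's handshake ACK gets reset.

```python
from __future__ import annotations
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                         # a constructed inbound packet as INPUT sees it
    iface: str
    proto: str                        # "tcp" or "udp"
    dport: int
    options: frozenset = frozenset()  # TCP option kinds present; kind 2 is MSS
    state: str = "NEW"                # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass
class Rule:
    target: str = "ACCEPT"
    iface: str | None = None
    proto: str | None = None
    dport: range | None = None
    states: set | None = None
    tcp_option: int | None = None     # "--tcp-option N"; option_negated for "! --tcp-option N"
    option_negated: bool = False
SIMPLE = {"-i": "iface", "-p": "proto", "-j": "target"}

def parse_rule(line: str) -> Rule:
    """One '-A INPUT ...' line of iptables-save output. Only the matches the posted
    rules use are understood; anything else raises instead of being ignored."""
    toks, r, i, negate = shlex.split(line), Rule(), 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        if t in SIMPLE:
            setattr(r, SIMPLE[t], toks[i + 1])
        elif t == "--dport":                          # "21" or "50000:51000"
            lo, _, hi = toks[i + 1].partition(":")
            r.dport = range(int(lo), int(hi or lo) + 1)
        elif t == "--state":
            r.states = set(toks[i + 1].split(","))
        elif t == "--tcp-option":
            r.tcp_option, r.option_negated = int(toks[i + 1]), negate
        elif t not in ("-A", "-m", "--reject-with"):  # chain, match module, reject type
            raise ValueError(f"unsupported token {t!r} in {line!r}")
        i, negate = i + 2, False
    return r

def matches(r: Rule, p: Packet) -> bool:
    basic = all([r.iface in (None, p.iface), r.proto in (None, p.proto),
                 r.dport is None or p.dport in r.dport, r.states is None or p.state in r.states])
    if not basic or r.tcp_option is None:
        return basic
    # "--tcp-option 2" needs MSS present; "! --tcp-option 2" needs it absent.
    return (r.tcp_option in p.options) != r.option_negated

def evaluate(rules: list[Rule], policy: str, p: Packet) -> tuple[int | None, str]:
    for n, r in enumerate(rules, 1):      # first matching rule wins
        if matches(r, p):
            return n, r.target
    return None, policy                   # fell off the chain: chain policy applies

def load(text: str) -> list[Rule]:
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

# The INPUT chain as posted, minus the one rule whose "-s" address was redacted.
POSTED_TEXT = """
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
"""
POSTED = load(POSTED_TEXT)
# Hangdog42's one-line change: accept port 21 on eth1 instead of eth0.
PATCHED = load(POSTED_TEXT.replace("-i eth0 -p tcp -m tcp --dport 21", "-i eth1 -p tcp -m tcp --dport 21"))
# Editor's LAN-only version (an assumption, not from the thread): RELATED,ESTABLISHED on
# every interface, port 21 and a pinned passive range on eth1 only, SSH on eth0, no MSS REJECT.
FIXED = load("""
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 50000:51000 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
""")

# Constructed packets; MSS (option 2) is carried only by SYN segments.
PACKETS = {
    "LAN SYN to 21":            Packet("eth1", "tcp", 21, frozenset({2})),
    "LAN handshake ACK to 21":  Packet("eth1", "tcp", 21, state="ESTABLISHED"),
    "LAN SYN to passive 50500": Packet("eth1", "tcp", 50500, frozenset({2})),
    "Internet SYN to 21":       Packet("eth0", "tcp", 21, frozenset({2})),
}

if __name__ == "__main__":
    for label, rules in (("posted", POSTED), ("patched", PATCHED), ("fixed", FIXED)):
        for name, p in PACKETS.items():
            n, verdict = evaluate(rules, "DROP", p)
            print(f"{label:8}{name:26} -> {verdict} ({'rule %d' % n if n else 'chain policy'})")
```

Running it prints one verdict per packet and ruleset. Two caveats for the real box: the RELATED,ESTABLISHED rule must not be restricted to eth0, or replies on the LAN side never get in; and rules in FORWARD only affect traffic routed through the gateway, not connections to an FTP daemon running on the gateway itself, which is INPUT. With the kernel's FTP connection-tracking helper loaded (`ip_conntrack_ftp` on kernels of this era, `nf_conntrack_ftp` later) passive data connections are classified RELATED, so the explicit 50000:51000 rule becomes a fallback; a pinned range of that size is still the right thing to open if the helper is not loaded, as opposed to 1024:65000.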

zsoltrenyi 01-28-2005 01:14 AM

Yes, Hangdog42 is right, but the idea is that you need some open ports > 1023.

