LinuxQuestions.org > Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, just trying to get my head around FTP and how to allow connections to a server. I have an FTP daemon running which listens for connections on port 21.
So, I figure I need to at least accept connections on this port? Then I need to enable another port (or ports) for the data channel, yes? This depends on whether we are using active or passive transfers... this is where I get confused.
Passive is more dangerous to the server but more client-friendly, from what I can make out. I also read, I think, that the ip_conntrack_ftp module can read what ports the clients want to use and open them accordingly, instead of having to open the whole upper range. Is this correct?
It would be great if someone with an FTP server could show me just the few lines that are used for FTP connections. My firewall is still basic, but I'm building on it slowly and this would help get the low stumbling blocks out of the way.
Cheers
PS: the FTP server is on the gateway machine, using iptables 1.2.5.
This link was posted by Capt_Caveman. I think it will answer all your queries. It is for client connections but you would be able to modify those rules for your ftp server connections.
Code:
# Control channel: accept new and established connections to the FTP daemon on port 21.
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies from the daemon leave with source port 21 (the original rule matched --dport 21,
# which is the client-side form and never matches a server's replies).
$IPTABLES -A OUTPUT -o ppp0 -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Data channel: accepts connections to every port above 1023, including NEW ones (see the question below).
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Outbound to any port above 1023, with no state check at all.
$IPTABLES -A OUTPUT -o ppp0 -p tcp --dport 1024: -j ACCEPT
The third line is apparently supposed to work without the NEW according to the link posted above, but, well, it doesn't.
So as far as I can tell, what this is doing is showing all ports > 1024 as closed? How safe is this? Will it let any NEW packet in, or does it only allow NEW packets that have previously been OK'd through port 21?
If someone could clear up my confusion or post something that works better, that would be great.
If you are using vsftpd, you can set pasv_max_port and pasv_min_port to restrict passive data connections to that range and fine-tune your firewall rules, like:
Code:
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 54776:54875 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
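Putting the two answers together, here is an added example (not code from the thread or from any of the posters) that generates a complete FTP rule set for a server on a gateway: the conntrack FTP helper is loaded so data connections arrive as RELATED instead of NEW, and the passive range is restricted to the same ports configured in vsftpd's pasv_min_port/pasv_max_port. The interface name, the range 54776-54875 and the path /sbin/iptables are assumptions for illustration; the script only prints the rules, so it can be reviewed first and then piped to sh as root.

```sh
#!/bin/sh
# Added example: generate iptables rules for an FTP server that relies on the
# conntrack FTP helper rather than opening every port above 1023 to NEW packets.
# Assumes vsftpd is configured with pasv_min_port/pasv_max_port equal to the
# range passed in, and a default-DROP INPUT policy. Prints rules; does not apply them.

IPTABLES=${IPTABLES:-/sbin/iptables}   # assumed path; override via the environment

# Reject a passive range unless both ends are numeric, above 1023, within 16 bits, and min < max.
valid_pasv_range() {
    for p in "$1" "$2"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -gt 1023 ] && [ "$2" -le 65535 ] && [ "$1" -lt "$2" ]
}

# Print the rule set for interface $1 and passive range $2-$3.
gen_ftp_rules() {
    iface=$1; pmin=$2; pmax=$3
    valid_pasv_range "$pmin" "$pmax" || { echo "bad passive range: $pmin-$pmax" >&2; return 1; }
    cat <<EOF
# Load the FTP helper: it parses PORT/PASV on the control channel and registers
# the expected data connection, whose first packet then matches state RELATED.
modprobe nf_conntrack_ftp
# 1. Replies on any already-tracked connection (control and data channels alike).
$IPTABLES -A INPUT -i $iface -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $iface -m state --state ESTABLISHED -j ACCEPT
# 2. Control channel: the only place a NEW inbound connection is accepted.
$IPTABLES -A INPUT -i $iface -p tcp --dport 21 -m state --state NEW -j ACCEPT
# 3. Passive data: helper-expected connection, restricted to the advertised range.
$IPTABLES -A INPUT -i $iface -p tcp --dport $pmin:$pmax -m state --state RELATED -j ACCEPT
# 4. Active data: the server's own outbound connection from port 20, also helper-expected.
$IPTABLES -A OUTPUT -o $iface -p tcp --sport 20 -m state --state RELATED -j ACCEPT
EOF
}

# Safety check on the generated set: no rule may accept NEW packets on high ports.
count_new_highports() {
    gen_ftp_rules "$@" | grep -c -- '--dport 1024:.*NEW.*ACCEPT' || true
}

# Usage: sh ftp-rules.sh > ftp-rules.txt; review; then: sh ftp-rules.txt (as root)
gen_ftp_rules ppp0 54776 54875
```

The generated set answers the question above about NEW packets: the only rule that accepts state NEW is the one for port 21, so a data connection is accepted only after the helper has seen the matching PASV or PORT exchange on an established control session. One caveat on kernels newer than the one in this thread: since Linux 4.7 the conntrack helper is no longer attached to connections automatically, so an extra raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` (or the sysctl net.netfilter.nf_conntrack_helper=1 on kernels that still have it) is required before rule 3 and rule 4 will ever see RELATED packets.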