Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
hi.
i set up a dmz to have a internet web server and ftp server, and ssh only from local network, so i wrote a iptables script to load during boot :
#!/bin/bash
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p icmp -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.100 -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
The problem is that everything works fine ( i have the same rules for other services such as samba, nfs, mysql on another server) BUT ftp there is no way to make it work. not even locally.when i try to connect, i log in, but while listing the directory i get MLSD ... and it hangs like this for a moment, then i get error message "connection time out" , "impossible to list directory". if i turn off the iptables script no problem,ftp works fine.. but why all services work and ftp no? how do i have to modify the rules?
what is strange also is that if i set as OUTPUT policy "accept", the server seems to be offline."host unknown" error message.
I was thinking the rule INPUT is fine cause at least i can login, but the dir list is not going out, so gotta modify output rules. or state?
thanks in advance
Hi, Please make sure that you have opened the passive and active FTP ports in the firewall. Refer the following link, you will get the iptables command to open passive and active FTP ports.
Troop's suggestion is probably easiest, but some FTP servers (like vsftpd) allow you to lock down passive ports to a specific range, which means you can open those ports in your firewall.
@edwardcode - Actually the original line is fine since it accepts all packets on port 21, regardless of state. The rule you're proposing causes the firewall to look at the packet state and only accept NEW packets. Since the original rule is less restrictive than the one you're proposing, the original shouldn't be a problem.
What the original firewall never does is open FTP data ports, either for passive or active FTP, and that is likely the problem. There is a nice article here explaining how FTP handles ports in both modes and understanding that is critical to getting the firewall rules right.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.