IPTABLES question : ftp access for some IPs only

bobbera · 02-21-2009, 07:18 AM

Hi ,

I've been trying to configure iptables rules according to which ftp access will be granted only to the specific IPS list (10.63.3.244 and 10.63.3.250 for example ) , but not to a whole range of IPs like 192.168.1.0/24 .

When I grant ftp access to a the IPs with next rules

iptables -A INPUT -p tcp --dport 21 -s ! 10.53.3.244 -j REJECT
iptables -A INPUT -p tcp --dport 21 -s ! 10.33.3.250 -j REJECT

only first IP will have an ftp access and the second IP is being rejected due to the first rule worked already .

How I define iptables in this situation .
Do not want to use /etc/hosts.deny since ftp prompt will show up indicating ftp port opened .

Thanks .

Vlad .

JulianTosh · 02-21-2009, 07:48 AM

reverse your logic... set the default policy of the INPUT chain to DROP and ALLOW the hosts you want in.

google "basic iptables examples"

basically, you want a default policy of DROP for the input chain, allow established,related connections, then rules to allow the specific traffic you want.

win32sux · 02-21-2009, 08:41 AM

Practically speaking, change this:

Code:

iptables -A INPUT -p tcp --dport 21 -s ! 10.53.3.244 -j REJECT
iptables -A INPUT -p tcp --dport 21 -s ! 10.33.3.250 -j REJECT

To this:

Code:

iptables -A INPUT -p tcp --dport 21 -s 10.53.3.244 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -s 10.33.3.250 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j DROP

bobbera · 02-22-2009, 02:58 AM

Thanks to win32sux , his solution worked perfect .

I wouldn't go to the switching default policy to DROP since then I have to deal with other protocols as well .

Thanks to all .