LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-11-2009, 07:11 PM   #1
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Rep: Reputation: 31
Use iptables to secure active ftp, what range of ports


What range of ports must a client secure in a FW for an active ftp client?

I'm new to working with Iptables and am trying to secure a system with it. I'm quite happy with what I've gotten to work so far but we have a piece of java code that does an active FTP. The active FTP seems to move around using different ports to connect to. Is there a known range? Right now I'm just guessing and each time I guess it just picks a port not in the range I guessed. OH bother.

FYI I am only using Iptables to block incoming ports not outgoing.

I thought just opening port 21 wasn't going to be enough, and it isn't.
This is rather frustrating.


Side note, can I add an accept rule for all ports on a specific IP address in Iptables?

For all your help
Thank you.
 
Old 03-11-2009, 08:33 PM   #2
watcher69b
Member
 
Registered: Nov 2007
Location: /home/watcher69b
Distribution: RH, Fedora & CentOS
Posts: 539

Rep: Reputation: 39
Normal FTP uses TCP ports 20 and 21.
sftp uses TCP port 22.

give that a try...
 
Old 03-12-2009, 12:42 AM   #3
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
To allow a specific IP address, something like:
Code:
/sbin/iptables -I INPUT -s 11.22.33.44 -j ACCEPT
should work. Note that there are ways to spoof an IP address, so this is not necessarily a very secure thing to do.
 
Old 03-12-2009, 06:41 PM   #4
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Original Poster
Rep: Reputation: 31
Thanks for the help on the IP address it works great.
 
Old 03-20-2009, 03:32 AM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.6, Centos 5.10
Posts: 16,324

Rep: Reputation: 2041
How about
Code:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
and, in /etc/sysconfig/iptables-config:
Code:
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
plus
Code:
ldd /usr/sbin/vsftpd | grep libwrap
      libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002aaaaaf0f000)
which means you can use tcp_wrappers, ie in /etc/hosts.allow:
Code:
vsftpd: 192.168.0.1
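The reason `ip_conntrack_ftp` is the piece that matters for active FTP is that the helper reads the PORT command the client sends on the control connection (TCP/21), works out which client port the server will connect back to, and registers an expectation so that the inbound data connection is labelled RELATED instead of NEW. The following is an added illustration of that logic in Python; it is not kernel code and not from this thread. `parse_port_command`, `Flow` and `FtpHelper` are hypothetical names, and the addresses are constructed samples.

```python
import re
from dataclasses import dataclass

# Added illustration (not kernel code) of what the ip_conntrack_ftp helper does:
# it watches the control connection on TCP/21, parses the PORT command the
# client sends, and registers an expectation so that the server's inbound data
# connection is classified RELATED rather than NEW.  Names are hypothetical;
# addresses are constructed samples.

PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port_command(line: str):
    """Return (ip, port) announced by an FTP PORT command, or None otherwise.

    PORT h1,h2,h3,h4,p1,p2 encodes IP h1.h2.h3.h4 and port p1*256 + p2.  The
    client picks that port from its ephemeral range, which is why no fixed
    range can be opened in advance.
    """
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class FtpHelper:
    """Toy stand-in for the conntrack FTP helper on one control connection."""

    def __init__(self, server_ip: str, client_ip: str):
        self.server_ip = server_ip
        self.client_ip = client_ip
        # Expected (client_ip, client_port) data endpoints; consumed once they
        # are matched, like kernel expectations.
        self.expected = set()

    def see_client_payload(self, line: str) -> bool:
        """Feed one line the client sent on the control connection."""
        parsed = parse_port_command(line)
        if parsed is None:
            return False
        ip, port = parsed
        # A PORT naming some other host would make the firewall open a hole
        # toward a third party; this toy refuses it (the kernel helper's
        # "loose" module parameter governs the same decision).
        if ip != self.client_ip:
            return False
        self.expected.add((ip, port))
        return True

    def classify(self, flow: Flow) -> str:
        """Conntrack state for the first packet of an inbound connection."""
        # The server usually connects from port 20, but the expectation is
        # keyed on the server address and the announced client endpoint, not
        # on the server's source port.
        if flow.src == self.server_ip and (flow.dst, flow.dport) in self.expected:
            self.expected.discard((flow.dst, flow.dport))
            return "RELATED"
        return "NEW"


if __name__ == "__main__":
    helper = FtpHelper(server_ip="203.0.113.7", client_ip="10.0.0.5")
    helper.see_client_payload("PORT 10,0,0,5,195,89")   # announces 10.0.0.5:50009
    data = Flow("203.0.113.7", 20, "10.0.0.5", 50009)
    print(data, "->", helper.classify(data))            # RELATED
    stray = Flow("203.0.113.7", 20, "10.0.0.5", 50010)
    print(stray, "->", helper.classify(stray))          # NEW
```

With the helper loaded, the `--state ESTABLISHED,RELATED` rule accepts the data connection on port 50009 without any port range being opened; a connection to any other high port stays NEW and falls through to the chain policy. Without the helper, every data connection is NEW, which is exactly the "it picks a port not in the range I guessed" behaviour from the first post.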
 
Old 03-20-2009, 03:52 PM   #6
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Original Poster
Rep: Reputation: 31
Way too cool, and it works as well.
Does the order of the lines matter? Can I put the line

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

first? I tried putting this line as one of the first lines and hoped it would work for all established and related connections. I'm asking because I have other protocols that do the same and was wondering if I have to put that line in for each one or just one at the beginning.


Thank you.
 
Old 03-21-2009, 07:15 PM   #7
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
You can put that line first; it should not matter.
iptables looks at the first line first, and if it is a match for the present packet/connection, then the jump at the end of the line is performed (for example, ACCEPT or DROP). If the first line does not match, the next line is tried, and so on. As soon as you have a match, no more lines in the present chain are executed; the jump is performed. Also, since a specific protocol is not identified, it should apply to all protocols that can become RELATED or ESTABLISHED.
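The first-match walk described above can be made concrete with a small simulation. This is an added example, not code from the thread or from netfilter: `Packet`, `Rule` and `walk_chain` are hypothetical stand-ins for a packet as conntrack has already labelled it, one INPUT chain entry, and the chain traversal. It runs the same constructed sample traffic through the two orderings asked about (state rule first, or state rule last) and reports both the verdict and how many rules had to be examined.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added illustration of first-match chain traversal; not code from the thread
# or from netfilter.  All names are hypothetical; sample traffic is constructed.


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int
    state: str   # conntrack label: NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                           # jump: ACCEPT or DROP
    proto: Optional[str] = None           # -p tcp
    dport: Optional[int] = None           # --dport N
    states: FrozenSet[str] = frozenset()  # -m state --state A,B; empty = any

    def matches(self, pkt: Packet) -> bool:
        # Every specified match must hold; an unspecified one matches all.
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.states and pkt.state not in self.states:
            return False
        return True


def walk_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Return (verdict, rules examined): the first match jumps, the rest are skipped."""
    for position, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.target, position
    return policy, len(rules)   # fell off the end: the chain policy applies


ESTABLISHED_RELATED = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
FTP_CONTROL = Rule("ACCEPT", proto="tcp", dport=21)
SSH = Rule("ACCEPT", proto="tcp", dport=22)

# The two orderings under discussion: state rule first, or state rule last.
STATE_FIRST = [ESTABLISHED_RELATED, FTP_CONTROL, SSH]
STATE_LAST = [FTP_CONTROL, SSH, ESTABLISHED_RELATED]

# Constructed sample traffic arriving on INPUT, already labelled by conntrack.
SAMPLES = {
    "new ftp control":    Packet("tcp", 21, "NEW"),
    "ftp data (RELATED)": Packet("tcp", 50009, "RELATED"),
    "ssh reply traffic":  Packet("tcp", 22, "ESTABLISHED"),
    "dns reply (udp)":    Packet("udp", 53001, "ESTABLISHED"),
    "new to port 8080":   Packet("tcp", 8080, "NEW"),
}


def compare_orders():
    """(state-first result, state-last result) for every sample packet."""
    return {
        name: (walk_chain(STATE_FIRST, pkt), walk_chain(STATE_LAST, pkt))
        for name, pkt in SAMPLES.items()
    }


def verdicts_agree() -> bool:
    """True when ordering changes only the work done, not the outcome."""
    return all(first[0] == last[0] for first, last in compare_orders().values())


if __name__ == "__main__":
    for name, (first, last) in compare_orders().items():
        print(f"{name:20} state-first={first}  state-last={last}")
```

For this ruleset both orders give the same verdicts, which is the point made above; the only difference is that with the state rule first, reply and RELATED traffic (the bulk of packets on a busy host) is accepted at rule 1 instead of being compared against every port rule before reaching it. The one caveat the simulation makes visible is that ordering stops being irrelevant as soon as an earlier rule can DROP something the state rule would have accepted, so the state rule is normally placed ahead of any such rule.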
 
Old 03-23-2009, 06:21 PM   #8
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Original Poster
Rep: Reputation: 31
The part I was missing was the ip_conntrack_ftp in the config file. As soon as I added that, everything worked as I expected.

Yea

Thanks
 
  

