Old 03-11-2009, 06:11 PM   #1
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Rep: Reputation: 31
Use iptables to secure active ftp, what range of ports


What range of ports must a client secure in a FW for active ftp client?

I'm new to working with iptables and am trying to secure a system with it. I'm quite happy with what I've gotten to work so far, but we have a piece of Java code that does an active FTP. The active FTP seems to move around, using different ports to connect to. Is there a known range? Right now I'm just guessing, and each time I guess it just picks a port not in the range I guessed. Oh bother.

FYI, I am only using iptables to block incoming ports, not outgoing.

I thought just opening port 21 wasn't going to be enough, and it isn't.
This is rather frustrating.


Side note: can I add an accept rule for all ports on a specific IP address in iptables?

For all your help
Thank you.
 
Old 03-11-2009, 07:33 PM   #2
watcher69b
Member
 
Registered: Nov 2007
Location: /home/watcher69b
Distribution: RH, Fedora & CentOS
Posts: 539

Rep: Reputation: 39
Normal FTP uses TCP ports 20 and 21.
SFTP uses TCP port 22.

give that a try...
 
Old 03-11-2009, 11:42 PM   #3
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
To allow a specific IP address, something like:
/sbin/iptables -I INPUT -s 11.22.33.44 -j ACCEPT
should work. Note that there are ways to spoof an IP address, so this is not necessarily a very secure thing to do.
 
Old 03-12-2009, 05:41 PM   #4
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Original Poster
Rep: Reputation: 31
Thanks for the help on the IP address it works great.
 
Old 03-20-2009, 02:32 AM   #5
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,261

Rep: Reputation: 2028
How about
Code:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Code:
In /etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
plus

Code:
ldd /usr/sbin/vsftpd | grep libwrap
      libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002aaaaaf0f000)
which means you can use tcp_wrappers, i.e.
Code:
In /etc/hosts.allow:

vsftpd: 192.168.0.1
 
Old 03-20-2009, 02:52 PM   #6
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Original Poster
Rep: Reputation: 31
Way too cool, and it works as well.
Does the order of the lines matter? Can I put the line

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

first? I tried putting this line as one of the first lines and hoped it would work for all established and related connections. I'm asking because I have other protocols that do the same, and I was wondering if I have to put that line in for each one or just once at the beginning.


Thank you.
 
Old 03-21-2009, 06:15 PM   #7
jeff_k
Member
 
Registered: Jan 2008
Location: San Diego, CA USA
Distribution: Debian / Ubuntu
Posts: 51

Rep: Reputation: 17
You can put that line first; it should not matter.
iptables looks at the first line first, and if it matches the present packet/connection, the jump at the end of the line is performed (for example, ACCEPT or DROP). If the first line does not match, the next line is tried, and so on. As soon as there is a match, no more lines in the present chain are executed; the jump is performed. Also, since a specific protocol is not identified, it should apply to all protocols that can become RELATED or ESTABLISHED.
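The two points made in posts #5 and #7 can be seen together in a small simulation: the FTP conntrack helper is what turns the server's incoming data connection into a RELATED packet, and the ESTABLISHED,RELATED rule can sit anywhere in the chain because iptables stops at the first match. The code below is an added illustration written for this page, not netfilter's code and not from any poster. It models conntrack as a toy table (confirmed flows plus helper expectations, no timeouts, no TCP state machine), parses the client's PORT command the way nf_conntrack_ftp does, and evaluates the server's connection from port 20 against the chain in both rule orders and with the helper absent. The addresses, the control-connection source port and the ephemeral data port 51217 are constructed. It also returns the iptables commands the simulated chain stands for on a current kernel; note that since kernel 4.7 a helper is no longer attached to a connection automatically (nf_conntrack_helper defaults to 0), so a raw-table `-j CT --helper ftp` rule is needed in addition to loading nf_conntrack_ftp (the module was called ip_conntrack_ftp on the 2.6 kernels in this thread), and the helper cannot read a TLS-protected control connection, so this approach does not work for FTPS.

```python
"""Toy model of iptables + nf_conntrack_ftp for an active-FTP client.

Added illustration for this thread, not netfilter code.  Conntrack is
modelled as two sets (confirmed flows, helper expectations); there are no
timeouts and no TCP state machine.  Addresses and ports are constructed.
"""
import re
from dataclasses import dataclass, field

CLIENT = "192.0.2.10"     # constructed: the iptables-protected FTP client
SERVER = "198.51.100.5"   # constructed: the remote FTP server
DATA_PORT = 51217         # constructed ephemeral port = 200*256 + 17


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Conntrack:
    confirmed: set = field(default_factory=set)   # flows already accepted
    expected: set = field(default_factory=set)    # created by the FTP helper

    def state(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if flow in self.confirmed or reply in self.confirmed:
            return "ESTABLISHED"
        if flow in self.expected:
            return "RELATED"
        return "NEW"

    def confirm(self, p):
        """Real conntrack confirms an entry only once the packet is accepted."""
        flow = (p.src, p.sport, p.dst, p.dport)
        self.expected.discard(flow)
        self.confirmed.add(flow)

    def ftp_helper(self, ctrl, payload):
        """What nf_conntrack_ftp does on a tracked port-21 connection: parse
        'PORT h1,h2,h3,h4,p1,p2' and expect server:20 -> client:(p1*256+p2).
        Returns the (host, port) it now expects, or None if nothing was registered."""
        m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", payload)
        if ctrl.dport != 21 or not m:
            return None
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        if host != ctrl.src:        # PORT naming a third host is an FTP bounce: refuse
            return None
        self.expected.add((ctrl.dst, 20, host, port))
        return host, port


# Matches corresponding to the two INPUT rules from the thread.
def match_dport21(p, state):
    return p.dport == 21


def match_established_related(p, state):
    return state in ("ESTABLISHED", "RELATED")


CHAIN_PORT21_FIRST = [(match_dport21, "ACCEPT"), (match_established_related, "ACCEPT")]
CHAIN_STATE_FIRST = list(reversed(CHAIN_PORT21_FIRST))


def evaluate(chain, ct, p, policy="DROP"):
    """Walk the chain top-down; the first matching rule's target is the verdict."""
    state = ct.state(p)
    verdict = next((target for match, target in chain if match(p, state)), policy)
    if verdict == "ACCEPT":
        ct.confirm(p)
    return verdict


def active_ftp_session(chain, helper_loaded=True):
    """Verdicts for the server's data connection (server:20 -> client:DATA_PORT)
    before and after the client sends PORT on its outgoing control connection."""
    ct = Conntrack()
    ctrl = Packet(CLIENT, 40001, SERVER, 21)   # outgoing control connection
    ct.confirm(ctrl)                            # OUTPUT is unrestricted, as in the thread
    before = evaluate(chain, ct, Packet(SERVER, 20, CLIENT, DATA_PORT))  # no PORT yet: NEW
    if helper_loaded:
        ct.ftp_helper(ctrl, "PORT 192,0,2,10,200,17\r\n")   # constructed client command
    after = evaluate(chain, ct, Packet(SERVER, 20, CLIENT, DATA_PORT))
    return before, after


def iptables_commands():
    """The rules the simulation stands for on a kernel >= 4.7, where the helper
    must be attached explicitly because nf_conntrack_helper defaults to 0."""
    return [
        "modprobe nf_conntrack_ftp",
        "iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A INPUT -p tcp --dport 21 -j ACCEPT   # only if this host also serves FTP",
        "iptables -P INPUT DROP",
    ]


if __name__ == "__main__":
    for name, chain in (("port21 first", CHAIN_PORT21_FIRST), ("state first", CHAIN_STATE_FIRST)):
        print(name, active_ftp_session(chain))
    print("no helper", active_ftp_session(CHAIN_STATE_FIRST, helper_loaded=False))
    print("\n".join(iptables_commands()))
```

Running it shows the server's first connection attempt dropped as NEW in every configuration, and accepted as RELATED only once the helper has seen the PORT command, with the same result whichever rule comes first; without the helper the data connection is never accepted, which is exactly the symptom described in the original question.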
 
Old 03-23-2009, 05:21 PM   #8
thllgo
Member
 
Registered: Sep 2003
Location: Laurel MD
Posts: 257

Original Poster
Rep: Reputation: 31
The part I was missing was the ip_conntrack_ftp in the config file. As soon as I added that, everything worked as I expected.

Yea

Thanks
 
  


All times are GMT -5.
