[SOLVED] iptables allow ftp only from a specific IP

gly · 08-23-2016, 01:03 AM

hello,
hosting a server where all connections are permitted and only ftp(active,passive, file transfer) and ping(icmp) is permitted from a specific host. Kindly suggest the commands for configuration of the required iptables policy.

sunnysthakur · 08-23-2016, 03:01 AM

Try the below rule. It should work.

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT

lazydog · 08-23-2016, 08:15 AM

I would suggest you take a closer look at your rules and tighten them down to only allow what is really needed instead of allowing everything.

As you have not posted any of your rules this might not work 100% as it relies on having a stateful firewall.
If you have a stateless firewall then you might want to go with sunnysthakur's reply.

Basically this is what you are looking for when using a stateful firewall.
You will want to place these before any drop statement:

Code:

-A INPUT -s x.x.x.x -p icmp --icmp-typs 8 -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT

Make sure you load [i]"ip_conntrack_ftp"[i] to ensure that FTP is allowed to use port 20 for data transfer.

JJJCR · 08-24-2016, 04:38 AM

Try this:

Quote:

iptables -A INPUT -s 192.168.1.100 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s 192.168.1.100 -p tcp --dport 20 -j ACCEPT

Quote:

FirewallD
# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 21 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 192.168.1.100 -p tcp --dport 20 -j ACCEPT

gly · 08-24-2016, 08:12 AM

@all
thanks for the replies
But question is not complete. Let me rephrase.
1) The servers inbound policy is DROP. So no process can connect to server.
2) The server needs to exchange data with 2 client s say, 192.168.4.5 and 192.168.4.9 with ftp only, nothing else.
So what should be the iptables command on the server?

lazydog · 08-24-2016, 12:45 PM

See my post and adopt as needed.

gly · 08-24-2016, 12:55 PM

@lazydog
I have tried something like
iptables -A INPUT -s 192.168.4.5 -p TCP --dport ftp -j accept
but it allows to login using ftp but doesn't allow for data transfer.

lazydog · 08-24-2016, 01:38 PM

Are you using a STATEFUL firewall or a STATELESS?

If you are using a STATEFUL firewall then my rules should work if you follow them 100%. This includes loading the FTP module also as I have stated.

If you are using STATELESS then you should follow JJJCR's comment as that is the setup for that type of firewall deployment.

Would it be possible for you to post your firewall rules?

gly · 08-24-2016, 01:49 PM

@lazydog
the requirement is simple. The firewall will pull files using ftp from an IP and post files to another two IPs.These are done via scripts(automating it via crond). Along with these ftp get and put policy, the server may take telnet to another 2-3 locations. That's it . no other inbound and outbound policies allowed. Can u kindly suggests the complete command list for achieving this?

lazydog · 08-24-2016, 02:35 PM

Really.... REALLY??

You are leaving out a good part of the DETAILS that we would require to give you EXACTLY the commands you need to run. While your requirements are simple we gave you simply ways to complete what you are trying to do as we did not get the details we would require.

Now the time has come for you to step up to the plate and hit a home run for the team. We have given you everything we can without knowing the simple details we need to know. You need to look at your system and decide which set of instruction will work best for your setup and deploy them.

Without knowing what type of firewall you have deployed we have no idea which set of instruction will work best for you.