LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 06-10-2002, 06:24 PM   #1
ifm
Member
 
Registered: Jun 2002
Location: USA
Distribution: RH7.3 & YDL2.1
Posts: 124

Rep: Reputation: 15
Question ipchains Syntax for FTP Ports


Could someone be so helpful as type out the proper IPCHAINS command line for doing the two required additions to the firewall chains mentioned in the following pulled from the PureFTPD FAQ:

"First, you have to open port 21 TO the FTP server. You also have to allow
connections FROM (not to) port 20 (of the FTP server) to everywhere."

"Then, open some ports TO the FTP server. These ports should be > 1023."

The ports I will be allowing will be 20000 to 30000 for pasv mode. I'm fairly new to ipchains, so I am not clear by the aboves statements in regards to "TO" and "FROM" ... as there are no references to that terminology in the MAN pages for ipchains.

Thanks for any help.
 
Old 06-11-2002, 08:14 PM   #2
sewer_monkey
Member
 
Registered: May 2002
Location: Toronto, ON, Canada
Distribution: Ubuntu, Debian, RedHat/CentOS
Posts: 624

Rep: Reputation: 31
OK, this is off the top of my head, so you'll probably have to do some researching/debugging... oh well, here goes:
Code:
ipchains -A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 20000:30000 -p tcp -y -j ACCEPT
ipchains -A output -s 0/0 20 -d 0/0 -p tcp -j ACCEPT
Basically, from what I can remember, ipchains creates two (for our purposes) chains, input and output. Every packet has to pass through the chain of rules, incoming packets through the input chain, and outgoing packets through the output chain.

So, line number 1 above, says add (-A) a new rule to the input chain (input), where source packets from anywhere (-s 0/0) aimed at any of our IP address(es) with port 21 (-d 0/0 21) using the TCP protocol (-p tcp) should be accepted (ACCEPT).

Line number 2 says, add (-A) a new rule to the input chain (input), where source packets from anywhere (-s 0/0) aimed at any of our IP address(es) with ports ranging from 20000 to 30000 (-d 0/0 20000:30000) using the TCP protocol (-p tcp) should be accepted (ACCEPT).

Line number 3 says, add (-A) a new rule to the output chain of rules (output) where any packet from any IP address originating from port 20 (-s 0/0 20) aimed at any of our IP address(es) with any port(s) (-d 0/0) using the TCP protocol (-p tcp) should be accepted (ACCEPT).

The -y packet makes sure that input packets are actually targeted and affected by this rule (if I included it in line 3, then it wouldn't work), and the -j flag makes the rule actually filter packets, instead of serving as a "counter" for this type of a packet...

Again, as I said above, I am quite rusty with ipchains, and this should be a starting point for you. I suggest you check out the IPChains HOWTO once again. And my advice to you, with the way things are going, you might as well switch to iptables, as it's the newer firewall tool that comes with the 2.4 linux kernels.

If you are not very comfortable using ipchains/iptables directly, then gShield should be a nice starting point for you. It's a front-end for iptables that works quite nice.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IPChains & External Ports engnet Linux - Security 3 05-28-2003 04:02 AM
SuSE 7.2 Firewall (IPChains) Blocking Ports Led*Zep Linux - Networking 1 04-01-2003 02:06 AM
IPChains & UDP ports Sonicsone Linux - Networking 9 12-17-2002 01:48 PM
ipchains, ftp from client to non-ftp ports atari303 Linux - Networking 2 11-08-2002 02:43 AM
ipchains & blocked ports? jasonhbishop Linux - Networking 3 06-03-2002 08:43 PM


All times are GMT -5. The time now is 11:07 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration