SUBJECT: iptables rules for an FTP server
I have just started using vsftpd and I want to see whether my firewall rules are good enough.
This topic is about firewalling. A second topic will follow where I request for comments (sic :P) on creating a secure but reasonable configuration for vsftpd. However, I want to give a complete picture of what I am trying to do, and so I am including vsftpd.conf and vsftpd.userlist.
I chose to enable passive mode so as to make it easier for the client to connect. One of my goals was to enable the Internet Explorer / Windows Explorer FTP client to work (some people don't even know how to install another FTP client), but as far as I understand the only compromise I had to make to enable the IE/Explorer client was to use passive mode, which isn't a big compromise. Correct me if I am wrong about this.
I'd like you to take a look and tell me what you think. I have two main concerns:
1. I may have too broad rules.
2. I still don't know how I can add anti-DoS protection, meaning setting a limit on the number of connections an IP can make and on how many IPs can connect at the same time.
I am grouping the rules by function (e.g.: enabling FTP client, enabling FTP server, etc). There are comments explaining my thoughts on some rules. Feel free to read them and give me feedback on anything you see.
Well, here it is!
# Sample firewall rules to see whether my ftp server rules are fine-tuned.
# Default policy for the three chains.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Flush (remove) all rules from default chains.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
# Remove all custom chains.
iptables -X
# Allows input and output on loopback. From my experience, you will not feel
# the need to allow output on loopback if you don't use a Samba server.
# Matching on the interface is enough and is more correct than matching on
# 127.0.0.0/8: connections to the host's own LAN address also travel over lo
# and would be dropped by a source/destination restriction to 127.0.0.0/8.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow traffic for sessions which are already established. This
# is the idea of a stateful firewall.
# OUTPUT has no counterpart, so the outgoing half of every session has to be
# matched explicitly by the per-service rules below.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH client.
# it appears that the SSH server rules are enough so this isn't needed
###iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# FTP client.
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Outgoing ICMP (ping).
### it stopped working, now I have a more broad rule (and potentially dangerous too) ### iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
# Type 8 is echo-request; the echo replies come back in through the INPUT
# ESTABLISHED,RELATED rule. The rule below additionally lets the host emit
# every other ICMP type, including errors such as port-unreachable.
iptables -A OUTPUT -p icmp -j ACCEPT
# Outgoing Nmap.
# This accepts every NEW outbound connection on any port, not only Nmap's, and
# INVALID packets too, which the FIN/NULL/Xmas style scans need because conntrack
# has no session to attach them to. It is the broadest rule in the set.
iptables -A OUTPUT -m state --state INVALID,NEW -j ACCEPT
### I was supposed to have this line too but it works without it ### iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED,INVALID -j ACCEPT
# SSH server, only on LAN (10.0.0.0/16).
iptables -A INPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/16 -d 10.0.0.0/16 -p tcp --sport 22 -j ACCEPT
# FTP server.
# the 1024:65535 part may not be necessary because of nf_conntrack_ftp
# The RELATED matches below depend on the FTP conntrack helper being loaded
# (modprobe nf_conntrack_ftp): it parses PORT/PASV on the control connection
# and marks the data connections they announce as RELATED.
# Control connection (port 21).
iptables -A INPUT -p tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# Active mode: the server opens the data connection from port 20 (RELATED);
# the client's packets on that connection come back as ESTABLISHED.
iptables -A INPUT -p tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Passive mode: the client opens the data connection to the high port announced
# in the PASV reply (RELATED). This range should be narrowed to whatever
# pasv_min_port/pasv_max_port are set to in vsftpd.conf.
iptables -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

vsftpd.conf:
# Option added by me. Allows passive mode. I wanted to enable this due
# to IE/Explorer but now I see that IE/Explorer can connect without this
# enabled. Sometimes.
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Uncomment this to allow local users to log in. This must be enabled for
# any non-anonymous login to work, including virtual users.
# Uncomment this to enable any form of FTP write command.
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
# Users cannot see the tree outside of their home directory. Added by me.
# Allow only specific users to use FTP. Added by me.
# Allow me to set /bin/false instead of a shell. Alternatively I could
# have added /bin/false in /etc/shells but this feels more right.
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
# Activate logging of uploads/downloads.
# Make sure PORT transfer connections originate from port 20 (ftp-data).
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# You may override where the log file goes if you like. The default is shown
# If you want, you can have your log file in standard ftpd xferlog format
# You may change the default value for timing out an idle session.
# You may change the default value for timing out a data connection.
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
# You may fully customise the login banner string:
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
# (default follows)
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (default follows)
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
# To run vsftpd in standalone mode (rather than through inetd), uncomment
# the line below.

vsftpd.userlist:
# List of users allowed to use FTP. Read by vsftpd. Config file by me.
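The two open points in the post, pinning the passive range down so the firewall does not have to open 1024:65535 and limiting how many connections one client (and all clients together) may hold on port 21, can be expressed with the connlimit and hashlimit matches. The script below is an added example written for this review; it is neither the poster's rule set nor anything shipped with vsftpd. It emits an iptables-restore ruleset instead of a list of `iptables` commands so that the whole set is applied atomically. The LAN 10.0.0.0/16 comes from the post; the passive range 50000-50100, the limits (5 control connections per client address, 100 in total, 10 new connections per minute per address), the burst of 20 and the chain name FTP-IN are assumptions to adjust. The passive range has to equal `pasv_min_port`/`pasv_max_port` in vsftpd.conf, otherwise vsftpd advertises ports the firewall drops.

```shell
#!/bin/sh
# Added example for this review (not the poster's rules, not vsftpd's):
# emit an iptables-restore ruleset for a vsftpd host with a pinned passive
# port range and connection limits on the control port.
#
# Parameters: LAN allowed to reach SSH, first/last passive port (must equal
# pasv_min_port/pasv_max_port in vsftpd.conf), max simultaneous control
# connections per client address, max in total, max rate of new control
# connections per client address in hashlimit syntax (e.g. 10/minute).
# Every concrete value used below is an assumption to be adjusted.
ftp_ruleset() {
    lan=$1
    pasv_min=$2
    pasv_max=$3
    per_ip=$4
    total=$5
    rate=$6
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Since Linux 4.7 conntrack helpers are not attached automatically, so bind
# the ftp helper to the control port explicitly (nf_conntrack_ftp must be
# loaded). It reads PORT/PASV and marks the announced data connections RELATED.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:FTP-IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# ICMP errors about our own connections (e.g. fragmentation needed).
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# SSH from the LAN only.
-A INPUT -s $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Every new FTP control connection goes through the limiting chain.
-A INPUT -p tcp --dport 21 --syn -m conntrack --ctstate NEW -j FTP-IN
# Per-client cap: mask 32 groups connections by exact IPv4 source address.
-A FTP-IN -p tcp -m connlimit --connlimit-above $per_ip --connlimit-mask 32 -j REJECT --reject-with tcp-reset
# Global cap: mask 0 puts every source into one group, so this counts all clients.
-A FTP-IN -p tcp -m connlimit --connlimit-above $total --connlimit-mask 0 -j DROP
# Rate of new control connections per source; the burst is the token bucket size.
-A FTP-IN -p tcp -m hashlimit --hashlimit-name ftp-new --hashlimit-mode srcip --hashlimit-above $rate --hashlimit-burst 20 -j DROP
-A FTP-IN -j ACCEPT
# Passive data: the client connects to a port from the advertised range and the
# helper has marked it RELATED. RELATED SYNs outside the range hit the DROP policy.
-A INPUT -p tcp --dport $pasv_min:$pasv_max -m conntrack --ctstate RELATED -j ACCEPT
# Active data: the server connects out from port 20, also RELATED.
-A OUTPUT -p tcp --sport 20 -m conntrack --ctstate RELATED -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# No other outbound NEW connections: this box is a server, not a client.
COMMIT
EOF
}

# Structural sanity check that needs no root: every table opened with '*'
# must be closed by a COMMIT. The real parse is iptables-restore --test (as root).
ruleset_is_balanced() {
    awk '/^\*/ { open++ } /^COMMIT$/ { open-- } END { exit (open != 0) }'
}

# Stand-alone use prints the ruleset; pipe it into iptables-restore as root
# (after modprobe nf_conntrack_ftp), or into iptables-restore --test to parse only.
ftp_ruleset "${1:-10.0.0.0/16}" "${2:-50000}" "${3:-50100}" "${4:-5}" "${5:-100}" "${6:-10/minute}"
```

Apply with `ftp_ruleset 10.0.0.0/16 50000 50100 5 100 10/minute | iptables-restore` as root; `iptables-restore --test` parses the same input without touching the live tables. Two caveats: the helper reads PORT/PASV off the control connection in clear text, so it does nothing for FTPS/TLS sessions, where the passive range has to be opened unconditionally; and vsftpd's own `max_clients` and `max_per_ip` (standalone mode) enforce the same caps at the application level with a clean 421 reply instead of a dropped or reset SYN, so it is worth setting both.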