LinuxQuestions.org > Linux - Networking > Iptables and FTP (https://www.linuxquestions.org/questions/linux-networking-3/iptables-and-ftp-586086/)

aq_mishu 09-20-2007 10:53 AM

Iptables and FTP
 
Quote:

[root@localhost root]# iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
56 3716 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 80,443,21,22
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
1 67 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- eth0 * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- eth0 * 172.16.0.0/12 0.0.0.0/0
0 0 DROP all -- eth0 * 192.168.0.0/16 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 1 packets, 364 bytes)
pkts bytes target prot opt in out source destination
41 6481 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 231 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,22
0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
1 67 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
[root@localhost root]#

And my script is...

Quote:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
# Allow input that has been established and related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all output that is established and related
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow DNS query input from others (since it is a DNS server)
iptables -A INPUT -p UDP -i eth0 --dport 53 -m state --state NEW -j ACCEPT
# Allow the box to query other DNS servers (since it is also a DNS client)
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW -j ACCEPT
# Allow specific services to input. They are http, https, ftp, ssh
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 80,443,21,22 -m state --state NEW -j ACCEPT
# Allow to query on some ports from this host. They are http, https, smtp, ssh
iptables -A OUTPUT -p TCP -o eth0 -m multiport --dports 25,80,443,22 -m state --state NEW -j ACCEPT
# Allow to ping the box
iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow to respond to ping requests
iptables -A OUTPUT -p ICMP -o eth0 --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow loopback input
iptables -A INPUT -i lo -j ACCEPT
# Allow output to loopback
iptables -A OUTPUT -o lo -j ACCEPT
# Do some checks for obviously spoofed IPs
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
# Saving and activating the new rules
service iptables save
service iptables restart

Now when I do a wget to some FTP site, the result is....

[root@localhost root]# wget ftp://202.65.194.212/cn/nic/r8168-8.003.00.tar.bz2
--21:53:49-- ftp://202.65.194.212/cn/nic/r8168-8.003.00.tar.bz2
=> `r8168-8.003.00.tar.bz2'
Connecting to 202.65.194.212:21...

And then nothing.... What minor change do I need to make???

aq_mishu 09-20-2007 10:57 AM

Solved.... I just added the port and it became

iptables -A OUTPUT -p TCP -o eth0 -m multiport --dports 25,80,443,21,22 -m state --state NEW -j ACCEPT

and then solved.... thank you guys...!!!
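An added offline check, not code from the thread: it parses the OUTPUT chain from the `iptables -nvL` listing in the first post and evaluates the first packet of wget's control connection with first-match semantics, showing why the policy DROP applied before 21 was added to the multiport rule. Only the columns shown in the listing are modelled (protocol, out-interface, destination, state, dpt/dports); the chain text is copied from the post and the "fixed" variant applies the change from the second post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the OUTPUT chain exactly as it appears in the poster's
# `iptables -nvL` listing, before the fix from the second post.
OUTPUT_CHAIN = """\
Chain OUTPUT (policy DROP 1 packets, 364 bytes)
pkts bytes target prot opt in out source destination
41 6481 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 231 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
0 0 ACCEPT tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW multiport dports 25,80,443,22
0 0 ACCEPT icmp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW icmp type 8
1 67 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
"""
# The same chain after the poster added 21 to the multiport rule.
FIXED_OUTPUT_CHAIN = OUTPUT_CHAIN.replace("dports 25,80,443,22", "dports 25,80,443,21,22")

def parse_chain(text):
    """Parse one chain of `iptables -nvL` output into (policy, [rule dicts])."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # skip the chain and column headers
        f = line.split()
        extra = " ".join(f[9:])                 # match options: state, dpt:, dports
        state = re.search(r"state (\S+)", extra)
        dport = re.search(r"dp(?:t:|orts )(\S+)", extra)
        rules.append({
            "target": f[2], "proto": f[3], "out": f[6], "dst": ip_network(f[8]),
            "states": set(state.group(1).split(",")) if state else None,
            "dports": {int(p) for p in dport.group(1).split(",")} if dport else None,
        })
    return policy, rules

def verdict(chain_text, proto, out_if, dst, dport, state):
    """First-match evaluation of one packet against the chain; falls back to the policy."""
    policy, rules = parse_chain(chain_text)
    for r in rules:
        if (r["proto"] in ("all", proto) and r["out"] in ("*", out_if)
                and ip_address(dst) in r["dst"]
                and (r["states"] is None or state in r["states"])
                and (r["dports"] is None or dport in r["dports"])):
            return r["target"]
    return policy

def ftp_control_verdict(chain_text):
    """Verdict for the first (NEW) packet of wget's control connection to 202.65.194.212:21."""
    return verdict(chain_text, "tcp", "eth0", "202.65.194.212", 21, "NEW")
```

Note that the FTP data transfer is a second TCP connection, so even with port 21 allowed it only matches the RELATED rule when the kernel's FTP connection-tracking helper (ip_conntrack_ftp on kernels of that era, nf_conntrack_ftp today) is loaded.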