Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
07-15-2013, 02:33 PM | #1 | Member (Registered: Aug 2011; Location: USA; Distribution: ArchLinux - 3.0 kernel; Posts: 349)
making a simple iptables firewall for internal server, just looking for tips (and allowing ftp)
I've got a mail server behind a router with ports 25, 465, 587 & 993 open externally. I've decided to make a simple firewall that closes off everything, then opens up these ports plus 22 for SSH and ping from the local network.
/etc/iptables/iptables.rules
Code:
*filter
:INPUT DROP [0:0]
# loopback: nothing below matches it, and local delivery (e.g. the MTA handing
# mail to the IMAP server on 127.0.0.1) and a local resolver both need it
-A INPUT -i lo -j ACCEPT
# replies to outbound connections, and helper-tracked (RELATED) flows
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# ping from the local network
-A INPUT -p icmp -s 172.16.0.0/16 -j ACCEPT
# ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
# SMTP, SMTPS, submission, IMAPS (the ports the router forwards)
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 587 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
COMMIT
Anything else that might be pertinent to add? Not sure if FORWARD needs anything added there.
Last edited by psycroptic; 07-16-2013 at 02:32 PM.
07-15-2013, 03:09 PM | #2 | Member (Registered: Jan 2013; Distribution: RHEL; Posts: 54)
I'm not too familiar with iptables but you can group all the ports if you like, but I think it looks cleaner the way you have it.
07-15-2013, 06:37 PM | #3 | Member (Registered: Nov 2006; Location: Seattle, WA; Distribution: Fedora; Posts: 407)
If the mail server is the only service running on this machine, you probably have all you need, except possibly a rule to prevent forwarding
Code:
# chain policy line: it goes next to :INPUT DROP, above the -A rules
:FORWARD DROP [0:0]
Other common services that you might want to have universally accessible are DNS (UDP port 53), and maybe HTTPD (port 80 and maybe 443 [SSL]).
1 members found this post helpful.
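The advice in posts #1 to #3 pulled together into one complete rules file, as an added example: this is my script, not code from the thread or from the OP's server. It keeps the OP's ports and LAN (172.16.0.0/16, taken from the ICMP rule), adds the loopback and INVALID rules a DROP policy needs, groups the mail ports with multiport as post #2 mentions, and declares the FORWARD DROP policy from post #3. Two things are assumptions of mine, not stated in the thread: SSH is restricted to the LAN, and the file path is Arch's /etc/iptables/iptables.rules.

```sh
#!/bin/sh
# Added example, not code from the thread: build the complete iptables-restore
# file for the mail server discussed above, with the tips from posts #1-#3
# folded in. Assumptions not stated in the thread: the LAN is 172.16.0.0/16
# (taken from the OP's ICMP rule), SSH is only wanted from that LAN, and the
# file lives at Arch's /etc/iptables/iptables.rules.

LAN="${LAN:-172.16.0.0/16}"
MAIL_PORTS="25,465,587,993"   # SMTP, SMTPS, submission, IMAPS

# Print the whole rules file to stdout.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local delivery, LMTP, local resolvers and monitoring use it
-A INPUT -i lo -j ACCEPT
# replies to outbound connections, plus helper-tracked (RELATED) flows
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets that belong to no tracked connection (stray or bogus TCP segments)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping from the LAN only
-A INPUT -p icmp --icmp-type echo-request -s $LAN -j ACCEPT
# SSH from the LAN only (assumption; the OP's rule allowed it from anywhere)
-A INPUT -p tcp --dport 22 -s $LAN -m conntrack --ctstate NEW -j ACCEPT
# the mail ports the router forwards, grouped with multiport as post #2 suggests
-A INPUT -p tcp -m multiport --dports $MAIL_PORTS -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# List every TCP port a rules file opens (stdin), one per line, numerically
# sorted. Handles both --dport N and multiport --dports a,b,c.
opened_tcp_ports() {
    awk '/-j ACCEPT/ && /-p tcp/ {
        for (i = 1; i <= NF; i++)
            if ($i == "--dport" || $i == "--dports") {
                n = split($(i + 1), p, ",")
                for (j = 1; j <= n; j++) print p[j]
            }
    }' | sort -n
}

# Syntax-check a rules file without loading it. iptables-restore --test needs
# the iptables binary and root, so just say so when we have neither.
check_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$1"
    else
        echo "skipping iptables-restore --test (needs root and iptables)" >&2
        return 0
    fi
}

# Usage:  sh mailfw.sh > /etc/iptables/iptables.rules && sh mailfw.sh check
if [ "${1:-}" = "check" ]; then
    check_rules /etc/iptables/iptables.rules
elif [ "$#" -eq 0 ]; then
    gen_rules
fi
```

Run it without arguments to print the file, redirect that into the rules file, then run it with `check` to have iptables-restore parse the file without touching the live tables. The `opened_tcp_ports` function is the sanity check I would run after any hand edit: if a port shows up that the router does not forward, or one is missing, the file is wrong before it is ever loaded.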
07-15-2013, 08:51 PM | #4 | Member, Original Poster (Registered: Aug 2011; Location: USA; Distribution: ArchLinux - 3.0 kernel; Posts: 349)
Good stuff. I've been trying to work out getting active FTP through iptables as the next thing.
07-15-2013, 09:53 PM | #5 | Member (Registered: Nov 2006; Location: Seattle, WA; Distribution: Fedora; Posts: 407)
It looks like this is a common problem: you only need to add these rules:
Code:
# needs the FTP conntrack helper (nf_conntrack_ftp) loaded in the kernel
-A INPUT -p TCP --dport 21 -j ACCEPT
-A INPUT -p TCP -m helper --helper ftp -j ACCEPT
The phrase -m helper --helper ftp takes care of the fact that FTP uses two destination ports (21 & 20), and lets both through your firewall.
07-15-2013, 10:20 PM | #6 | Member, Original Poster (Registered: Aug 2011; Location: USA; Distribution: ArchLinux - 3.0 kernel; Posts: 349)
Quote:
Originally Posted by dkm999
It looks like this is a common problem: you only need to add these rules:
Code:
-A INPUT -p TCP --dport 21 -j ACCEPT
-A INPUT -p TCP -m helper --helper ftp -j ACCEPT
The phrase -m helper --helper ftp takes care of the fact that FTP uses two destination ports (21 & 20), and lets both through your firewall.
Yeah, I added those; I still can't access the FTP server. Even worse, ProFTPD (the server I'm using) logs a successful login/chdir from my own machine, even though I definitely CANNOT access FTP with iptables running....
07-15-2013, 10:27 PM | #7 | Member (Registered: Nov 2006; Location: Seattle, WA; Distribution: Fedora; Posts: 407)
If Proftpd logs the connection and chdir, then the problem is not with the first iptables rule, at least (port 21). Those operations all occur over port 21, the control port. The problem may be elsewhere. Are you getting any packets counted on the second rule ( -m helper --helper ftp)? You can see how many packets matched this rule using the command
.
07-15-2013, 10:31 PM | #8 | Member, Original Poster (Registered: Aug 2011; Location: USA; Distribution: ArchLinux - 3.0 kernel; Posts: 349)
Actually, I hadn't loaded the "ip_conntrack_ftp" kernel module, which (apparently) is both necessary and not always loaded. Doing that enabled access.
Thanks for the help.
1 members found this post helpful.
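The FTP part of the thread (posts #5 to #8) in one place, as an added example that is my own script and not code from any of the posters. Three points worth having explicit. First, the module: on the OP's 3.x kernel the helper is `nf_conntrack_ftp`; `ip_conntrack_ftp` was its name before the nf_conntrack rewrite and no longer exists, and since kernel 4.7 helpers are not attached automatically, so the control connection has to be handed to the helper with a CT rule in the raw table. Second, the symptom in post #6 (login and chdir logged on port 21, but no usable session) is consistent with the data connection being dropped: in passive mode that is an inbound connection to a random high port, which only matches RELATED once the helper has parsed the PASV reply, which is why loading the module in post #8 fixed it. Third, the counter check dkm999 asks about in post #7: the `-m helper` rule from post #5, appended after RELATED,ESTABLISHED, will always read zero, because the earlier rule accepts the data packets first. The counter output fed to `demo_zero_hits` is constructed for the example, not captured from the OP's machine; running it on a live box, as root, needs iptables installed.

```sh
#!/bin/sh
# Added example, not code from the thread: the FTP side of posts #5-#8 in one
# place. Assumes a Linux host with iptables, root, and nf_conntrack_ftp built
# as a module. The counter output used by demo_zero_hits is constructed for
# the example, not captured from the OP's server.

# 1. Kernel side. On a 3.x kernel the helper is nf_conntrack_ftp
#    (ip_conntrack_ftp was its pre-nf_conntrack name). Since kernel 4.7 helpers
#    are no longer attached automatically, so the control connection is handed
#    to the helper explicitly in the raw table (-C avoids adding it twice).
load_ftp_helper() {
    modprobe nf_conntrack_ftp || return 1
    iptables -t raw -C PREROUTING -p tcp --dport 21 -j CT --helper ftp 2>/dev/null ||
        iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

# 2. Filter rules to add to the OP's file. Only the control port needs an
#    explicit ACCEPT: once the helper has parsed the PASV/PORT exchange the data
#    connection is tracked as RELATED and the OP's RELATED,ESTABLISHED rule
#    accepts it. The -m helper rule is optional and is kept only to get a
#    separate counter; for that it must come BEFORE the RELATED,ESTABLISHED
#    rule, otherwise it never sees a packet.
ftp_rules() {
    cat <<'EOF'
-A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# 3. The check from post #7: which INPUT rules have matched nothing?
#    Feed it the output of `iptables -nvL INPUT`; it prints "<rule number>: <rule>"
#    for every rule whose packet counter is 0 (the two header lines are skipped).
zero_hit_rules() {
    awk 'NR > 2 && $1 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print NR - 2 ": " $0 }'
}

live_zero_hits() {
    iptables -nvL INPUT | zero_hit_rules
}

# Constructed sample of `iptables -nvL INPUT` for a ruleset like the OP's, with
# the two rules from post #5 appended after RELATED,ESTABLISHED.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1532   98K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    8   672 ACCEPT     icmp --  *      *       172.16.0.0/16        0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            helper match "ftp"'

demo_zero_hits() {
    printf '%s\n' "$SAMPLE_COUNTERS" | zero_hit_rules
}

# Reading the sample: rule 3 at zero means no client ever reached port 21
# through this firewall (router not forwarding it, or no client tried); rule 4
# at zero is expected in this ordering, because the RELATED,ESTABLISHED rule
# above it already accepted every helper-tracked data packet.
case "${1:-}" in
    load)  load_ftp_helper ;;
    rules) ftp_rules ;;
    check) live_zero_hits ;;
    demo)  demo_zero_hits ;;
esac
```

`sh ftp-helper.sh demo` runs the counter check over the constructed sample; `check` runs it against the live INPUT chain, and `load` does the modprobe plus the raw-table CT rule. A zero on the port 21 rule after a client has tried to connect points at the router or the client, not at the helper; a zero on the `-m helper` rule placed after RELATED,ESTABLISHED tells you nothing and is the reason the sample puts that rule first when a counter is actually wanted.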
All times are GMT -5.