Firewall HELP
Hey... I need some help setting up a firewall which will allow only specific IPs to access my FTP.
The FTP server is running on a Windows 2000 machine. I'm forwarding a port from the Linux box to the Windows 2000 machine for the FTP service. Here's the command for the FTP forwarding:

iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

I've tried using hosts.allow and hosts.deny for this but it didn't work... unless I did it wrong. Also the goal is to make it seem that the FTP doesn't exist when unauthorized users try to connect, i.e.:

Connecting to 24.xxx.xxx.xxx
Connection Failed

Please help. Thanks.
have you tried ftp'ing with your firewall open (allow everything) to see if your port forwarding is working? you may need to add additional rules to make that happen. can you ftp from the linux box to the w2k server?
FTP is working with no problems at all... the only thing is I need to allow only a few users to access the site.
Right now the FTP is allowing whoever has the password and username to access the site. I tried doing:

iptables -t nat -A PREROUTING -i eth0 -p TCP -s 24.101.208.98 --dport 654 -j ACCEPT
iptables -t nat -A PREROUTING -j DROP
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21

meaning that anyone coming in from the 24.101.208.98 IP will be accepted and anyone else's connection will drop, but that didn't work: it dropped all incoming connections to the FTP and didn't allow the user with the 24.101.208.98 IP to access.
port number? --dport 21 perhaps?
Why would it be 21?
The outside port which people use to connect to the FTP would be 654... whatever is coming in on 654 will be redirected to port 21... so what I need to do is stop unauthorized IPs from getting in on port 654.
But then again what you're saying does make sense:
whatever's coming in on 654 is destined for port 21 and those packets should be dropped.
Block it at the input rule.
The packets go PREROUTING then INPUT. So you would have the rules:

iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -t nat -A PREROUTING -i eth0 -p TCP --dport 654 -j DNAT --to-destination 192.168.0.2:21
iptables -A INPUT -i eth0 -p tcp -s 24.101.208.98 --sport 1024:65535 -d your_firewalls_ip_address --dport 654 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 192.168.0.0/24 -j ACCEPT

+ you need to do the rest of the firewall rules to get other services working.
/Raz
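One caveat worth checking before copying the rule set above: DNAT is applied in the nat PREROUTING chain, before the routing decision, so by the time the filter table sees the packet its destination is already 192.168.0.2:21. A packet addressed to another host goes through FORWARD, not INPUT, which is why an INPUT rule matching --dport 654 never sees the forwarded FTP traffic. The script below is an added example written for this thread, not something posted by anyone in it; it keeps the thread's addresses and ports and assumes eth0 is the Internet side and eth1 the LAN side (both are assumptions). Setting IPT=echo prints the rules instead of loading them, which is also how the example is checked.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a DNAT'd FTP port to one source address.
# Assumptions, not from the thread: eth0 is the Internet-facing interface, eth1 the LAN side.
ALLOWED_SRC="24.101.208.98"    # the one client allowed in (from the thread)
FTP_SERVER="192.168.0.2"       # internal Windows 2000 FTP host (from the thread)
WAN_PORT=654                   # external port (from the thread)

# Command prefix: set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"

apply_ftp_rules() {
    # Forwarded traffic is dropped unless a rule below accepts it.
    $IPT -P FORWARD DROP
    # Replies for connections already accepted (and RELATED data channels
    # when the FTP conntrack helper is loaded).
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNAT runs in PREROUTING, before the routing decision ...
    $IPT -t nat -A PREROUTING -i eth0 -p tcp --dport "$WAN_PORT" \
        -j DNAT --to-destination "$FTP_SERVER:21"
    # ... so when the filter table sees the packet its destination is already
    # 192.168.0.2:21 and, being addressed to another host, it traverses FORWARD, not INPUT.
    $IPT -A FORWARD -i eth0 -o eth1 -p tcp -s "$ALLOWED_SRC" -d "$FTP_SERVER" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Everyone else: DROP rather than REJECT, so the client simply times out and the
    # port looks as if nothing is listening (the "Connection Failed" the OP asked for).
    $IPT -A FORWARD -i eth0 -p tcp -d "$FTP_SERVER" --dport 21 -j DROP
}

# Usage: sh ftp-rules.sh apply            (loads the rules)
#        IPT=echo sh ftp-rules.sh apply   (prints them for review)
case "${1:-}" in
    apply) apply_ftp_rules ;;
esac
```

Rule order matters: the ACCEPT for the allowed client must come before the catch-all DROP, and the ESTABLISHED,RELATED rule lets the server's replies back out without listing them explicitly. The IGMP and LAN-side rules from the post above are independent of this and can be kept alongside.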