IPTABLES rules for active FTP
After much research and debugging, I finally have my firewall almost up and running. The one thing I am lacking at this point is proper functionality of the FTP service. When I ftp to the server, the connection (eventually) logs in, but it never receives a proper file list from the server. I am using active FTP because that is what I need to get "around" my router-in-a-box. I have found the following rules from LinuxGuruz that are supposed to allow active ftp:
Code:
iptables -A INPUT -i eth0 -p tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --dport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
From what I have read, the first rule allows for new connection and data traffic on port 21. The second allows for traffic outbound from port 21. The third and fourth allow for connection-related traffic on port 20. Policies for the INPUT and OUTPUT chains are DROP. When the policy is changed to ACCEPT, the connections work fine, but obviously that does me little good. :) Tips/thoughts are appreciated. |
you have to do
Code:
iptables -A INPUT -p tcp --dport ftp -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT
i think :) |
NEVER use these rules
just look at them:
Code:
iptables -A OUTPUT -o eth0 -p tcp --sport ftp -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport ftp-data -j ACCEPT
All connections from source port 20 or 21 are accepted, no matter where they go. Obviously, an attacker who has full control over the computer he uses to attack you could choose to start his attack from one of these ports; your system is totally open to these attacks.
Code:
modprobe ip_conntrack_ftp
iptables -A INPUT -m helper --helper ftp -j ACCEPT
is the correct way to deal with active ftp.
heby |
Code:
/sbin/modprobe ip_conntrack_ftp |
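As an added example, not from any poster in this thread: a small shell script that scans an iptables-save dump for the pattern heby warns about (an ACCEPT keyed only on source port 20/21 with no state match) and prints a conntrack-helper ruleset in its place. It assumes eth0 as in the thread, and the constructed sample dump mimics the rules posted above. The module is named nf_conntrack_ftp on current kernels (the thread's ip_conntrack_ftp is the 2.6-era name), and the raw-table CT rule is needed on kernels 4.7 and later, where helpers are no longer attached to connections automatically.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an iptables-save dump for ACCEPT
# rules keyed only on source port 20/21 (ftp-data/ftp) with no state match,
# which let any remote host in just by choosing that source port, and prints
# the conntrack-helper ruleset that handles active FTP without such rules.

# Constructed sample dump in iptables-save syntax, mimicking the thread's rules.
SAMPLE_RULES='-A INPUT -i eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 21 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT'

# Print every rule in $1 that accepts on --sport 20/21 without --state/--ctstate.
find_stateless_sport_accepts() {
    printf '%s\n' "$1" |
        awk '/--sport (20|21|ftp|ftp-data)( |$)/ && /-j ACCEPT/ && !/--(ct)?state/'
}

# Number of such rules; 0 means the dump passes this check.
count_stateless_sport_accepts() {
    find_stateless_sport_accepts "$1" | awk 'END { print NR }'
}

# Replacement ruleset (printed, not executed). Assumes eth0, as in the thread.
helper_based_ftp_rules() {
    cat <<'EOF'
# nf_conntrack_ftp on current kernels; ip_conntrack_ftp was the 2.6-era name
modprobe nf_conntrack_ftp
# Kernels 4.7 and later do not attach helpers automatically: bind it to port 21
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -i eth0 -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# The helper marks the server's outbound port-20 data connection RELATED, so
# these two rules carry it; nothing is keyed on a source port alone.
iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

echo "Stateless source-port ACCEPT rules in the sample dump:"
find_stateless_sport_accepts "$SAMPLE_RULES"
echo "Helper-based ruleset (review, then pipe through sh to apply):"
helper_based_ftp_rules
```

To audit a live box, call `find_stateless_sport_accepts "$(iptables-save)"` instead of the sample.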
Re: NEVER use these rules
That's the real Linux spirit!
jlinkels |
Quote (TruckStuff): Sheesh... he registers to respond to a post that is over two years old???
Why not! And somebody five years later finds an answer they're searching for! :) Cheers! |
mbshafer, thread resurrection isn't something we like to see happen here at LQ.
Please don't make a habit out of it. Closed. |