
thllgo 03-11-2009 07:11 PM

Use iptables to secure active ftp, what range of ports
What range of ports must a client secure in a FW for an active FTP client?

I'm new to working with Iptables and am trying to secure a system with it. I'm quite happy with what I've gotten to work so far but we have a piece of java code that does an active FTP. The active FTP seems to move around using different ports to connect to. Is there a known range? Right now I'm just guessing and each time I guess it just picks a port not in the range I guessed. OH bother. :scratch:

FYI I am only using Iptables to block incoming ports not outgoing.

I thought just opening port 21 wasn't going to be enough, and it isn't.
This is rather frustrating.

Side note, can I add an accept rule for all ports on a specific IP address in Iptables?

For all your help
Thank you.

watcher69b 03-11-2009 08:33 PM

Normal FTP uses TCP ports 20 and 21.
SFTP uses TCP port 22.

give that a try...

jeff_k 03-12-2009 12:42 AM

To allow a specific IP address, something like:

  /sbin/iptables -I INPUT -s <ip-address> -j ACCEPT

should work. Note that there are ways to spoof an IP address, so this is not necessarily a very secure thing to do.

thllgo 03-12-2009 06:41 PM

Thanks for the help on the IP address it works great.

chrism01 03-20-2009 03:32 AM

How about

  iptables -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

In /etc/sysconfig/iptables-config:

  IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

  ldd /usr/sbin/vsftpd | grep libwrap => /usr/lib64/ (0x00002aaaaaf0f000)

which means you can use tcp_wrappers, ie

In /etc/hosts.allow:


thllgo 03-20-2009 03:52 PM

Way too cool, and it works as well. :D
Does the order of the lines matter? Can I put the line

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

first? I tried putting this line as one of the first lines and hoped it would work for all established and related connections. I'm asking because I have other protocols that do the same and was wondering if I have to put that line in for each one or just one at the beginning.

Thank you.

jeff_k 03-21-2009 07:15 PM

You can put that line first, it should not matter.
iptables looks at the first line first, and if it is a match for the present packet/connection, then the jump at the end of the line is performed (for example, ACCEPT or DROP). If the first line does not match, the next line is tried, and so on. As soon as you have a match, no more lines in the present chain are executed, the jump is performed. Also, since a specific protocol is not identified, it should apply to all protocols that can become RELATED, ESTABLISHED.
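
The mechanism chrism01's rules and jeff_k's ordering explanation rely on, as an added Python model that is not part of the thread: a stand-in connection tracker that (like ip_conntrack_ftp) reads the client's outgoing PORT command so the server's inbound data connection from port 20 is classified RELATED, plus a first-match chain evaluator. The addresses, the ephemeral port and the DROP default policy are constructed assumptions.

```python
# Added example, not from the thread: models how the ip_conntrack_ftp helper
# turns an active-FTP data connection into a RELATED connection so that the
# single "ESTABLISHED,RELATED -j ACCEPT" rule on the client's INPUT chain admits
# it. Addresses/ports are constructed sample values; the chain's default policy
# is assumed to be DROP.

def parse_port_command(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' command into (ip, port), or None."""
    if not line.startswith("PORT "):
        return None
    parts = line[5:].strip().split(",")
    if len(parts) != 6:
        return None
    nums = [int(p) for p in parts]
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

class Conntrack:
    """Minimal stand-in for the kernel's connection tracker."""
    def __init__(self, ftp_helper):
        self.ftp_helper = ftp_helper   # True once ip_conntrack_ftp is loaded
        self.expected = set()          # (ip, port) pairs announced on the control channel

    def inspect_outgoing(self, payload):
        # Only the helper reads the control channel; without it, nothing is expected.
        parsed = parse_port_command(payload) if self.ftp_helper else None
        if parsed:
            self.expected.add(parsed)

    def state_of(self, dst_ip, dst_port):
        # An inbound SYN to an announced address/port is RELATED; anything else is NEW.
        return "RELATED" if (dst_ip, dst_port) in self.expected else "NEW"

def evaluate_chain(rules, packet, policy="DROP"):
    """First-match semantics: the first matching rule's target wins, else the policy."""
    for match, target in rules:
        if match(packet):
            return target
    return policy

def active_ftp_data_verdict(ftp_helper, state_rule_first=True):
    """Verdict on the server's data connection (from port 20) arriving at the client."""
    ct = Conntrack(ftp_helper)
    ct.inspect_outgoing("PORT 192,0,2,10,192,169")   # client announces 192.0.2.10:49321
    pkt = {"proto": "tcp", "dport": 49321, "state": ct.state_of("192.0.2.10", 49321)}
    state_rule = (lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT")
    ftp_ctl_rule = (lambda p: p["proto"] == "tcp" and p["dport"] == 21, "ACCEPT")
    rules = [state_rule, ftp_ctl_rule] if state_rule_first else [ftp_ctl_rule, state_rule]
    return evaluate_chain(rules, pkt)
```

Without the helper the data connection is NEW to an unpredictable port and falls through to the policy, which is why guessing a port range did not work; with it, the state rule admits the connection regardless of where it sits in the chain.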

thllgo 03-23-2009 06:21 PM

The part I was missing was the ip_conntrack_ftp in the config file. As soon as I added that, everything worked as I expected.

Yea :D
