Use iptables to secure active ftp, what range of ports
What range of ports must a client secure in a FW for active ftp client?
I'm new to working with iptables and am trying to secure a system with it. I'm quite happy with what I've gotten to work so far, but we have a piece of Java code that does an active FTP. The active FTP seems to move around, using different ports to connect to. Is there a known range? Right now I'm just guessing, and each time I guess it just picks a port not in the range I guessed. Oh bother. :scratch: FYI, I am only using iptables to block incoming ports, not outgoing. I thought just opening port 21 wasn't going to be enough, and it isn't. This is rather frustrating. Side note: can I add an accept rule for all ports on a specific IP address in iptables? Thank you for all your help.
Normal FTP uses TCP ports 20 and 21.
sftp uses TCP port 22; give that a try...
To allow a specific IP address, something like:
/sbin/iptables -I INPUT -s 11.22.33.44 -j ACCEPT
should work. Note that there are ways to spoof an IP address, so this is not necessarily a very secure thing to do.
Thanks for the help on the IP address; it works great.
How about:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

In /etc/sysconfig/iptables-config:

ldd /usr/sbin/vsftpd | grep libwrap

In /etc/hosts.allow:
Way too cool, and it works as well. :D
Does the order of the lines matter? Can I put the line iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT first? I tried putting this line as one of the first lines and hoped it would work for all established and related connections. I'm asking because I have other protocols that do the same and was wondering if I have to put that line in for each one or just one at the beginning. Thank you.
You can put that line first; it should not matter.
iptables looks at the first line first, and if it is a match for the present packet/connection, then the jump at the end of the line is performed (for example, ACCEPT or DROP). If the first line does not match, the next line is tried, and so on. As soon as you have a match, no more lines in the present chain are executed; the jump is performed. Also, since a specific protocol is not identified, it should apply to all protocols that can become RELATED or ESTABLISHED.
The part I was missing was the ip_conntrack_ftp in the config file. As soon as I added that, everything worked as I expected.
Yea :D Thanks
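To illustrate the first-match walk described in the earlier reply and why loading ip_conntrack_ftp was the missing piece, here is an added Python model of the client-side INPUT chain. It is not code from this thread or from iptables itself; the Packet and Rule classes, the announced data port 43127, the ssh rule and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    sport: int   # port on the remote FTP server
    dport: int   # port on our host, the FTP client running iptables


@dataclass(frozen=True)
class Rule:
    target: str                       # -j ACCEPT or -j DROP
    dport: Optional[int] = None       # -p tcp --dport N (None = any port)
    states: frozenset = frozenset()   # -m state --state A,B (empty = any state)

    def matches(self, pkt: Packet, state: str) -> bool:
        return ((self.dport is None or self.dport == pkt.dport)
                and (not self.states or state in self.states))


def walk_chain(chain: list, pkt: Packet, state: str, policy: str = "DROP") -> str:
    """Rules are tried top to bottom; the first match jumps to its target,
    and a packet matching nothing falls through to the chain policy."""
    for rule in chain:
        if rule.matches(pkt, state):
            return rule.target
    return policy


def conntrack_state(pkt: Packet, announced_port: int, ftp_helper: bool) -> str:
    """Label an inbound packet the way connection tracking would for an active-FTP client.
    We opened the control connection, so traffic from server port 21 is ESTABLISHED.
    The server opens the data connection from port 20 to the port we sent in PORT;
    only the ip_conntrack_ftp helper, which parses PORT, can mark that SYN RELATED.
    Without the helper it is an unsolicited NEW connection and the policy drops it."""
    if pkt.sport == 21:
        return "ESTABLISHED"
    if ftp_helper and pkt.sport == 20 and pkt.dport == announced_port:
        return "RELATED"
    return "NEW"


STATEFUL = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))
SSH = Rule("ACCEPT", dport=22)  # an unrelated inbound service, to show ordering is irrelevant here


def active_ftp_verdicts(chain: list, ftp_helper: bool, announced_port: int = 43127) -> dict:
    """Verdicts for the two inbound flows of one active-FTP session (constructed sample ports)."""
    flows = {"control reply": Packet(21, 50001), "data connection": Packet(20, announced_port)}
    return {name: walk_chain(chain, pkt, conntrack_state(pkt, announced_port, ftp_helper))
            for name, pkt in flows.items()}
```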