ipchains Syntax for FTP Ports

ifm · 06-10-2002, 06:24 PM

Could someone be so helpful as type out the proper IPCHAINS command line for doing the two required additions to the firewall chains mentioned in the following pulled from the PureFTPD FAQ:

"First, you have to open port 21 TO the FTP server. You also have to allow
connections FROM (not to) port 20 (of the FTP server) to everywhere."

"Then, open some ports TO the FTP server. These ports should be > 1023."

The ports I will be allowing will be 20000 to 30000 for pasv mode. I'm fairly new to ipchains, so I am not clear by the aboves statements in regards to "TO" and "FROM" ... as there are no references to that terminology in the MAN pages for ipchains.

Thanks for any help.

sewer_monkey · 06-11-2002, 08:14 PM

OK, this is off the top of my head, so you'll probably have to do some researching/debugging... oh well, here goes:

Code:

ipchains -A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
ipchains -A input -s 0/0 -d 0/0 20000:30000 -p tcp -y -j ACCEPT
ipchains -A output -s 0/0 20 -d 0/0 -p tcp -j ACCEPT

Basically, from what I can remember, ipchains creates two (for our purposes) chains, input and output. Every packet has to pass through the chain of rules, incoming packets through the input chain, and outgoing packets through the output chain.

So, line number 1 above, says add (-A) a new rule to the input chain (input), where source packets from anywhere (-s 0/0) aimed at any of our IP address(es) with port 21 (-d 0/0 21) using the TCP protocol (-p tcp) should be accepted (ACCEPT).

Line number 2 says, add (-A) a new rule to the input chain (input), where source packets from anywhere (-s 0/0) aimed at any of our IP address(es) with ports ranging from 20000 to 30000 (-d 0/0 20000:30000) using the TCP protocol (-p tcp) should be accepted (ACCEPT).

Line number 3 says, add (-A) a new rule to the output chain of rules (output) where any packet from any IP address originating from port 20 (-s 0/0 20) aimed at any of our IP address(es) with any port(s) (-d 0/0) using the TCP protocol (-p tcp) should be accepted (ACCEPT).

The -y packet makes sure that input packets are actually targeted and affected by this rule (if I included it in line 3, then it wouldn't work), and the -j flag makes the rule actually filter packets, instead of serving as a "counter" for this type of a packet...

Again, as I said above, I am quite rusty with ipchains, and this should be a starting point for you. I suggest you check out the IPChains HOWTO once again. And my advice to you, with the way things are going, you might as well switch to iptables, as it's the newer firewall tool that comes with the 2.4 linux kernels.

If you are not very comfortable using ipchains/iptables directly, then gShield should be a nice starting point for you. It's a front-end for iptables that works quite nice.