FTP port in the server

Linux For Ever · 11-10-2007, 01:55 PM

Hi all.

I've old pc with slackware 12, and i want to make some security testing (iptables). i can use ssh and samba, but i can't use ftp and nfs.

i don't use tcp_wrappers.

here is my iptables rules:

#!/bin/bash
# Date: 3.Nov.2007

IPTABLES=/usr/sbin/iptables
LOCALNETWORK=192.168.1.0/24

$IPTABLES -F

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $LOCALNETWORK -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LOCALNETWORK -m multiport --dport 21,22,139,445,2049 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOCALNETWORK -m multiport --dport 21,22,137,138,2049 -j ACCEPT

if i flushed all rules and make the default policy is ACCEPT, i can use nfs and ftp.

can u help me?

rworkman · 11-10-2007, 03:49 PM

For ftp usage: modprobe ip_conntrack_ftp

For NFS usage: http://rlworkman.net/howtos/NFS_Firewall_HOWTO

Linux For Ever · 11-11-2007, 04:26 AM

Thank you rworkman.

ftp works fine, but clients (without any firewall rules) can't connect to mount NFS file exported in this machine.

look at my firewall rules after opening another ports.

#!/bin/bash
# Date: 3.Nov.2007

## load ip_conntrack_ftp module
/sbin/modprobe ip_conntrack_ftp

IPTABLES=/usr/sbin/iptables
LOCALNETWORK=192.168.1.0/24

$IPTABLES -F

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $LOCALNETWORK -j ACCEPT
## OpenSSH
$IPTABLES -A INPUT -p tcp -s $LOCALNETWORK --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOCALNETWORK --dport 22 -j ACCEPT
## FTP
$IPTABLES -A INPUT -p tcp -s $LOCALNETWORK --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOCALNETWORK --dport 21 -j ACCEPT
## SAMBA
$IPTABLES -A INPUT -p tcp -s $LOCALNETWORK -m multiport --dport 139,445 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOCALNETWORK -m multiport --dport 137,138 -j ACCEPT
## NFS
$IPTABLES -A INPUT -p tcp -s $LOCALNETWORK -m multiport --dport 861,863,865,1110,2049,4045 -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOCALNETWORK -m multiport --dport 861,863,865,1110,2049,4045 -j ACCEPT

there is another question.
How can i know what's port i need to open it to make service work? e.g samba need 139,445 on tcp and 137,138 on udp.

/etc/service show me a lot of port for NFS,SAMBA and so on.

Thank you.

Linux For Ever · 11-11-2007, 11:27 PM

any suggestion?
I'm waiting.....

rworkman · 11-11-2007, 11:42 PM

For NFS, you need to start the relevant services on both ends of the connection, and you'll need to refer to that other document I mentioned above; without more specific information on what you need, I don't know what other suggestions you might want.
Read the docs, try to implement what you need, and if you run into specific issues, then ask.