[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: working ftp-rules with iptables

On Tue, May 08, 2007 at 01:14:18PM +0200, Lutz Feldgen wrote:
> On Tue, May 08, 2007 at 07:47:48AM +0200, Lutz Feldgen wrote:
> >  
> >>I try to get the following working with iptables:
> >>
> >>incoming ftp (passive or active)
> >>outgoing ftp (to single special ftp-server)
> >>apt-get
> >>
> >>Can anybody help me with this, its driving me mad...
> >>    
> >
> >First of all, what do you really want ? Running a ftp server on your own
> >computer or being able to access external ftp server, or perhaps both.
> >
> >Have a look at those two pictures in order to see the differences between
> >active and passive mode (french link but it does not matter) :
> >
> >http://smhteam.info/wiki/index.linux.php5?wiki=DiagrammesFtp
> >
> >What rules have you tried to run by now ?
> >  
> thanks for the quick answer and sorry for the incomplete description. 
> Right now I cannot fetch the used ruleset from the server but my 
> intention is to keep it as secure for my server as possible.
> I want to run an ftp-server to give the possibility to upload something 
> but also need access to an external ftp-server for backups. At least 
> apt-get should find a way to fetch packets through the firewall. The 
> decision whether to run active or passive on my own ftp-server depends 
> on the security level of the underlying ruleset.

About your ftp-server, I would choose passive mode as you do not
initiate data connexion, the client do it on an unprivileged port.

Anyway here is some piece of code (just an example):

I assume your default policy is DROP for INPUT and OUTPUT chains.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Deal with your own ftp server
You have to allow NEW incoming connexions from the client on port 21:
iptables -A INPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT

# Deal with external ftp servers
About apt you have to allow outgoing connexions to the external servers
on port 21
iptables -A OUTPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT

And do not forget to make sure ip_conntrack_ftp module is loaded.

It should work ! I did not give it a try.

Once it works, you can start thinking about security.

Franck Joncourt
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE

Attachment: signature.asc
Description: Digital signature

Reply to: