Re: working ftp-rules with iptables

To: debian-firewall@lists.debian.org
Subject: Re: working ftp-rules with iptables
From: robert buchinger <robert_buchinger@gmx.at>
Date: Tue, 8 May 2007 14:27:40 +0200
Message-id: <200705081427.40155.robert_buchinger@gmx.at>
In-reply-to: <20070508121133.GB22200@toystory.lan>
References: <1178603268.7833.2.camel@emma.gruenewiese.de> <46405B8A.6090804@gmx.de> <20070508121133.GB22200@toystory.lan>

Am Dienstag, 8. Mai 2007 schrieb Franck Joncourt:
> On Tue, May 08, 2007 at 01:14:18PM +0200, Lutz Feldgen wrote:
> > On Tue, May 08, 2007 at 07:47:48AM +0200, Lutz Feldgen wrote:
> > >>I try to get the following working with iptables:
> > >>
> > >>incoming ftp (passive or active)
> > >>outgoing ftp (to single special ftp-server)
> > >>apt-get
> > >>
> > >>Can anybody help me with this, its driving me mad...
> > >
> > >First of all, what do you really want ? Running a ftp server on your own
> > >computer or being able to access external ftp server, or perhaps both.
> > >
> > >Have a look at those two pictures in order to see the differences
> > > between active and passive mode (french link but it does not matter) :
> > >
> > >http://smhteam.info/wiki/index.linux.php5?wiki=DiagrammesFtp
> > >
> > >What rules have you tried to run by now ?
> >
> > thanks for the quick answer and sorry for the incomplete description.
> > Right now I cannot fetch the used ruleset from the server but my
> > intention is to keep it as secure for my server as possible.
> > I want to run an ftp-server to give the possibility to upload something
> > but also need access to an external ftp-server for backups. At least
> > apt-get should find a way to fetch packets through the firewall. The
> > decision whether to run active or passive on my own ftp-server depends
> > on the security level of the underlying ruleset.
>
> About your ftp-server, I would choose passive mode as you do not
> initiate data connexion, the client do it on an unprivileged port.
>
> Anyway here is some piece of code (just an example):
>
> I assume your default policy is DROP for INPUT and OUTPUT chains.
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Deal with your own ftp server
> You have to allow NEW incoming connexions from the client on port 21:
> iptables -A INPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
>
> # Deal with external ftp servers
> About apt you have to allow outgoing connexions to the external servers
> on port 21
> iptables -A OUTPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
>
> And do not forget to make sure ip_conntrack_ftp module is loaded.
>
> It should work ! I did not give it a try.
>
> Once it works, you can start thinking about security.

maybe you should add --dest <serveraddress> to the output rules to access only 
the wanted ftp server(s)

for apt-get you can use ftp or http so it should work as easy as the rest

Reply to:

References:
- working ftp-rules with iptables
  - From: Lutz Feldgen <lutz.feldgen@gmx.de>
- Re: working ftp-rules with iptables
  - From: Lutz Feldgen <lutz.feldgen@gmx.de>
- Re: working ftp-rules with iptables
  - From: Franck Joncourt <franck.joncourt@wanadoo.fr>

Prev by Date: Re: working ftp-rules with iptables
Next by Date: Re: BAndwidth
Previous by thread: Re: working ftp-rules with iptables
Next by thread: Re: working ftp-rules with iptables
Index(es):
- Date
- Thread