Re: working ftp-rules with iptables
Am Dienstag, 8. Mai 2007 schrieb Franck Joncourt:
> On Tue, May 08, 2007 at 01:14:18PM +0200, Lutz Feldgen wrote:
> > On Tue, May 08, 2007 at 07:47:48AM +0200, Lutz Feldgen wrote:
> > >>I try to get the following working with iptables:
> > >>
> > >>incoming ftp (passive or active)
> > >>outgoing ftp (to single special ftp-server)
> > >>apt-get
> > >>
> > >>Can anybody help me with this, its driving me mad...
> > >
> > >First of all, what do you really want ? Running a ftp server on your own
> > >computer or being able to access external ftp server, or perhaps both.
> > >
> > >Have a look at those two pictures in order to see the differences
> > > between active and passive mode (french link but it does not matter) :
> > >
> > >http://smhteam.info/wiki/index.linux.php5?wiki=DiagrammesFtp
> > >
> > >What rules have you tried to run by now ?
> > thanks for the quick answer and sorry for the incomplete description.
> > Right now I cannot fetch the used ruleset from the server but my
> > intention is to keep it as secure for my server as possible.
> > I want to run an ftp-server to give the possibility to upload something
> > but also need access to an external ftp-server for backups. At least
> > apt-get should find a way to fetch packets through the firewall. The
> > decision whether to run active or passive on my own ftp-server depends
> > on the security level of the underlying ruleset.
> About your ftp-server, I would choose passive mode as you do not
> initiate data connexion, the client do it on an unprivileged port.
> Anyway here is some piece of code (just an example):
> I assume your default policy is DROP for INPUT and OUTPUT chains.
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Deal with your own ftp server
> You have to allow NEW incoming connexions from the client on port 21:
> iptables -A INPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
> # Deal with external ftp servers
> About apt you have to allow outgoing connexions to the external servers
> on port 21
> iptables -A OUTPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
> And do not forget to make sure ip_conntrack_ftp module is loaded.
> It should work ! I did not give it a try.
> Once it works, you can start thinking about security.
maybe you should add --dest <serveraddress> to the output rules to access only
the wanted ftp server(s)
for apt-get you can use ftp or http so it should work as easy as the rest