
Re: working ftp-rules with iptables

On Tue, May 08, 2007 at 02:11:33PM +0200, Franck Joncourt wrote:
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

As a host-based filter I would not use RELATED (and maybe not ESTABLISHED)
at all. You should limit the FTP server's data-port bind range and allow that
for the ftp user.

Limit ftp-bounce connections (no outgoing ftp data to a privileged port)
and then you are fine.

  (OO)     -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
 ( .. )    ecki@{inka.de,linux.de,debian.org}  http://www.eckes.org/
  o--o   1024D/E383CD7E  eckes@IRCNet  v:+497211603874  f:+49721151516129
(O____O)  When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
