Re: iptables and ftp
On 2008-06-30 Sathyainkara Balendra wrote:
> I have following settings, but i dont get a ftp connection.
>
> #FTP-TABLE incomplete
>
> ##################################################################
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
>
> ##################################################################
>
> #if following line is set it works, but i want a secure connection
> #only too that server
> #-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
>
> #Allow Ftp
> -N USER_FTP
> -A INPUT -p tcp -m tcp --dport 1:65000 --syn -j USER_FTP
> -A USER_FTP -s 212.74.114.60/21 -j ACCEPT
> -A USER_FTP -s 212.74.114.60/20 -j ACCEPT
If I'm interpreting your ruleset correctly, you want to allow outbound
FTP to just one particular FTP server. You got your notation wrong
there, BTW. The part after the slash in the argument of the -s option is
a netmask, not a port. You specify ports with the --sport option.
----8<----
# NOTE: This rule snippet doesn't take care of anything else than FTP!
# You'll need rules for DNS and whatever else you want to allow in
# addition to this.
modprobe ip_conntrack_ftp
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 212.74.114.60 --dport 21 \
-m state --state NEW -j ACCEPT
---->8----
If you want to do yourself a favor: learn how FTP works before trying to
handle FTP connections.
http://slacksite.com/other/ftp.html
Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
Reply to:
- References:
- iptables and ftp
- From: Sathyainkara Balendra <sathyainkara.balendra@yahoo.co.uk>