Re: iptables and ftp

To: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>
Cc: debian-firewall@lists.debian.org
Subject: Re: iptables and ftp
From: Mark Chong <mark@stabat.com>
Date: Tue, 01 Jul 2008 10:03:03 +1000
Message-id: <[🔎] 48697437.1060804@stabat.com>
In-reply-to: <20080630140842.GA23587@mail.planetcobalt.net>
References: <972812.96441.qm@web28203.mail.ukl.yahoo.com> <20080630140842.GA23587@mail.planetcobalt.net>

Be very skeptically of something you are unsure off, if something existsassume its insecure unless you know otherwise. When you say you want a'secure' connection allowing only one IP to connect to you or for you toconnect to (not sure which you want) then your connection is stillvulnerable to ease dropping. If you want something secure then you needto look at other protocols such as ssh/sftp or ftp over ssl.

Also whilst ansgars config will do what he thinks you are trying toachive if you were to use them verbatim your machine wouldn't even beable to make dns requests.

If you want to allow only outgoing ftp connections to a specific IP iwould suggest


iptables -A OUTPUT -p tcp --dport 21 -d ! 212.74.114.60 -j DROP


Ansgar -59cobalt- Wiechers wrote:

On 2008-06-30 Sathyainkara Balendra wrote:

I have following settings, but i dont get a ftp connection.

#FTP-TABLE incomplete

##################################################################
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

##################################################################

#if following line is set it works, but i want a secure connection
#only too that server
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


#Allow Ftp
-N USER_FTP
-A INPUT -p tcp -m tcp --dport 1:65000 --syn -j USER_FTP
-A USER_FTP -s 212.74.114.60/21 -j ACCEPT
-A USER_FTP -s 212.74.114.60/20 -j ACCEPT


If I'm interpreting your ruleset correctly, you want to allow outbound
FTP to just one particular FTP server. You got your notation wrong
there, BTW. The part after the slash in the argument of the -s option is
a netmask, not a port. You specify ports with the --sport option.

----8<----
# NOTE: This rule snippet doesn't take care of anything else than FTP!
#       You'll need rules for DNS and whatever else you want to allow in
#       addition to this.

modprobe ip_conntrack_ftp

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 212.74.114.60 --dport 21 \
  -m state --state NEW -j ACCEPT
---->8----

If you want to do yourself a favor: learn how FTP works before trying to
handle FTP connections.

http://slacksite.com/other/ftp.html

Regards
Ansgar Wiechers

Reply to:

Follow-Ups:
- Re: iptables and ftp
  - From: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>

Next by Date: Re: iptables and ftp
Next by thread: Re: iptables and ftp
Index(es):
- Date
- Thread