03-29-2002
Quote:
Originally posted by sTorm
For those who want to know, here is the iptables rule to block ftp connection requests from one side, and allow the request from the other:
# ftp control connection
iptables -A FORWARD -i eth1 -o eth0 -p TCP --sport 1024:65535 --dport ftp -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP ! --syn --sport ftp --dport 1024:65535 -j ACCEPT
! --syn
Means, there's no connection request. Therefore, the packet can continue it's way through the firewall.
Just in case somebody wants to know.
What should be done if I want to use passive mode? I think that these two lines above will not be sufficient
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
I have allready opened a thread about this, but my question was really weird formed, so I'm writting it here again:
I have a Network with 4 FTP Servers, then a firewall, and then a Network with clients. The clients should have access to the FTP Servers, but it should not be possible to connect... (2 Replies)
Discussion started by: sTorm
2 Replies
2. Shell Programming and Scripting
I need help on the code below. I am getting a compile error
syntax error at line 283 : `<<' unmatched
Looks like it doesn't like the << on the ftp line below. If I ran the code outside of this block everything work fine, but when I put in a block of code or in a function, I got syntax error. I... (1 Reply)
Discussion started by: leemjesse
1 Replies
3. Solaris
Hi Friends,
I would like to block the root user for doing ftp. As I am aware that I need to put the entry for root in /etc/ftpusers.....am I right...??? But I am not able to edit the file & even more command is not working.
#ls -l ftp*
total 14
-rw-r--r-- 1 root sys 1249 Jun... (3 Replies)
Discussion started by: jumadhiya
3 Replies
4. UNIX for Dummies Questions & Answers
Could anyone provide information on how to block a specific client machine from being able to log onto anonymous ftp? (10 Replies)
Discussion started by: dennisheazle
10 Replies
5. Shell Programming and Scripting
Hi everybody. I have the next scenary:
eth0: WAN
eth1: DMZ
eth2: LAN
I need to block all incoming trafic from the internet through my network LAN using iptables. I have squid but i need to do this using ipatbles.
I have been listening about iptables -A FORDAWARD but I am stuck right... (0 Replies)
Discussion started by: edeamat
0 Replies
6. AIX
Hello everyone
I create a file /etc/ftpusers to block users. I put the names of the users and I refresh the service inetd.
My question is the user still log in by ftp.???? What I miss
Thanks for your opinions.
Greetings (2 Replies)
Discussion started by: lo-lp-kl
2 Replies
7. UNIX for Dummies Questions & Answers
I have set up a firewall on my centOS 5.6 box. I copied it from info I found online related to web servers. Everything seems to work fine but my ftp from my LAN. I am not able to ftp into the directories at all. I have the box set up as a test web server. Here is my iptable:
I have opened ports... (7 Replies)
Discussion started by: ktb231
7 Replies
8. Red Hat
Hi,
Following is the output of iptables -S command
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.168.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.5/32 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 20 -j... (3 Replies)
Discussion started by: shahdharmit
3 Replies
9. IP Networking
I am using vsftp but I can't login with passive mode. I can only login with active mode. I can login with both mode when service of iptables is stop.
In active mode : 20,21 must be open from server site. 1023 and over must be open at client site.
In passive mode : only 21,1023 and over must be... (1 Reply)
Discussion started by: getrue
1 Replies
10. IP Networking
I have a pretty stock iptables script. One rule allows active ftp from an outside IP address. To troubleshoot it, I opened up ftp to all connections from the outside.
When a user outside our domain connects via FTP, they are denied. If I flush the rules, the ftp takes place successfully. This... (2 Replies)
Discussion started by: bricoleur
2 Replies
Firewall mark classifier in tc(8) Linux Firewall mark classifier in tc(8)
NAME
fw - fwmark traffic control filter
SYNOPSIS
tc filter ... fw [ classid CLASSID ] [ action ACTION_SPEC ]
DESCRIPTION
the fw filter allows to classify packets based on a previously set fwmark by iptables. If it is identical to the filter's handle, the fil-
ter matches. iptables allows to mark single packets with the MARK target, or whole connections using CONNMARK. The benefit of using this
filter instead of doing the heavy-lifting with tc itself is that on one hand it might be convenient to keep packet filtering and classifi-
cation in one place, possibly having to match a packet just once, and on the other users familiar with iptables but not tc will have a less
hard time adding QoS to their setups.
OPTIONS
classid CLASSID
Push matching packets to the class identified by CLASSID.
action ACTION_SPEC
Apply an action from the generic actions framework on matching packets.
EXAMPLES
Take e.g. the following tc filter statement:
tc filter add ... handle 6 fw classid 1:1
will match if the packet's fwmark value is 6. This is a sample iptables statement marking packets coming in on eth0:
iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6
SEE ALSO
tc(8), iptables(8), iptables-extensions(8)
iproute2 21 Oct 2015 Firewall mark classifier in tc(8)