Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables-ftp
Top Forums UNIX for Dummies Questions & Answers iptables-ftp Post 302554717 by ktb231 on Monday 12th of September 2011 08:49:43 PM
Old 09-12-2011
Thanks DG.

The client is on the outside. Yes I did try passive. I redid my firewall a little. I need to do some reading on the higher port rule you mentioned. I keep considering port 22 ftp because I do web design for a living and my hosting company uses what they call sftp on port 22, it's not technically ftp. Question on the first part of my firewall which if understand right is deny all then open what I need. If I put DROP in the OUTPUT under the filter, I have the local ftp problem, with ACCEPT it works. Everything else works either way. I am assuming that's where I need some understanding on exactly where things are moving around and set up the higher port rule. How unsecure is it if I leave the ACCEPT there? I have a home network with a bunch of vm clients and servers set up for me to experiment with but like have the web server and ftp to the outside world so I can grab files when I need them and test things with out having to log into my hosing company's servers.

Code:
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_DROP - [0:0]
#:LOG_ACCEPT - [0:0]
:icmp_packets - [0:0]

# Allow traffic already established to continue

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow web services

-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport domain -j ACCEPT
-A INPUT -p tcp --dport ftp -j ACCEPT
-A INPUT -p udp --dport ftp -j ACCEPT
-A INPUT -p tcp --dport ftp-data -j ACCEPT
-A INPUT -p udp --dport ftp-data -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 465 -j ACCEPT
-A INPUT -p tcp --dport 110 -j ACCEPT
-A INPUT -p tcp --dport 137:139 -j ACCEPT
-A INPUT -p udp --dport 137:139 -j ACCEPT
-A INPUT -p tcp --dport 143 -j ACCEPT
-A INPUT -p tcp --dport 585 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p tcp --dport 995 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 8181 -j ACCEPT



# Allow local loopback services

-A INPUT -i lo -j ACCEPT

# Allow OUTPUT

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport ssh -j ACCEPT
-A OUTPUT -p tcp --dport domain -j ACCEPT
-A OUTPUT -p tcp --dport ftp -j ACCEPT
-A OUTPUT -p udp --dport ftp -j ACCEPT
-A OUTPUT -p tcp --dport ftp-data -j ACCEPT
-A OUTPUT -p udp --dport ftp-data -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp --dport 465 -j ACCEPT
-A OUTPUT -p tcp --dport 110 -j ACCEPT
-A OUTPUT -p tcp --dport 137:139 -j ACCEPT
-A OUTPUT -p udp --dport 137:139 -j ACCEPT
-A OUTPUT -p tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp --dport 585 -j ACCEPT
-A OUTPUT -p tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp --dport 995 -j ACCEPT
-A OUTPUT -p tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp --dport 8181 -j ACCEPT

# Allow everything from home
-A INPUT -p all -s 192.168.0.1/24 -j ACCEPT


# Allow pings

-I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-I INPUT -p icmp --icmp-type source-quench -j ACCEPT
-I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 192.168.0.170 -p icmp -m icmp --icmp-type 8 -j ACCEPT
#-A icmp_packets -s 192.168.0.197 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
COMMIT

 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

iptables, ftp

I have allready opened a thread about this, but my question was really weird formed, so I'm writting it here again: I have a Network with 4 FTP Servers, then a firewall, and then a Network with clients. The clients should have access to the FTP Servers, but it should not be possible to connect... (2 Replies)
Discussion started by: sTorm
2 Replies

2. Cybersecurity

iptables: block/allow ftp

I have 2 LAN's, seperated by a firewall, running iptables on it. I want only allow ftp access from one to the other LAN. Server 1 in LAN 1 should have ftp access to Server 2 in LAN 2 Server 2 in LAN 2 should not have ftp access to Server 1 in LAN 1. Can someone tell me how to set up the... (5 Replies)
Discussion started by: sTorm
5 Replies

3. IP Networking

Ftp'ing thru a Iptables NAT Masquerade

Greetings to all. My new firewall is giving me one hell of a problem. I'm running iptables and masquerading my intranet thru NAT. But here is the problem. Whenever I try to FTP to a server outside of my lan I get a 500 illegal port error. I've come to the conclusion that NAT is... (2 Replies)
Discussion started by: phrater
2 Replies

4. UNIX for Advanced & Expert Users

Using FTP to check whether file is completely FTP... plz find the description below

Hi, We have some clients who will place huge files in to one of the remote server. And the shell script written in our local server to retrieve client files (using FTP) placed on one of the remote server of ours by clients. My question Is there any FTP command/script to check from my local... (1 Reply)
Discussion started by: nmsrao
1 Replies

5. Shell Programming and Scripting

Automated FTP script using .netrc to multiple FTP servers

Hi all, I'm using the following script to automated ftp files to 1 ftp servers host=192.168.0.1 /usr/bin/ftp -vi >> $bkplog 2>&1 <<ftp open $host bin cd ${directory} put $files quit ftp and the .netrc file contain machine 192.168.0.1 login abc... (4 Replies)
Discussion started by: varu0612
4 Replies

6. Shell Programming and Scripting

Block incoming traffic FTP from internet using iptables

Hi everybody. I have the next scenary: eth0: WAN eth1: DMZ eth2: LAN I need to block all incoming trafic from the internet through my network LAN using iptables. I have squid but i need to do this using ipatbles. I have been listening about iptables -A FORDAWARD but I am stuck right... (0 Replies)
Discussion started by: edeamat
0 Replies

7. Red Hat

iptables ftp denies ls

Hi, Following is the output of iptables -S command -P INPUT ACCEPT -P FORWARD ACCEPT -P OUTPUT ACCEPT -A INPUT -s 192.168.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s 192.168.0.5/32 -p udp -m udp --dport 22 -j ACCEPT -A INPUT -s 192.168.0.0/24 -p udp -m udp --dport 20 -j... (3 Replies)
Discussion started by: shahdharmit
3 Replies

8. HP-UX

[Solved] Unable to rename file in ftp server .Net:FTP perl

Hello All, I am trying to connect to ftp server and get the files. Also i need to rename the file in other ftp dir. rename method is not allowing me to rename the file in other dir. When i tried copy command by using net::FTP:FILE then perl says it is not installed. Can some body help me to... (2 Replies)
Discussion started by: krsnadasa
2 Replies

9. IP Networking

vsftp | active and passive ftp | iptables

I am using vsftp but I can't login with passive mode. I can only login with active mode. I can login with both mode when service of iptables is stop. In active mode : 20,21 must be open from server site. 1023 and over must be open at client site. In passive mode : only 21,1023 and over must be... (1 Reply)
Discussion started by: getrue
1 Replies

10. IP Networking

iptables problem with ftp

I have a pretty stock iptables script. One rule allows active ftp from an outside IP address. To troubleshoot it, I opened up ftp to all connections from the outside. When a user outside our domain connects via FTP, they are denied. If I flush the rules, the ftp takes place successfully. This... (2 Replies)
Discussion started by: bricoleur
2 Replies

LEARN ABOUT SUNOS

ftp

ftp(4)								   File Formats 							    ftp(4)

NAME

       ftp - FTP client configuration file

SYNOPSIS

       /etc/default/ftp

DESCRIPTION

       Use  the ftp file to configure the behavior of the FTP client. Lines that begin with a hash symbol ("# ") are treated as comment  lines and
       are ignored.

   Behavior Directives
       The ftp file supports the following behavior directives:

       FTP_LS_SENDS_NLST=yes | no

	   The ls command of the ftp client sends an NLST to the FTP Server by default. Several non-Solaris clients send LIST instead. In order to
	   make the Solaris ftp client send LIST when the ls command is issued, set FTP_LS_SENDS_NLST to no. The value of FTP_LS_SENDS_NLST is yes
	   by default.

       If the user sets a value for FTP_LS_SENDS_NLST in the user's environment, this value will override any FTP_LS_SENDS_NLST directive that	is
       specified in /etc/default/ftp.

ATTRIBUTES

       See attributes(5)  for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Availability		     |SUNWbipr			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       ftp(1), attributes(5)

SunOS 5.10							    22 Oct 2002 							    ftp(4)
All times are GMT -4. The time now is 06:00 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy