Edward. S. P. Leong wrote:
Dear All,
Mine is FC11 OS...
So, how can we enable the firewall ( iptables ) for using ftp ( active
mode & passive mode ) service ?
The easiest way is to enable it using the firewall configuration GUI.
If you insist on writing your own, use the LOG target to track what's happening,
or catch the packets to/from the ftp ports with tcpdump, write them to a file,
and inspect with wireshark (or just tcpdump). You probably want some LOG entries
in the tables, and may want a debug syslog log file defined to keep all your info.
For the existing setting :
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
int="eth1"
int_add="192.168.1.254"
int_src="192.168.1.0/24"
# Only allow users to use port 22 ( ssh services ) :
iptables -A INPUT -i $int -p tcp --dport 22 -s $int_src -d $int_add -j
ACCEPT
# Only allow users to use port 20 & 21 ( ftp services ) :
iptables -A INPUT -i $int -p tcp --dport 20 -s $int_src -d $int_add -j
ACCEPT
iptables -A INPUT -i $int -p tcp --dport 21 -s $int_src -d $int_add -j
ACCEPT
# ping ( ICMP )
iptables -A INPUT -i $int -p icmp --icmp-type echo-request -s $int_src
-d $int_add -j ACCEPT
Problem of ftp client :
connection timenout
Thanks !
Edward.
--
Bill Davidsen <davidsen(a)tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot