Firewall ( iptables ) enabled for ftp ( active mode & passive mode ) problem

Bill Davidsen davidsen at tmr.com
Tue Mar 30 22:30:28 UTC 2010


Edward. S. P. Leong wrote:
> Dear All,
> 
> Mine is FC11 OS...
> So, how can we enable the firewall ( iptables ) for using the ftp ( active
> mode & passive mode ) service ?
> 
The easiest way is to enable it using the firewall configuration GUI.

If you insist on writing your own, use the LOG target to track what's happening, 
or catch the packets to/from the ftp ports with tcpdump, write them to a file, 
and inspect with wireshark (or just tcpdump). You probably want some LOG entries 
in the tables, and may want a debug syslog log file defined to keep all your info.

> For the existing setting :
> iptables -F
> iptables -X
> iptables -F -t nat
> iptables -X -t nat
> iptables -F -t mangle
> iptables -X -t mangle
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t mangle -P POSTROUTING ACCEPT
> iptables -t mangle -P INPUT ACCEPT
> iptables -t mangle -P OUTPUT ACCEPT
> iptables -t mangle -P FORWARD ACCEPT
> 
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> int="eth1"
> int_add="192.168.1.254"
> int_src="192.168.1.0/24"
> # Only allow users to use port 22 ( ssh services ) :
> iptables -A INPUT -i $int -p tcp --dport 22 -s $int_src -d $int_add -j ACCEPT
> # Only allow users to use port 20 & 21 ( ftp services ) :
> iptables -A INPUT -i $int -p tcp --dport 20 -s $int_src -d $int_add -j ACCEPT
> iptables -A INPUT -i $int -p tcp --dport 21 -s $int_src -d $int_add -j ACCEPT
> # ping ( ICMP )
> iptables -A INPUT -i $int -p icmp --icmp-type echo-request -s $int_src -d $int_add -j ACCEPT
> 
> Problem of ftp client :
> connection timeout
> 
> Thanks !
> 
> Edward.


-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
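
As an added example (not code from Bill's reply, from Edward's post, or from Fedora), here is the rule set I would write for the quoted setup. In the quoted script OUTPUT is ACCEPT and INPUT admits ESTABLISHED traffic, so the server's outbound active-mode data connection (opened from port 20) already gets through; what nothing admits is the client's inbound passive-mode data connection to a random high port, and that is what hits the INPUT DROP policy and times out. Loading the nf_conntrack_ftp helper fixes it: the helper reads the PORT/PASV exchange on tcp/21 and marks the resulting data connection RELATED, so the existing ESTABLISHED,RELATED rule then covers both modes. The script also adds the LOG rules and the tcpdump capture Bill suggests. The interface and addresses are the values from the post; the FORWARD DROP policy, the `-j CT --helper ftp` line (needed on kernels from 4.7 on, where helpers are no longer assigned automatically; it is skipped with `|| true` on a kernel without the CT target) and the capture file name are my assumptions. By default it only prints the commands; set `IPT=iptables MODPROBE=modprobe TCPDUMP=tcpdump` to apply them for real.

```shell
#!/bin/sh
# Added example, not code from the original thread: iptables rules for an FTP
# server that work in active and passive mode, with LOG rules for debugging.
# Dry run by default: the commands are echoed, not executed.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
TCPDUMP="${TCPDUMP:-echo tcpdump}"
INT="${INT:-eth1}"                      # values from the quoted post
INT_ADD="${INT_ADD:-192.168.1.254}"
INT_SRC="${INT_SRC:-192.168.1.0/24}"

# The FTP conntrack helper parses PORT/PASV on the control channel (tcp/21)
# and marks the data connection RELATED, so the single ESTABLISHED,RELATED
# rule below admits passive-mode data connections that the INPUT DROP
# policy would otherwise silently eat. ip_conntrack_ftp is the pre-2.6.20 name.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp || $MODPROBE ip_conntrack_ftp
}

ftp_rules() {
    # Clean slate, as in the original script.
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP        # assumption: this host is not a router

    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to our own connections, plus helper-tracked data connections
    # (covers both active and passive mode once the helper is loaded).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Kernels 4.7+ no longer attach helpers automatically; bind it explicitly.
    # Harmless if the CT target does not exist (old kernel): the error is ignored.
    $IPT -t raw -A PREROUTING -i "$INT" -p tcp --dport 21 -j CT --helper ftp 2>/dev/null || true

    $IPT -A INPUT -i "$INT" -p tcp --dport 22 -s "$INT_SRC" -d "$INT_ADD" -j ACCEPT

    # Control channel: log each new session, then accept it. No INPUT rule for
    # port 20 is needed: the server opens active-mode data connections *from*
    # port 20 (OUTPUT ACCEPT) and the client's replies match ESTABLISHED.
    $IPT -A INPUT -i "$INT" -p tcp --dport 21 -s "$INT_SRC" -d "$INT_ADD" \
         -m state --state NEW -j LOG --log-prefix "FTP-CTRL: "
    $IPT -A INPUT -i "$INT" -p tcp --dport 21 -s "$INT_SRC" -d "$INT_ADD" -j ACCEPT

    $IPT -A INPUT -i "$INT" -p icmp --icmp-type echo-request -s "$INT_SRC" -d "$INT_ADD" -j ACCEPT

    # Log (rate-limited, debug level) whatever the DROP policy is about to
    # discard. A client "timing out" shows up here as a SYN to a high port.
    # To keep these in their own file, e.g. in /etc/rsyslog.conf:
    #   kern.=debug   /var/log/iptables.log
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 7
}

# Capture the control channel plus every inbound SYN to the server (a passive
# data connection is a SYN to a high port on $INT_ADD); inspect with wireshark.
capture_ftp() {
    $TCPDUMP -n -i "$INT" -w "${1:-/tmp/ftp.pcap}" \
        "port 21 or port 20 or (dst host $INT_ADD and tcp[tcpflags] & tcp-syn != 0)"
}

load_ftp_helper
ftp_rules
```

After applying for real, `lsmod | grep nf_conntrack_ftp` confirms the helper is loaded, and a passive transfer that still fails will leave an `INPUT-DROP:` line in the kernel log showing which port the client's SYN went to.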