* Allowing FTP and internal but nothing else
From: Paul Harlow @ 2004-03-03 16:55 UTC (permalink / raw)
To: netfilter
I am new to IPTables and moderately experienced in Linux in general so
please forgive me if this is a noob question.
I have an FTP server that I would like to filter out all external
traffic except ftp and ftp-data. This same server has an internal
interface that I would like to allow everything on the inside to have
access to. Given what I've read I have come up with this general idea of
what to put into a filter table for now. Please let me know what your
gurus of netfilter think. Thanks!
iptables -I INPUT -i eth0 -j ACCEPT
iptables -I INPUT -i eth1 -d port 21 -j ACCEPT
iptables -I INPUT -i eth1 -d port 20 -j ACCEPT
iptables -I INPUT -i eth1 -j deny
I am assuming this is similar to Cisco access lists in that it will read
along the filter list until a hit is made then take action. Please
correct me if I am wrong.
TIA
* Re: Allowing FTP and internal but nothing else
From: David Cannings @ 2004-03-03 17:18 UTC (permalink / raw)
To: netfilter
On Wednesday 03 March 2004 16:55, Paul Harlow wrote:
> I have an FTP server that I would like to filter out all external
> traffic except ftp and ftp-data. This same server has an internal
> interface that I would like to allow everything on the inside to have
> access to. Given what I've read I have come up with this general idea
> of what to put into a filter table for now. Please let me know what
> your gurus of netfilter think. Thanks!
I am no guru but here is my 2c.
> iptables -I INPUT -i eth0 -j ACCEPT
This would accept any packet coming in on eth0, this is fine as long as
you didn't want to be more restrictive about this interface.
> iptables -I INPUT -i eth1 -d port 21 -j ACCEPT
> iptables -I INPUT -i eth1 -d port 20 -j ACCEPT
Both should be "--dport", "-d" is destination, for hosts. You'd use -d
like this:
iptables -I INPUT -d 192.168.0.1 -j ACCEPT
Your rule above could be rewritten as:
iptables -I INPUT -i eth1 --dport 21 -j ACCEPT
> iptables -I INPUT -i eth1 -j deny
Note that "deny" isn't a valid target, unless you've defined your own
chain called "deny". From the manual page, the correct target would be
"DROP".
> I am assuming this is similar to Cisco access lists in that it will
> read along the filter list until a hit is made then take action. Please
> correct me if I am wrong.
iptables is "first match", yes. The first rule that matches a packet will
be the one that controls the fate of it. This can, however, include
jumping through other chains.
For FTP, you might like to look into the FTP connection tracking helpers.
Also, you may well need rules to allow established or related packets.
Hope this helps,
David
* Re: Allowing FTP and internal but nothing else
From: Antony Stone @ 2004-03-03 17:24 UTC (permalink / raw)
To: netfilter
On Wednesday 03 March 2004 5:18 pm, David Cannings wrote:
> I am no guru but here is my 2c.
>
> > iptables -I INPUT -i eth0 -j ACCEPT
>
> This would accept any packet coming in on eth0, this is fine as long as
> you didn't want to be more restrictive about this interface.
>
> > iptables -I INPUT -i eth1 -d port 21 -j ACCEPT
> > iptables -I INPUT -i eth1 -d port 20 -j ACCEPT
>
> Both should be "--dport", "-d" is destination, for hosts. You'd use -d
> like this:
>
> iptables -I INPUT -d 192.168.0.1 -j ACCEPT
>
> Your rule above could be rewritten as:
>
> iptables -I INPUT -i eth1 --dport 21 -j ACCEPT
If you want to specify a port, you must first specify a protocol. Only TCP
and UDP use port numbers, therefore the protocol must be one of these.
FTP uses TCP, so what you actually want to specify is:
iptables -I INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
> For FTP, you might like to look into the FTP connection tracking helpers.
> Also, you may well need rules to allow established or related packets.
I agree.
Regards,
Antony.
--
Anything that improbable is effectively impossible.
- Murray Gell-Mann, Nobel Prizewinner in Physics
Please reply to the list;
please don't CC me.
* Re: Allowing FTP and internal but nothing else
From: Cedric Blancher @ 2004-03-03 17:20 UTC (permalink / raw)
To: Paul Harlow; +Cc: netfilter
On Wed 03/03/2004 at 17:55, Paul Harlow wrote:
> I have an FTP server that I would like to filter out all external
> traffic except ftp and ftp-data. This same server has an internal
> interface that I would like to allow everything on the inside to have
> access to. Given what I've read I have come up with this general idea
> of what to put into a filter table for now. Please let me know what
> your gurus of netfilter think.
I am not a guru, but I do think you should read docs... See
http://www.netfilter.org/ documentation section (HOWTOs and tutorials).
> iptables -I INPUT -i eth0 -j ACCEPT
> iptables -I INPUT -i eth1 -d port 21 -j ACCEPT
> iptables -I INPUT -i eth1 -d port 20 -j ACCEPT
> iptables -I INPUT -i eth1 -j deny
It won't work at all.
Firstly, -I inserts the rule at the top of the chain. Thus the first rule for eth1
will be the "deny all" one (your last rule). So FTP won't work.
Secondly, your FTP description is neither exact nor functional. TCP/20 is
used as source by the FTP server for active data transfer, so you do not
need to open it in INPUT. But for passive data transfer, you need to
open the whole unprivileged port range (1024:65535) to accept data connections
from the client.
And thirdly, "deny" is not a valid target for iptables. You have to use
DROP.
Netfilter is stateful and can handle FTP using conntrack. So use it:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 21 \
-j ACCEPT
This will be enough to handle the full FTP session.
To me, the full ruleset to achieve what you want should be:
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 21 \
--syn -j ACCEPT
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
* RE: Allowing FTP and internal but nothing else
From: Paul Harlow @ 2004-03-03 17:54 UTC (permalink / raw)
To: netfilter
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
> Sent: Wednesday, March 03, 2004 10:25 AM
> To: netfilter@lists.netfilter.org
> Subject: Re: Allowing FTP and internal but nothing else
>
> On Wednesday 03 March 2004 5:18 pm, David Cannings wrote:
>
> > I am no guru but here is my 2c.
> >
> > > iptables -I INPUT -i eth0 -j ACCEPT
> >
> > This would accept any packet coming in on eth0, this is fine as long
> > as you didn't want to be more restrictive about this interface.
> >
> > > iptables -I INPUT -i eth1 -d port 21 -j ACCEPT
> > > iptables -I INPUT -i eth1 -d port 20 -j ACCEPT
> >
> > Both should be "--dport", "-d" is destination, for hosts. You'd use
> > -d like this:
> >
> > iptables -I INPUT -d 192.168.0.1 -j ACCEPT
> >
> > Your rule above could be rewritten as:
> >
> > iptables -I INPUT -i eth1 --dport 21 -j ACCEPT
>
> If you want to specify a port, you must first specify a protocol. Only
> TCP and UDP use port numbers, therefore the protocol must be one of these.
>
> FTP uses TCP, so what you actually want to specify is:
>
> iptables -I INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
>
> > For FTP, you might like to look into the FTP connection tracking
> > helpers. Also, you may well need rules to allow established or related
> > packets.
>
> I agree.
>
> Regards,
>
> Antony.
>
> --
Thanks gentlemen, I appreciate it.
For now I just want to be able to establish FTP traffic and deny
everything else. My syntax is a throw over from Cisco I'm sure. :)
I've noticed that I had to rearrange the lines as they get entered
somewhat backward from what I am used to. This is what eventually
worked:
iptables -I INPUT -i eth0 -j ACCEPT
iptables -I INPUT -i eth1 -j DROP
iptables -I INPUT -i eth1 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 20 -j ACCEPT
Admittedly, thus far I have only established connections and not pulled
anything.
I will look into the connection tracking helpers but other than to
simply keep an eye on FTP connections what does the "helpers" part do?
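As an added illustration (not code from the thread), a small Python model of the INPUT chain: it shows that Cedric's warning about -I and the reversed order Paul ended up with are the same first-match effect, and why Cedric's state rule is still needed for the passive data connection. The sample packets, the rule constants and the shortcut of giving the conntrack state directly on the packet are assumptions.

```python
# Toy model of an iptables INPUT chain (added illustration, not code from
# the thread): rules are checked top-down, the first match decides, and the
# policy applies only if nothing matched; -I inserts at the TOP, -A appends
# at the BOTTOM. Assumed simplifications: no --syn flag, and the conntrack
# state comes with the packet ("RELATED" = what the FTP helper would set).

def rule(target, iface=None, proto=None, dport=None, states=None):
    """One rule; a None field means 'not specified' (option omitted)."""
    return {"target": target, "iface": iface, "proto": proto,
            "dport": dport, "states": states}

def matches(r, p):
    plain = all(r[k] is None or p[k] == r[k] for k in ("iface", "proto", "dport"))
    return plain and (r["states"] is None or p["state"] in r["states"])

class Chain:
    def __init__(self, policy, flag, rules):
        """flag 'I' inserts each rule at the top, 'A' appends; rules in typed order."""
        self.policy, self.rules = policy, []
        for r in rules:
            if flag == "I":
                self.rules.insert(0, r)
            else:
                self.rules.append(r)
    def verdict(self, p):
        for r in self.rules:                # first match wins
            if matches(r, p):
                return r["target"]
        return self.policy                  # iptables -P INPUT <policy>

# Constructed sample packets: eth1 is the external side, eth0 internal.
FTP_CTRL = {"iface": "eth1", "proto": "tcp", "dport": 21, "state": "NEW"}
FTP_PASV = {"iface": "eth1", "proto": "tcp", "dport": 50000, "state": "RELATED"}
SSH_NEW = {"iface": "eth1", "proto": "tcp", "dport": 22, "state": "NEW"}
INTERNAL = {"iface": "eth0", "proto": "udp", "dport": 53, "state": "NEW"}

ACCEPT_ETH0 = rule("ACCEPT", iface="eth0")
ACCEPT_21 = rule("ACCEPT", iface="eth1", proto="tcp", dport=21)
ACCEPT_20 = rule("ACCEPT", iface="eth1", proto="tcp", dport=20)
DROP_ETH1 = rule("DROP", iface="eth1")

def original_post():  # first post, with -I: the DROP typed last sits on top
    return Chain("ACCEPT", "I", [ACCEPT_ETH0, ACCEPT_21, ACCEPT_20, DROP_ETH1])
def reordered():      # Paul's final order: DROP typed early, so it sits lower
    return Chain("ACCEPT", "I", [ACCEPT_ETH0, DROP_ETH1, ACCEPT_21, ACCEPT_20])
def stateful():       # Cedric's ruleset: policy DROP plus one state rule
    return Chain("DROP", "A", [
        rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
        rule("ACCEPT", iface="eth0", states=("NEW",)),
        rule("ACCEPT", iface="eth1", proto="tcp", dport=21, states=("NEW",))])
```

Only the stateful chain accepts the passive data connection, because the helper marks it RELATED to the port 21 session; the reordered chain lets the control connection in but still drops the transfer.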