From: Richard <netfilter@ghz.fr>
To: Martijn Lievaart <m@rtij.nl>, netfilter@lists.netfilter.org
Subject: Re: IPtables settings to access a backup FTP
Date: Sat, 18 Aug 2007 22:25:18 +0200
Message-ID: <46C755AE.4030804@ghz.fr>
In-Reply-To: <46C7539C.60002@rtij.nl>
Hi, I've got ip_conntrack running.
My server hosts FTP accounts and I also need outgoing FTP.
No problems accessing the FTP hosted on this server, but I can't do a CWD
(ls) from this server to another external FTP server unless the firewall
is deactivated.
I guess you are going to say most of my settings are useless, but here
are my current settings:
-------------------------
Chain INPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:ftp
LOG_ACCEPT  tcp  --  anywhere             anywhere            tcp dpt:2022
LOG_ACCEPT  tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:whois
ACCEPT      udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:ntp
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:8443
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:8880
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:42630
ACCEPT      udp  --  anywhere             anywhere            udp dpt:42630
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT      all  --  localhost.localdomain anywhere
icmp_packets icmp --  anywhere             anywhere
LOG_DROP    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target      prot opt source               destination
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:ftp flags:SYN,RST,ACK/SYN

Chain OUTPUT (policy DROP)
target      prot opt source               destination
ACCEPT      all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:2022
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:telnet
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:whois
ACCEPT      udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:imap2
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT      udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:imaps
ACCEPT      tcp  --  anywhere             anywhere            tcp dpt:mysql
ACCEPT      all  --  anywhere             localhost.localdomain
icmp_packets icmp --  anywhere             anywhere
LOG_DROP    all  --  anywhere             anywhere

Chain LOG_ACCEPT (2 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `[IPTABLES ACCEPT] : '
ACCEPT      all  --  anywhere             anywhere

Chain LOG_DROP (2 references)
target      prot opt source               destination
LOG         all  --  anywhere             anywhere            LOG level warning tcp-options ip-options prefix `[IPTABLES DROP] : '
DROP        all  --  anywhere             anywhere

Chain icmp_packets (2 references)
target      prot opt source               destination
ACCEPT      icmp --  anywhere             anywhere            limit: avg 1/sec burst 1
LOG         icmp --  anywhere             anywhere            limit: avg 1/sec burst 1 LOG level warning prefix `PING-DROP: '
--------------
Thanks for any suggestions!
Richard
Martijn Lievaart wrote:
> Richard wrote:
>> Hello, this is my first message so I hope I'm doing this right! :)
>>
>> I've got iptables setup and running well on my server and up to now
>> I've not had any problems, however I have just installed a backup
>> system which needs to connect by FTP to a distant server.
>>
>> With my firewall deactivated all works fine, however with the
>> firewall activated, when I use the "ls" command of the Debian ftp
>> command line package (CWD) I get:
>>
>> 200 ok, then a long wait, then:
>> 421 Service not available, remote server has closed connection.
>>
>> I've tried this on two different FTPs and it only works if the
>> firewall is deactivated.
>>
>> One server is a Plesk server, but the server I need to connect to I do
>> not know much about; with FileZilla on my PC I've managed to connect
>> to it with both FTP active and FTP passive, so I guess it can do both.
>>
>> On my server I just do:
>>
>> ftp ftp.server.com
>> username
>> password
>>
>> So I'm not sure if it connects as passive or active.
>>
>> These are the ports that I have got open:
>>
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
>
> You don't need this (see below), but it is wrong anyhow. Active ftp uses
> SOURCE port 20, not destination port 20. Most guides on the inuhnet
> thingie get this wrong.
>
>> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
>
> Do you also want to accept FTP connections? You don't need this to make
> outgoing connections.
>
>>
>> -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
>
> This is nonsense.
>
>> -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
>
> This is the only rule you need to make outgoing FTP connections.
>
>>
>> Which ports do you suggest I should open to connect to this FTP server?
>>
>
> It's not only about static ports. FTP uses dynamic ports as well that
> must be tracked by a helper. Modprobe nf_conntrack_ftp (ip_conntrack_ftp
> on older kernels) and all should be well.
>
> HTH,
> M4
>