[Gllug] ftp / iptables

Lee Blackwell lee_blackwell at eur.3com.com
Mon Oct 29 09:50:28 UTC 2001


Just a quick thought.. Is the FTP process trying to get a reverse lookup
on the IP address that's connecting? A lot of FTP servers do.

Lee

-- 
Lee Blackwell
Unix Specialist, NCS, 3com IT.
"I'll believe in skepticism when I see it."

On Mon, 29 Oct 2001, Paul Brazier wrote:

>
> I'm having problems setting up an iptables firewall for a standalone
> http/https/ftp/ssh server.
> All the services work OK except for ftp. I know I can use scp but I need
> to allow for ftp clients as well.
>
> I've seen a lot on the web about problems with ftp clients through a
> firewall but less about servers.
> I'm using proftpd (from list recommendation) and testing iptables on two
> local machines.
>
> What happens is I ftp from one machine, it says "Connected to machine2",
> then pauses for about 20-30 seconds.
> (without the firewall it's instant) Then I get prompted for
> name/password which goes OK and I get an "ftp>" prompt. But if I do "ls"
> or something it thinks for about a minute and then times out.
>
> I understand ftp operates in active or passive mode (the proftp client
> seems to go to passive always but I need to allow either). Also that it
> opens another connection at a random high port for the data transfer.
>
> I thought that iptables allowed for this by tracking connections that
> are established or related to the initial ftp connection on port 21 (and
> 20?)?
>
> Do I need to restrict OUTPUT packets as well for a standalone server or
> can this just be open?
>
> My basic firewall script as it stands now is :
>
> #!/bin/sh
>
> IPTABLES=/sbin/iptables
>
> # Flush existing rules
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -Z
>
> # Set default policies
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
>
> # Accept all pings via the ethernet port
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
>
> # Accept all ftp requests via ethernet
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --sport 1024: --dport 1024: -m state
> --state ESTABLISHED,RELATED -j ACCEPT
>
> #Accept all ssh requests via ethernet
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
>
> # Accept all http requests via ethernet
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
>
> # Accept all inputs to and outputs from localhost
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> --
> Paul Brazier
> Cosmos UK
>
>
> **********************************************************************
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the originator.
>
> This footnote also confirms that this email message has been checked
> for the presence of computer viruses.
>
> **********************************************************************
>
>
> --
> Gllug mailing list  -  Gllug at linux.co.uk
> http://list.ftech.net/mailman/listinfo/gllug
>

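Below is an added example (not part of either message above, and not Paul's script or anything shipped with proftpd) showing how the ruleset could be revised so that both symptoms go away. Paul's ESTABLISHED,RELATED rule only matches TCP with both ports at or above 1024, so the UDP replies to the server's reverse-DNS lookup (Lee's suggestion) and the SYN/ACKs for proftpd's ident probe of the client on port 113 are dropped, which is where the 20-30 s pause before the login prompt comes from; and nothing loads the FTP connection-tracking helper, so a passive-mode data connection to a random high port on the server is NEW rather than RELATED and "ls" times out. The original also never opens 443 although the host serves https. The interface name eth0 is carried over from the post; the module names and the raw-table CT rule are assumptions about the kernel in use. The script prints the commands by default and only executes them when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example, not the original poster's script: iptables rules for a
# standalone http/https/ftp/ssh server. Prints the commands unless APPLY=1.

IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE=${IFACE:-eth0}          # assumed, as in the original post
APPLY=${APPLY:-0}

# Echo the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# Print (or apply) the complete ruleset.
firewall_rules() {
    # 1. FTP connection-tracking helper. Without it the data connection a
    #    passive-mode client opens to a random high port on the server is
    #    NEW, not RELATED, and the INPUT DROP policy eats it: "ls" hangs and
    #    times out. ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp later.
    for m in nf_conntrack_ftp ip_conntrack_ftp; do
        run modprobe "$m" 2>/dev/null && break
    done

    run "$IPTABLES" -F
    run "$IPTABLES" -X
    run "$IPTABLES" -Z
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP   # a standalone host never forwards
    run "$IPTABLES" -P OUTPUT ACCEPT

    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

    # 2. One protocol-independent state rule, placed first. Restricting it to
    #    TCP with sport/dport >= 1024 dropped the server's own DNS replies
    #    (UDP from port 53) and the answers to its ident probes (port 113),
    #    so every login waited for a resolver/ident timeout.
    run "$IPTABLES" -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$IFACE" -m state --state INVALID -j DROP

    run "$IPTABLES" -A INPUT -i "$IFACE" -p icmp -j ACCEPT

    # 3. Only the control port needs a NEW rule for FTP. Active-mode data
    #    connections are opened by the server from port 20 (OUTPUT accepts
    #    them, the replies are ESTABLISHED); passive-mode ones are RELATED
    #    via the helper. Port 20 inbound therefore needs no rule at all.
    for p in 21 22 80 443; do
        run "$IPTABLES" -A INPUT -i "$IFACE" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done

    # 4. Kernels from 4.7 on do not attach helpers automatically
    #    (net.netfilter.nf_conntrack_helper defaults to 0), so bind the ftp
    #    helper to the control port explicitly. Older iptables have no CT
    #    target; the failure is tolerated there.
    run "$IPTABLES" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp || true
}

firewall_rules
```

If the helper cannot be used, for instance because the control channel is wrapped in TLS so the kernel cannot see the PASV reply, the usual substitute is to pin the server's data ports with proftpd's `PassivePorts` directive and open that range with an ordinary `--dport` rule. The lookups themselves can also be switched off on the proftpd side with `UseReverseDNS off` and `IdentLookups off`; the firewall change above is still worth making, because a DROP policy with no generic ESTABLISHED rule will surface the same kind of stall in any daemon that makes outbound requests.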
