[Gllug] ftp / iptables

gllug at uncertainty.org.uk gllug at uncertainty.org.uk
Tue Oct 30 11:58:32 UTC 2001


On Tue, Oct 30, 2001 at 11:12:06AM -0000, Paul Brazier wrote:
> > have you done 
> > insmod ip_conntrack_ftp 
> > or otherwise made sure your kernel can do ftp connection tracking ?
> 
> I'm testing this on a Mandrake 8.0 box which I think has all the
> iptables/netfilter modules automatically installed.
> I think it normally complains if the modules aren't present when you
> create the rules but I'll double-check this.
>  

normally you do get notified if you try to do something without the
required module ... BUT I /think/ that it doesn't quite work that way in
this case

AIUI ftp conntrack adds ftp connections to the list of RELATED, if you
don't have ftp-conntrack inserted there is no error but ftp connections
don't appear in the related table.

I could well be wrong about the above ...

anyway `lsmod | grep ftp` should tell you if the module is currently
inserted

> > I do this similarly (accept all established/related - and new
> > connections to the specific service)
> > iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A block -m state --state NEW -i ppp0  -p TCP \
> > --dport ftp -j ACCEPT
> > 
> > adding a log entry can help see what is happening - moving it
> > around in the script (or having several entries can help too)
> > 
> > iptables -A block -j LOG --log-prefix " some-prefix "
> 
> I'll look into this logging more closely I think.
> 

the logging options in iptables seem very powerful - I think you asked
in another post why you should use a firewall, and the logging is one
reason.

Some people believe that the services should all be locked down to the
point where you don't need a firewall - others use a firewall, run all
services fully patched from inside chroot environments, some use
firewalls and no other security - it's really up to you.

Personally I run a firewall and try to keep all services fairly secure.
The iptables gives me an easy way to control access based on source ip
which is handy for me. I also log attempts to connect to me - from this
I have been able to watch the rise and fall of code red and other worms
- even though I don't run a webserver.

Also I can experiment with things - run mysql with no root password !
trusting in the firewall to keep me secure.

-- 

Sean
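The module check and the "block" chain discussed in this thread, pulled together as an added example (not Sean's or Paul's own script): it assumes the chain is called block and hangs off INPUT, and that ppp0 is the external interface, both as in the quoted rules. The DRY_RUN mode and the fallback to the later module name nf_conntrack_ftp are additions for running it without root.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the "block" chain from the
# quoted rules after making sure ftp connection tracking is loaded.
# Assumptions: chain "block" off INPUT, external interface ppp0.
# DRY_RUN=1 prints the iptables commands instead of running them.

IPT=${IPT:-iptables}

# Run iptables, or echo the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

# Does lsmod output ($1) list the ftp conntrack helper? Matches the
# 2.4-era name from the thread (ip_conntrack_ftp) and the later
# nf_conntrack_ftp. Returns 0 if present, 1 otherwise.
ftp_conntrack_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Load the helper before adding rules: without it, ftp data connections
# never show up as RELATED and iptables gives no error about it.
ensure_ftp_conntrack() {
    if ftp_conntrack_loaded "$(lsmod 2>/dev/null)"; then
        return 0
    fi
    [ -n "$DRY_RUN" ] && { echo "modprobe ip_conntrack_ftp"; return 0; }
    modprobe ip_conntrack_ftp || modprobe nf_conntrack_ftp
}

# The rules from the thread, plus a LOG rule for whatever falls through
# so the reason for a dropped connection can be read in the syslog.
build_block_chain() {
    ipt -N block
    ipt -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A block -m state --state NEW -i ppp0 -p tcp --dport ftp -j ACCEPT
    ipt -A block -j LOG --log-prefix " block-drop "
    ipt -A block -j DROP
    ipt -A INPUT -j block
}

main() { ensure_ftp_conntrack && build_block_chain; }

# Only apply the rules when asked: ./firewall.sh apply
if [ "${1:-}" = "apply" ]; then main; fi
```

Run with `DRY_RUN=1 sh firewall.sh apply` first to see the exact commands before applying them for real.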

