[Gllug] ftp / iptables

Paul Brazier pbrazier at cosmos-uk.co.uk
Mon Oct 29 09:27:54 UTC 2001


I'm having problems setting up an iptables firewall for a standalone
http/https/ftp/ssh server.
All the services work OK except for ftp. I know I can use scp but I need
to allow for ftp clients as well.

I've seen a lot on the web about problems with ftp clients through a
firewall but less about servers.
I'm using proftpd (from list recommendation) and testing iptables on two
local machines.

What happens is I ftp from one machine, it says "Connected to machine2",
then pauses for about 20-30 seconds.
(without the firewall it's instant) Then I get prompted for
name/password which goes OK and I get an "ftp>" prompt. But if I do "ls"
or something it thinks for about a minute and then times out.

I understand ftp operates in active or passive mode (the proftp client
seems to go to passive always but I need to allow either). Also that it
opens another connection at a random high port for the data transfer.

I thought that iptables allowed for this by tracking connections that
are established or related to the initial ftp connection on port 21 (and
20?)?

Do I need to restrict OUTPUT packets as well for a standalone server or
can this just be open?

My basic firewall script as it stands now is:

#!/bin/sh

IPTABLES=/sbin/iptables

# Flush existing rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Accept all pings via the ethernet port
$IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT

# Accept all ftp requests via ethernet
$IPTABLES -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp --sport 1024: --dport 1024: -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

#Accept all ssh requests via ethernet
$IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Accept all http requests via ethernet
$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

# Accept all inputs to and outputs from localhost
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

--
Paul Brazier
Cosmos UK 
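Added example, not Paul's script or anything else from the thread: a rule set that lets netfilter's FTP connection-tracking helper admit the data connection as RELATED, so neither active nor passive transfers need the blanket "1024: to 1024:" rule. It assumes eth0 is the public interface and that proftpd is configured with a PassivePorts range of 49152-65534; the commands are printed for review and only executed when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not the script from the original post. An INPUT-DROP rule set
# for a standalone http/https/ftp/ssh host in which FTP data connections are
# admitted by the kernel's FTP connection-tracking helper (RELATED) rather than
# by a blanket "high port to high port" rule. Commands are printed for review;
# set APPLY=1 to execute them as root.
# Assumptions: eth0 is the public interface and proftpd is configured with
# "PassivePorts 49152 65534" so the range in PASV_RANGE matches it.
IPTABLES=${IPTABLES:-/sbin/iptables}
IFACE=${IFACE:-eth0}
PASV_RANGE=${PASV_RANGE:-49152:65534}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

ftp_helper() {
    # nf_conntrack_ftp watches the port-21 control channel for PORT/PASV and
    # marks the resulting data connection RELATED (ip_conntrack_ftp on 2.4).
    run modprobe nf_conntrack_ftp
    # Since Linux 4.7 helpers are not attached automatically; bind the ftp
    # helper to control-channel traffic explicitly in the raw table.
    run $IPTABLES -t raw -A PREROUTING -i "$IFACE" -p tcp --dport 21 -j CT --helper ftp
}

rules() {
    run $IPTABLES -F
    run $IPTABLES -X
    run $IPTABLES -Z
    run $IPTABLES -P INPUT DROP
    run $IPTABLES -P FORWARD DROP      # a standalone server never forwards
    run $IPTABLES -P OUTPUT ACCEPT
    run $IPTABLES -A INPUT -i lo -j ACCEPT
    # One rule admits replies to our own connections and the helper-flagged
    # data connections, active and passive, without opening 1024: wholesale.
    run $IPTABLES -A INPUT -i "$IFACE" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run $IPTABLES -A INPUT -i "$IFACE" -m conntrack --ctstate INVALID -j DROP
    run $IPTABLES -A INPUT -i "$IFACE" -p icmp -j ACCEPT
    # New connections only to the services actually offered.
    for port in 21 22 80 443; do
        run $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Fallback for control channels the helper cannot read (e.g. FTPS): only
    # the configured passive range accepts new data connections, not all of 1024:.
    run $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport "$PASV_RANGE" -m conntrack --ctstate NEW -j ACCEPT
}

ftp_helper
rules
```

On a 2.4-era kernel the raw-table CT rule does not exist and the helper attaches automatically once ip_conntrack_ftp is loaded; the rest of the rule set is unchanged.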



