[Gllug] ftp / iptables
gllug at uncertainty.org.uk
Mon Oct 29 20:42:30 UTC 2001
On Mon, Oct 29, 2001 at 09:27:54AM -0000, Paul Brazier wrote:
>
> My basic firewall script as it stands now is:
>
> #!/bin/sh
>
> IPTABLES=/sbin/iptables
>
> # Flush existing rules
> $IPTABLES -F
> $IPTABLES -X
> $IPTABLES -Z
>
> # Set default policies
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
>
> # Accept all pings via the ethernet port
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
>
> # Accept all ftp requests via ethernet
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 20 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --sport 1024: --dport 1024: -m state \
>     --state ESTABLISHED,RELATED -j ACCEPT
have you done
insmod ip_conntrack_ftp
or otherwise made sure your kernel can do ftp connection tracking ?
I do this similarly (accept all established/related - and new
connections to the specific service)
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ppp0 -p TCP \
--dport ftp -j ACCEPT
adding a log entry can help to see what is happening - moving it around in
the script (or having several entries) can help too
iptables -A block -j LOG --log-prefix " some-prefix "
--
Sean
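Added example, not code posted by either Paul or Sean: a complete script built on the approach in the reply (FTP conntrack helper loaded, one shared "block" chain that accepts ESTABLISHED,RELATED before the per-service NEW rules, and a LOG rule just before the final drop). It assumes eth0 is the Internet-facing interface and, so that it can be run unprivileged, defaults IPTABLES to "echo /sbin/iptables" and prints the rules instead of applying them; set IPTABLES=/sbin/iptables as root to install them.

```shell
#!/bin/sh
# Stateful firewall in the style of Sean's reply (added example, not from
# the thread). Dry-run by default: IPTABLES="echo /sbin/iptables" prints
# the commands; export IPTABLES=/sbin/iptables to apply them for real.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"    # assumed Internet-facing interface

# Without the helper the FTP data connection (active port 20 or a passive
# high port) is never classified RELATED and is dropped by the INPUT
# policy: the login works but "ls" hangs. Only touch modules when
# actually applying rules; 2.4 kernels name it ip_conntrack_ftp, 2.6+
# nf_conntrack_ftp.
load_ftp_helper() {
    case "$IPTABLES" in
        echo*) echo "# dry run: would modprobe ip_conntrack_ftp / nf_conntrack_ftp" ;;
        *) modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp ;;
    esac
}

ruleset() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -Z
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # One user-defined chain shared by INPUT and FORWARD.
    $IPTABLES -N block
    $IPTABLES -A block -i lo -j ACCEPT
    # Replies and helper-spawned children (the FTP data channel) are
    # accepted first, so they never reach the NEW rules or the log.
    $IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A block -m state --state INVALID -j DROP
    $IPTABLES -A block -i "$WAN_IF" -p icmp --icmp-type echo-request -j ACCEPT
    # Only the control channel needs an explicit NEW rule; no need to open
    # port 20 or the whole 1024: range as in the quoted script.
    $IPTABLES -A block -m state --state NEW -i "$WAN_IF" -p tcp --dport ftp -j ACCEPT
    # Rate-limited log of whatever is about to be dropped. While debugging,
    # move or duplicate this line to see where a packet falls through.
    $IPTABLES -A block -m limit --limit 5/min -j LOG --log-prefix " fw-drop "
    $IPTABLES -A block -j DROP

    $IPTABLES -A INPUT -j block
    $IPTABLES -A FORWARD -j block
}

# Checks on the generated rule set (dry-run output), usable from a test.
count_rules() { ruleset | grep -c -- "$1"; }
# Succeeds if the ESTABLISHED,RELATED rule comes before the first NEW rule.
established_before_new() {
    est=$(ruleset | grep -n -- 'ESTABLISHED,RELATED' | head -n 1 | cut -d: -f1)
    new=$(ruleset | grep -n -- '--state NEW' | head -n 1 | cut -d: -f1)
    [ "$est" -lt "$new" ]
}

load_ftp_helper
ruleset
```

Run it once as a dry run and read the output top to bottom; the order matters, since iptables stops at the first matching rule, which is why the ESTABLISHED,RELATED rule sits above the service-specific ones and the LOG rule sits last before the drop.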