Be very skeptical of something you are unsure of; if something exists,
assume it's insecure unless you know otherwise. When you say you want a
'secure' connection allowing only one IP to connect to you or for you to
connect to (not sure which you want), then your connection is still
vulnerable to eavesdropping. If you want something secure then you need
to look at other protocols such as ssh/sftp or ftp over ssl.
Also, whilst Ansgar's config will do what he thinks you are trying to
achieve, if you were to use it verbatim your machine wouldn't even be
able to make DNS requests.
If you want to allow only outgoing ftp connections to a specific IP I
would suggest
iptables -A OUTPUT -p tcp --dport 21 -d ! 212.74.114.60 -j DROP
Ansgar -59cobalt- Wiechers wrote:
On 2008-06-30 Sathyainkara Balendra wrote:
I have the following settings, but I don't get an FTP connection.
#FTP-TABLE incomplete
##################################################################
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
##################################################################
# If the following line is set it works, but I want a secure connection
# only to that server
#-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow Ftp
-N USER_FTP
-A INPUT -p tcp -m tcp --dport 1:65000 --syn -j USER_FTP
-A USER_FTP -s 212.74.114.60/21 -j ACCEPT
-A USER_FTP -s 212.74.114.60/20 -j ACCEPT
If I'm interpreting your ruleset correctly, you want to allow outbound
FTP to just one particular FTP server. You got your notation wrong
there, BTW. The part after the slash in the argument of the -s option is
a netmask, not a port. You specify ports with the --sport option.
----8<----
# NOTE: This rule snippet doesn't take care of anything else than FTP!
# You'll need rules for DNS and whatever else you want to allow in
# addition to this.
modprobe ip_conntrack_ftp
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d 212.74.114.60 --dport 21 \
-m state --state NEW -j ACCEPT
---->8----
If you want to do yourself a favor: learn how FTP works before trying to
handle FTP connections.
http://slacksite.com/other/ftp.html
Regards
Ansgar Wiechers
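The following script is an added example, not from either poster: it is Ansgar's outbound-FTP-only ruleset completed with the loopback and DNS rules the reply above notes it leaves out, and a small check for the netmask-as-port mistake from the original ruleset. The DNS server address is a constructed placeholder; the FTP server is the one from the thread. Commands are echoed by default; set RUN="" (as root) to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): Ansgar's snippet plus the loopback and
# DNS rules it deliberately omits. Everything is echoed unless RUN is set to
# the empty string, so it can be previewed without touching the live firewall.
RUN="${RUN-echo}"
FTP_SERVER="${FTP_SERVER:-212.74.114.60}"   # the server from the thread
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"      # constructed placeholder resolver

apply_rules() {
    # Track FTP control sessions so the data connections (active or passive)
    # show up as RELATED; this is the module name used in the thread.
    $RUN modprobe ip_conntrack_ftp
    # Default-deny in all three directions, then open only what is needed.
    $RUN iptables -F
    $RUN iptables -P INPUT DROP
    $RUN iptables -P OUTPUT DROP
    $RUN iptables -P FORWARD DROP
    # Loopback, so local daemons (e.g. a caching resolver) keep working.
    $RUN iptables -A INPUT  -i lo -j ACCEPT
    $RUN iptables -A OUTPUT -o lo -j ACCEPT
    # Replies to connections we opened, plus helper-tracked FTP data channels.
    $RUN iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS: without these, a DROP policy on OUTPUT blocks every name lookup.
    $RUN iptables -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    $RUN iptables -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    # FTP control channel to the one permitted server. The port goes in
    # --dport; "-d 212.74.114.60/21" would mean a /21 netmask, not port 21.
    $RUN iptables -A OUTPUT -p tcp -d "$FTP_SERVER" --dport 21 -m state --state NEW -j ACCEPT
}

# Lint helper: count rules that put an FTP port where a netmask belongs,
# the mistake in the original ruleset (-s host/21, -s host/20).
count_port_as_netmask() {
    printf '%s\n' "$1" | awk '/-[sd] [0-9.]+\/(20|21)( |$)/ { n++ } END { print n + 0 }'
}

apply_rules
```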