Since I haven't played with iptables in a LONG time, I could use some
sage advice on this.....
I saw a couple of examples on the NET, and I kinda merged the 2 into
one script...


My WAN connection is Eth1 (173.165.202.120)
My LAN connection is Eth0 (10.11.248.75)

The ftp server's address is 10.11.248.119

                   ______________
Internet--------->|  Eth1   Eth0 |-------> FTP-server
                  |______________|


The objectives:
1.  Just allow ftp traffic to the ftp server
2.  Only allow ssh connections from trusted networks


Does this look remotely correct?????

Rob.



# My system IP/set ip address of server
SERVER_IP="10.11.248.75"
# Flushing all rules
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow incoming ssh (only from the two trusted LAN ranges)
iptables -A INPUT -p tcp -s 10.11.248.0/24 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 10.11.250.0/24 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

# Allow NAT and forwarding of ftp requests
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# ftp control connection (port 21)
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# active-mode ftp data connection (server port 20)
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# passive-mode ftp data connection (high ports both sides)
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 10.11.248.119 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -s 10.11.248.119 --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
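For comparison, here is an added example ruleset (not Rob's script, and not a reply from the list) that meets the two stated objectives on the topology in the post. It assumes the same addresses and interface roles (eth1 = WAN 173.165.202.120, eth0 = LAN 10.11.248.75, FTP server 10.11.248.119) and the two trusted networks named in the ssh rules. It differs from the posted script in three places that matter for a box sitting between the Internet and the FTP server: traffic for the FTP server passes through the FORWARD chain, not INPUT/OUTPUT (those only see packets addressed to or sent by the firewall itself); a nat/PREROUTING DNAT rule is needed so connections to the public address reach the private FTP server; and MASQUERADE belongs on the WAN interface so replies leave with the firewall's public address. The active and passive data connections are handled by the nf_conntrack_ftp / nf_nat_ftp helper modules plus a RELATED match, instead of opening 1024:65535 in both directions. The script prints the rules by default (IPT="echo iptables"); run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example ruleset: FTP port-forward plus ssh from trusted networks.
# Assumed values (taken from the post): eth1 is WAN, eth0 is LAN.
WAN_IF="eth1"
LAN_IF="eth0"
WAN_IP="173.165.202.120"        # firewall's public address
SERVER_IP="10.11.248.75"        # firewall's LAN address (ssh target)
FTP_IP="10.11.248.119"          # FTP server behind the firewall
TRUSTED_NETS="10.11.248.0/24 10.11.250.0/24"

# Dry-run by default: the rules are only printed. IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

build_rules() {
    # The ftp conntrack/nat helpers must be loaded for RELATED to match the
    # data connections (active port 20 and passive high ports):
    #   modprobe nf_conntrack_ftp nf_nat_ftp
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # loopback
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful shortcut in every chain: tracked connections (and the FTP
    # data connections the helper marks RELATED) are accepted here.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Objective 2: new ssh sessions to the firewall only from trusted networks.
    for net in $TRUSTED_NETS; do
        $IPT -A INPUT -p tcp -s "$net" -d "$SERVER_IP" --dport 22 -m state --state NEW -j ACCEPT
    done

    # Objective 1: only FTP reaches the FTP server.
    # Rewrite the destination of port-21 connections hitting the public
    # address, then let exactly that forwarded traffic through.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport 21 -j DNAT --to-destination "$FTP_IP"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$FTP_IP" --dport 21 -m state --state NEW -j ACCEPT
    # Source NAT on the WAN side, so LAN-originated packets (e.g. active-mode
    # data from the FTP server) leave with the public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Explicit final drops (the DROP policies already cover this; having a
    # rule here is handy if you later want a LOG rule in front of it).
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -j DROP
    $IPT -A OUTPUT -j DROP
}

# Number of iptables invocations the ruleset produces (dry-run sanity check).
rule_count() {
    build_rules | grep -c '^iptables'
}

build_rules
```

With the default dry run you can diff the printed rules against `iptables-save` output after applying, and `rule_count` gives a quick check that every rule was emitted (19 for the values above).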

---------------------------------------------------------------------
Archive      http://marc.info/?l=jaxlug-list&r=1&w=2
RSS Feed     http://www.mail-archive.com/[email protected]/maillist.xml
Unsubscribe  [email protected]