Hey there,
You might want to look at using the stateful mode of the firewall ... so it
would look something like this ... you can add interfaces and destination IP's
if you like.
iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
You can then use the "RELATED" state to allow traffic for port 20 instead of
creating new rules to specfically allow this.
Cheers
Mark
-----Original Message-----
From: Jari IT [mailto:jari_info@yahoo.uk.co]
Sent: 25 September 2004 05:55
To: security-basics@securityfocus.com
Subject: WuFTP server with Iptables.
Hi all,
I am setting a FTP server with Iptable firewall.
Here is the rule, which I get from www.openna.com.
# incoming request
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 21 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port 21 \
--destination-port $UNPRIVPORTS -j ACCEPT
# PORT MODE data channel responses
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR --source-port 20 \
--destination-port $UNPRIVPORTS -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port 20 -j ACCEPT
# PASSIVE MODE data channel responses
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp \
--source-port $UNPRIVPORTS \
-d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn \
-s $IPADDR --source-port $UNPRIVPORTS \
--destination-port $UNPRIVPORTS -j ACCEPT
However, I still cannot connect from my house (behind ADSL router/modem) to
that site.
Stop this firewall, the FTP server work well.
Please advice me about this.
Thanks in advance,
Jari
**********************************************************************
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. It may not be used or disclosed except for the
purpose for which it has been sent. If you have received this
e-mail in error please notify the system administrator
postmaster@bluesq.com quoting the senders address. If you are not the
intended recipient you must not use, disclose, distribute, copy,
print or rely on this e-mail and must delete the message and any
documents. Please advise immediately if you or your employer
do not consent to Internet e-mail for messages of this kind.
Unless expressly stated, opinions in this message are those of
the individual sender and not of Blue Square. Blue Square
accepts no liability or responsibility for any onward transmission
or use of e-mails and attachment having left the Blue Square domain.
This footnote also confirms that this e-mail message has been swept
by MIMEsweeper for the presence of computer viruses. Whilst we
have taken reasonable precautions to ensure that this e-mail and
any attachments have been swept for viruses, we cannot accept
liability for any damage sustained as a result of software viruses and
would advise that you carry out your own virus checks before
opening any attachment.
www.bluesq.com
**********************************************************************
