On Tue, May 08, 2007 at 01:14:18PM +0200, Lutz Feldgen wrote:
> On Tue, May 08, 2007 at 07:47:48AM +0200, Lutz Feldgen wrote:
> >
> >>I try to get the following working with iptables:
> >>
> >>incoming ftp (passive or active)
> >>outgoing ftp (to single special ftp-server)
> >>apt-get
> >>
> >>Can anybody help me with this, it's driving me mad...
> >>
> >
> >First of all, what do you really want? Running an ftp server on your own
> >computer or being able to access an external ftp server, or perhaps both.
> >
> >Have a look at those two pictures in order to see the differences between
> >active and passive mode (French link but it does not matter):
> >
> >http://smhteam.info/wiki/index.linux.php5?wiki=DiagrammesFtp
> >
> >What rules have you tried to run by now?
> >
>
> Thanks for the quick answer and sorry for the incomplete description.
> Right now I cannot fetch the used ruleset from the server but my
> intention is to keep it as secure for my server as possible.
> I want to run an ftp-server to give the possibility to upload something
> but also need access to an external ftp-server for backups. At least
> apt-get should find a way to fetch packets through the firewall. The
> decision whether to run active or passive on my own ftp-server depends
> on the security level of the underlying ruleset.
>
About your ftp-server, I would choose passive mode as you do not initiate the
data connection; the client does it from an unprivileged port.

Anyway, here is some piece of code (just an example). I assume your default
policy is DROP for the INPUT and OUTPUT chains.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Deal with your own ftp server
You have to allow NEW incoming connections from the client on port 21:

iptables -A INPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT

# Deal with external ftp servers
About apt, you have to allow outgoing connections to the external servers on
port 21:

iptables -A OUTPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT

And do not forget to make sure the ip_conntrack_ftp module is loaded.

It should work! I did not give it a try. Once it works, you can start
thinking about security.

--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
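As an added example that is not part of the thread or of Franck's code: a script that prints (rather than applies) an iptables-restore ruleset for the setup discussed, tightened so that outgoing FTP is allowed only to the single backup host rather than to port 21 anywhere, and with the conntrack ftp helper bound explicitly. The backup address 203.0.113.10 and the passive port range 49152-49200 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: print (do not apply) an
# iptables-restore ruleset for an own FTP server in passive mode, outgoing
# FTP to exactly one backup host, and apt-get over HTTP.
# Backup address and passive port range are constructed placeholders.

# gen_rules BACKUP_FTP_HOST PASV_LOW PASV_HIGH
gen_rules() {
    backup=$1; plow=$2; phigh=$3
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Recent kernels do not auto-assign conntrack helpers, so loading
# nf_conntrack_ftp (ip_conntrack_ftp in 2007) is not enough: bind the helper
# to the control connections, then the data connections match RELATED.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp -d $backup --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Own FTP server: control channel; passive data ports only as a fallback
# for when the helper cannot read the control channel (e.g. FTP over TLS).
-A INPUT -p tcp --syn --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --syn --dport $plow:$phigh -m conntrack --ctstate NEW -j ACCEPT
# Outgoing FTP restricted to the single backup server, not port 21 anywhere
-A OUTPUT -p tcp --syn -d $backup --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# apt-get over HTTP, plus DNS so the mirror name resolves
-A OUTPUT -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Returns 0 if the ruleset opens outgoing port 21 to any destination
# (the over-broad rule from the thread), 1 if every such rule carries -d.
allows_ftp_anywhere() {
    gen_rules "$@" | grep -- '-A OUTPUT.*--dport 21.*NEW' | grep -vq -- ' -d '
}

# Stand-alone usage: print the ruleset for review; apply with
#   modprobe nf_conntrack_ftp && gen_rules ... | iptables-restore
gen_rules 203.0.113.10 49152 49200
```

The raw-table CT rules are what make the passive data connection show up as RELATED on kernels newer than the thread's, where merely loading the module no longer attaches the helper.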