Thanks for the link. However, I already understand fully how the
different FTP modes work. My problem lies with the iptables
configuration required to implement this. I've tried using the RELATED
rule below, but this doesn't seem to work.

Do you know of any articles which detail how to allow incoming FTP
connections, as opposed to allowing outgoing connections? Alternatively,
can you see any problems with my original configuration?

Thanks,

Matt


> -----Original Message-----
> From: Joffer [mailto:[EMAIL PROTECTED]] 
> Sent: 12 March 2002 8:20 PM
> To: Matt Cooling; [EMAIL PROTECTED]
> Subject: Re: FTP server firewall rules
> 
> 
> for somehow this msg just wouldn't add '>' to the text so 
> I'll be answering here instead, so I won't confuse myself or you ppl.
> 
> I consider Active FTP a security threat, since it involves 
> opening tcp port 20 inbound on the firewall, since the 
> ftp-server is initiating the connection for the ftp-data.
> 
> I recommend you read this document about Active FTP Vs 
> Passive FTP, and use Passive FTP. 
> http://www.slacksite.com/other/ftp.html
> 
> If you trail that document opening (and closing everything 
> else) you should fix it just fine.
> 
> /Christopher Thorjussen
> 
> 
> ----- Original Message -----
> From: "Matt Cooling" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 12, 2002 5:23 PM
> Subject: FTP server firewall rules
> 
> 
> I'm running a webserver, which I have secured with iptables 
> as follows:
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     tcp  --  <internal gateway>   anywhere             tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
> ACCEPT     udp  --  <dns server>         anywhere             udp spt:domain
> 
> I now want to give FTP access to specific IP addresses for 
> uploading content. I started using the following rules:
> 
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
> iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
> 
> which allows ACTIVE FTP to work properly. However, I also 
> want to allow PASSIVE FTP, which I assumed would require the 
> following rule:
> 
> iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT
> 
> Unfortunately this doesn't seem to work. I've checked that 
> the module is loaded:
> 
> [root@testbox root]# cat /proc/modules
> ip_conntrack_ftp        4096   0 (unused)
> ipt_state               1152   1 (autoclean)
> ip_conntrack           17068   2 (autoclean) [ip_conntrack_ftp ipt_state]
> ...
> iptable_filter          2272   0 (autoclean) (unused)
> ip_tables              11424   2 [ipt_state iptable_filter]
> ...
> 
> I've reviewed some articles on the Internet; however, these 
> are generally oriented to protecting a box. Have I missed 
> something basic, or should this work?
> 
> Thanks in advance,
> 
> Matt
> 
