Is the FTP server on the iptables gateway box? In my case it is not and I have to DNAT in the PREROUTING chain, plus add a FORWARD rule to allow FTP to the LAN address of the actual server running FTP:

iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 21 -j DNAT --to 192.168.100.199
iptables -t nat -A PREROUTING -p tcp -d X.X.X.X --dport 20 -j DNAT --to 192.168.100.199
iptables -A FORWARD -p tcp -d 192.168.100.199/32 --dport 21 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.100.199/32 --dport 20 -j ACCEPT

And that allowed incoming active or passive FTP for my server.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Cooling
> Sent: Wednesday, March 13, 2002 9:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: FTP server firewall rules
>
> Thanks for the link. However, I already understand fully how the different FTP modes work. My problem lies with the iptables configuration required to implement this. I've tried using the RELATED rule below, but this doesn't seem to work.
>
> Do you know of any articles which detail how to allow incoming FTP connections, as opposed to allowing outgoing connections? Alternatively, can you see any problems with my original configuration?
>
> Thanks,
>
> Matt
>
> > -----Original Message-----
> > From: Joffer [mailto:[EMAIL PROTECTED]]
> > Sent: 12 March 2002 8:20 PM
> > To: Matt Cooling; [EMAIL PROTECTED]
> > Subject: Re: FTP server firewall rules
> >
> > Somehow this msg just wouldn't add '>' to the text, so I'll be answering here instead, so I won't confuse myself or you ppl.
> >
> > I consider Active FTP a security threat, since it involves opening tcp port 20 inbound on the firewall, since the ftp-server is initiating the connection for the ftp-data.
> >
> > I recommend you read this document about Active FTP vs Passive FTP, and use Passive FTP.
> > http://www.slacksite.com/other/ftp.html
> >
> > If you trail that document opening (and closing everything else) you should fix it just fine.
> >
> > /Christopher Thorjussen
> >
> > ----- Original Message -----
> > From: "Matt Cooling" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, March 12, 2002 5:23 PM
> > Subject: FTP server firewall rules
> >
> > I'm running a webserver, which I have secured with iptables as follows:
> >
> > Chain INPUT (policy DROP)
> > target     prot opt source              destination
> > ACCEPT     tcp  --  <internal gateway>  anywhere       tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere            anywhere       tcp dpt:http
> > ACCEPT     udp  --  <dns server>        anywhere       udp spt:domain
> >
> > I now want to give FTP access to specific IP addresses for uploading content. I started using the following rules:
> >
> > iptables -A INPUT -p tcp -s <ftp client> --dport ftp -j ACCEPT
> > iptables -A INPUT -p tcp -s <ftp client> --dport ftp-data -j ACCEPT
> >
> > which allows ACTIVE FTP to work properly. However, I also want to allow PASSIVE FTP, which I assumed would require the following rule:
> >
> > iptables -A INPUT -p tcp -s <ftp client> -m state --state RELATED -j ACCEPT
> >
> > Unfortunately this doesn't seem to work. I've checked that the module is loaded:
> >
> > [root@testbox root]# cat /proc/modules
> > ip_conntrack_ftp        4096   0 (unused)
> > ipt_state               1152   1 (autoclean)
> > ip_conntrack           17068   2 (autoclean) [ip_conntrack_ftp ipt_state]
> > ...
> > iptable_filter          2272   0 (autoclean) (unused)
> > ip_tables              11424   2 [ipt_state iptable_filter]
> > ...
> >
> > I've reviewed some articles on the Internet; however, these are generally oriented to protecting a box. Have I missed something basic, or should this work?
> >
> > Thanks in advance,
> >
> > Matt
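As an added illustration of what the thread turns on (not code from any of the posters): the RELATED match Matt relies on only works because the ip_conntrack_ftp helper reads the control channel and derives the data connection it should expect. The snippet below does that derivation for a PORT command (active) and a 227 reply (passive); the sample lines, addresses and function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines (not taken from the thread).
PORT_LINE = "PORT 10,0,0,5,195,80\r\n"                                 # client -> server (active)
PASV_REPLY = "227 Entering Passive Mode (192,168,100,199,200,17)\r\n"  # server -> client (passive)

# RFC 959 address encoding: h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    """The data connection the control channel just announced."""
    mode: str   # "active" or "passive"
    src: str    # side that will open the data connection
    dst: str    # side that will receive it
    dport: int  # destination port of the data connection


def _decode(match):
    # h1..h4 form the dotted IP; the port is p1*256 + p2
    octets = [int(x) for x in match.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def expect_from_port(line, server_ip):
    """Client sent PORT: the server will connect out (from port 20) to the client."""
    m = _HOSTPORT.search(line)
    if not line.upper().startswith("PORT ") or m is None:
        raise ValueError("not a PORT command")
    client_ip, client_port = _decode(m)
    return Expectation("active", server_ip, client_ip, client_port)


def expect_from_pasv(line, client_ip):
    """Server replied 227: the client will connect in to the advertised address/port."""
    m = _HOSTPORT.search(line)
    if not line.startswith("227") or m is None:
        raise ValueError("not a 227 reply")
    server_ip, data_port = _decode(m)
    return Expectation("passive", client_ip, server_ip, data_port)


def hits_server_input(exp, server_ip):
    """True when the data connection arrives on the server's INPUT chain. For passive
    mode that is an unpredictable high port, so no static --dport rule can cover it and
    only a RELATED match (fed by the helper's expectation) will accept the SYN."""
    return exp.dst == server_ip
```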
