working ftp-rules with iptables

 
  

Lutz Feldgen

PostPosted: Tue May 08, 2007 8:10 am    Post subject: working ftp-rules with iptables
Archived from groups: linux>debian>maint>firewall

Hi,

I try to get the following working with iptables:

incoming ftp (passive or active)
outgoing ftp (to single special ftp-server)
apt-get

Can anybody help me with this, it's driving me mad...

regards,
Lutz


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST.TakeThisOut@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster.TakeThisOut@lists.debian.org

Lutz Feldgen

PostPosted: Tue May 08, 2007 1:40 pm    Post subject: Re: working ftp-rules with iptables

On Tue, May 08, 2007 at 07:47:48AM +0200, Lutz Feldgen wrote:
>> Hi,
>>
>
> Hi,
>
>
>> I try to get the following working with iptables:
>>
>> incoming ftp (passive or active)
>> outgoing ftp (to single special ftp-server)
>> apt-get
>>
>> Can anybody help me with this, its driving me mad...
>>
>
> First of all, what do you really want ? Running a ftp server on your own
> computer or being able to access external ftp server, or perhaps both.
>
> Have a look at those two pictures in order to see the differences between
> active and passive mode (french link but it does not matter) :
>
> http://smhteam.info/wiki/index.linux.php5?wiki=DiagrammesFtp
>
> What rules have you tried to run by now ?
>
Hi,
thanks for the quick answer and sorry for the incomplete description.
Right now I cannot fetch the used ruleset from the server but my
intention is to keep it as secure for my server as possible.
I want to run an ftp-server to give the possibility to upload something
but also need access to an external ftp-server for backups. At least
apt-get should find a way to fetch packets through the firewall. The
decision whether to run active or passive on my own ftp-server depends
on the security level of the underlying ruleset.

regards,
Lutz


robert buchinger

PostPosted: Tue May 08, 2007 2:40 pm    Post subject: Re: working ftp-rules with iptables

On Tuesday, 8 May 2007, Franck Joncourt wrote:
> On Tue, May 08, 2007 at 01:14:18PM +0200, Lutz Feldgen wrote:
> > On Tue, May 08, 2007 at 07:47:48AM +0200, Lutz Feldgen wrote:
> > >>I try to get the following working with iptables:
> > >>
> > >>incoming ftp (passive or active)
> > >>outgoing ftp (to single special ftp-server)
> > >>apt-get
> > >>
> > >>Can anybody help me with this, its driving me mad...
> > >
> > >First of all, what do you really want ? Running a ftp server on your own
> > >computer or being able to access external ftp server, or perhaps both.
> > >
> > >Have a look at those two pictures in order to see the differences
> > > between active and passive mode (french link but it does not matter) :
> > >
> > >http://smhteam.info/wiki/index.linux.php5?wiki=DiagrammesFtp
> > >
> > >What rules have you tried to run by now ?
> >
> > thanks for the quick answer and sorry for the incomplete description.
> > Right now I cannot fetch the used ruleset from the server but my
> > intention is to keep it as secure for my server as possible.
> > I want to run an ftp-server to give the possibility to upload something
> > but also need access to an external ftp-server for backups. At least
> > apt-get should find a way to fetch packets through the firewall. The
> > decision whether to run active or passive on my own ftp-server depends
> > on the security level of the underlying ruleset.
>
> About your ftp-server, I would choose passive mode as you do not
> initiate data connexion, the client do it on an unprivileged port.
>
> Anyway here is some piece of code (just an example):
>
> I assume your default policy is DROP for INPUT and OUTPUT chains.
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # Deal with your own ftp server
> You have to allow NEW incoming connexions from the client on port 21:
> iptables -A INPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
>
> # Deal with external ftp servers
> About apt you have to allow outgoing connexions to the external servers
> on port 21
> iptables -A OUTPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
>
> And do not forget to make sure ip_conntrack_ftp module is loaded.
>
> It should work ! I did not give it a try.
>
> Once it works, you can start thinking about security.

maybe you should add --dest <serveraddress> to the output rules to access only
the wanted ftp server(s)

for apt-get you can use ftp or http so it should work as easy as the rest


Bernd Eckenfels

PostPosted: Wed May 09, 2007 3:50 am    Post subject: Re: working ftp-rules with iptables

On Tue, May 08, 2007 at 02:11:33PM +0200, Franck Joncourt wrote:
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

As a host-based filter I would not use RELATED (and maybe not established)
at all. You should limit the FTP server's data-port bind range and allow that
for the ftp user.

Limit ftp-bounce connections (no outgoing ftp data to a privileged port)
and then you are fine.

Gruss
Bernd
--
(OO) -- Bernd_Eckenfels@Mörscher_Strasse_8.76185Karlsruhe.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://www.eckes.org/
o--o 1024D/E383CD7E eckes@IRCNet v:+497211603874 f:+49721151516129
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
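The following script is an added example and is not code from Franck, robert, Bernd or anyone else on this thread. It puts the three pieces of advice above into one rule set: Franck's default-DROP base with explicit NEW rules for port 21, robert's restriction of the outgoing rules to a single backup server (the `-d` option, the same as his `--dest`), and Bernd's host-based hardening (no RELATED, an explicit passive data-port range instead, and a rule against FTP bounce to privileged ports). The backup server address 192.0.2.10, the passive range 50000-50100, the function name `ftp_rules` and the `--dry-run` switch are all assumptions of this example; the passive range must match whatever your FTP daemon is configured to use (for vsftpd that is `pasv_min_port` and `pasv_max_port`), otherwise data connections will be dropped.

```shell
#!/bin/sh
# Added example for the debian-firewall thread above; not any poster's code.
# Combines: stateful default-DROP base (Franck), outgoing FTP only to one
# backup server (robert), no RELATED / explicit passive range / no bounce to
# privileged ports (Bernd). All addresses and ranges below are assumed
# placeholders; adjust them to your own hosts and daemon configuration.

BACKUP_FTP="${BACKUP_FTP:-192.0.2.10}"   # assumed address of the external backup FTP server
PASV_MIN="${PASV_MIN:-50000}"            # assumed passive data-port range of our own ftpd
PASV_MAX="${PASV_MAX:-50100}"            # (must match e.g. vsftpd pasv_min_port/pasv_max_port)

# Emit the rule set through the command given as $1 (default: iptables).
# `ftp_rules echo` prints the rules as a dry run without touching the kernel.
ftp_rules() {
    IPT="${1:-iptables}"

    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -F INPUT
    "$IPT" -F OUTPUT
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Packets belonging to connections we have already accepted. RELATED is
    # deliberately left out: the data ports are opened explicitly below, so
    # the FTP command-channel parser (ip_conntrack_ftp / nf_conntrack_ftp) is
    # not needed and cannot open ports based on text sent by a client.
    "$IPT" -A INPUT  -m state --state ESTABLISHED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

    # Own FTP server, passive mode only: the control channel on port 21 plus
    # the passive data range that the daemon binds. The client connects to
    # these from an unprivileged port; the server never dials out.
    "$IPT" -A INPUT -p tcp --syn --dport 21 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -p tcp --syn --dport "$PASV_MIN:$PASV_MAX" -m state --state NEW -j ACCEPT

    # Anti-bounce: an active-mode data connection (source port 20) must never
    # be opened towards a privileged port on any host. With passive-only
    # operation no such connection is expected at all, so this is a backstop.
    "$IPT" -A OUTPUT -p tcp --sport 20 --dport 0:1023 -j DROP

    # Outgoing FTP only to the single backup server: control channel, then
    # the passive data connections we open as a client (we do not know the
    # remote passive range, so any unprivileged port on that one host).
    "$IPT" -A OUTPUT -p tcp --syn -d "$BACKUP_FTP" --dport 21 -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -p tcp --syn -d "$BACKUP_FTP" --dport 1024:65535 -m state --state NEW -j ACCEPT

    # apt-get: point sources.list at an HTTP mirror so package fetches need
    # no FTP rules at all; DNS is needed to resolve the mirror name.
    "$IPT" -A OUTPUT -p tcp --syn --dport 80 -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -p udp --dport 53 -j ACCEPT
}

# `sh ftp-rules.sh --dry-run` prints the rules; run ftp_rules as root to load them.
if [ "${1:-}" = "--dry-run" ]; then
    ftp_rules echo
fi
```

Because the server never initiates a data connection in passive mode, the only outbound FTP traffic this host produces is its own client sessions to the backup server, and those are pinned to one address. If you want to follow Bernd all the way and avoid connection tracking for ESTABLISHED as well, the two ESTABLISHED rules can be replaced by stateless `-p tcp ! --syn -j ACCEPT` matches, at the cost of also letting non-SYN probe packets through.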


Gavin

PostPosted: Thu May 10, 2007 7:50 am    Post subject: Re: working ftp-rules with iptables

Hi Lutz,

I see you've gone some way to learning iptables, which is great and will
always help.
You could also use the shorewall firewall, which is an easy-to-maintain set of
scripts that will set up netfilter and iptables.

Cheers
Gavin

Lutz Feldgen wrote:
> Hi,
>
> I try to get the following working with iptables:
>
> incoming ftp (passive or active)
> outgoing ftp (to single special ftp-server)
> apt-get
>
> Can anybody help me with this, its driving me mad...
>
> regards,
> Lutz
>
>
>

