Re: need help setting a rule for ftp
From: Marcus Lauer (firstname.lastname@example.org)
Date: Mon, 24 Mar 2003 21:36:06 -0800
> I have a RedHat 7.2 server as my fulltime DSL internet gateway. It
> serves as my firewall, mail server, and web server.
Not at the same time, I hope. :)
> So here is what I need. I want to turn on ftp, but only allow it from
> a source inside my network (I'll use ssh remotely). I'd like it so
> that port doesn't show as "on" from anyone on the outside.
> If anyone could help me out here, I'd really be appreciative.
First off, remember that you can use ssh to ftp files as well (using
sftp, or scp). This might be a better choice, since you can avoid this
entire problem plus run one less daemon that way.
As for actually answering your question... would the -i option do the
trick? Limit all packets to the ftp port to those coming from the ethernet
card which connects to your internal network. If eth0 connects to your
internal network, you'd do this (for iptables, though -i exists in iptables
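    # Port matches need "-p tcp"; OUTPUT rules take -o, not -i.
    # Control channel (tcp/21) on the internal interface: requests in, replies out.
    iptables -A INPUT  -i eth0 -p tcp --destination-port 21 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --source-port 21 -j ACCEPT
    # Active-mode data channel: the server side of the connection is tcp/20.
    iptables -A INPUT  -i eth0 -p tcp --destination-port 20 -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --source-port 20 -j ACCEPT
    # Same ports on any other interface: iptables uses DROP (DENY is the ipchains target).
    iptables -A INPUT -p tcp --destination-port 21 -j DROP
    iptables -A INPUT -p tcp --destination-port 20 -j DROP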
You can eliminate some of these rules depending on whether you're using
active or passive FTP, how strict your existing rules are, and whether
you're using iptables statefulness or not. You could potentially have just
one rule, allowing SYN packets to port 21 on eth0, if your other rules are
right. Other security enhancements like putting "-d gateway's_internal_ip"
in that first line would also be useful.
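
The single-rule stateful variant mentioned in the last paragraph, written out as an added example that is not part of the original message. The function name ftp_lan_rules and the address 192.168.1.1 are constructed for illustration, and the FTP connection-tracking helper is assumed to be loaded.

```shell
#!/bin/sh
# Added example, not from the original post. Prints a stateful ruleset that exposes
# FTP only on the internal interface. Nothing is applied unless the output is run.
# Assumed: the FTP conntrack helper (ip_conntrack_ftp on 2.4 kernels) is loaded, so
# data connections are classified RELATED in both active and passive mode.

# ftp_lan_rules IFACE GATEWAY_IP: print the rules; return 1 on unsafe input.
ftp_lan_rules() {
    iface=$1
    gw=$2
    # Only plain interface names and dotted quads may reach the generated commands.
    case $iface in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case $gw in
        ''|*[!0-9.]*|.*|*.|*..*) echo "bad address: $gw" >&2; return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $gw
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address: $gw" >&2; return 1; }
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || { echo "bad address: $gw" >&2; return 1; }
    done
    cat <<EOF
# 1. Replies and helper-tracked data connections of sessions already admitted.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. The single "new session" rule: SYN to port 21, internal interface and address only.
iptables -A INPUT -i $iface -d $gw -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
# 3. Everything else aimed at port 21 is dropped silently, so outside scans get no answer.
iptables -A INPUT -p tcp --dport 21 -j DROP
EOF
}

# Constructed sample values: eth0 as the LAN interface, 192.168.1.1 as its address.
ftp_lan_rules eth0 192.168.1.1
```

Rule order matters here: iptables stops at the first match, so the DROP must come after the two ACCEPT rules.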