Re: need help setting a rule for ftp

From: Marcus Lauer (reply@via.newsgroup)
Date: 03/25/03

From: Marcus Lauer <reply@via.newsgroup>
Date: Mon, 24 Mar 2003 21:36:06 -0800

MikeG wrote:

> I have a RedHat 7.2 server as my full-time DSL internet gateway. It
> serves as my firewall, mail server, and web server.

     Not at the same time, I hope. :)

> So here is what I need. I want to turn on ftp, but only allow it from
> a source inside my network ( I'll use ssh remotely ). I'd like it so
> that port doesn't show as "on" from anyone on the outside.
> If anyone could help me out here, I'd really be appreciative.

     First off, remember that you can use ssh to ftp files as well (using
sftp, or scp). This might be a better choice, since you can avoid this
entire problem plus run one less daemon that way.

     As for actually answering your question... would the -i option do the
trick? Limit all packets to the ftp port to those coming from the ethernet
card which connects to your internal network. If eth0 connects to your
internal network, you'd do this (for iptables, though -i exists in iptables
and ipchains):

# Allow FTP control (21) and active-mode data (20) traffic only on the internal
# interface. iptables needs "-p tcp" before any port match, uses -o rather than
# -i in the OUTPUT chain, and has no DENY target (that was ipchains): use DROP.
iptables -A INPUT  -i eth0 -p tcp --destination-port 21 -j ACCEPT   # client -> ftpd control
iptables -A OUTPUT -o eth0 -p tcp --source-port 21 -j ACCEPT        # ftpd -> client control replies
iptables -A INPUT  -i eth0 -p tcp --destination-port 20 -j ACCEPT   # client -> ftpd, active-mode data replies
iptables -A OUTPUT -o eth0 -p tcp --source-port 20 -j ACCEPT        # ftpd -> client, active-mode data

# Port 21/20 traffic arriving on any other interface is dropped silently, so the
# port does not answer at all from the DSL side.
iptables -A INPUT -p tcp --destination-port 21 -j DROP
iptables -A INPUT -p tcp --destination-port 20 -j DROP

     You can eliminate some of these rules depending on whether you're using
active or passive FTP, how strict your existing rules are, and whether
you're using iptables statefulness or not. You could potentially have just
one rule, allowing SYN packets to port 21 on eth0, if your other rules are
right. Other security enhancements like putting "-d gateway's_internal_ip"
in that first line would also be useful.
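The "just one rule" variant Marcus sketches, written out as an added example (this is editor-supplied code, not from the original post). It assumes eth0 is the LAN interface and 192.168.1.1 is the gateway's internal address; both are placeholders. Set IPT=echo to print the rules instead of loading them, which is also how check_rule_order verifies that the ACCEPT for port 21 comes before the DROP, since iptables stops at the first match and a DROP placed first would shadow the ACCEPT and lock out the LAN too.

```shell
#!/bin/sh
# Added example, not from the original post: stateful iptables rules for an FTP
# daemon running on the gateway itself, reachable only from the LAN side.
# Assumed placeholders: eth0 = internal LAN interface, 192.168.1.1 = the
# gateway's LAN address. IPT=echo prints the rules instead of applying them.

IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
LAN_IF="${LAN_IF:-eth0}"
LAN_IP="${LAN_IP:-192.168.1.1}"

# Load the FTP connection-tracking helper. On a 2.4 kernel (Red Hat 7.2) the
# module is ip_conntrack_ftp; on 2.6.20 and later it is nf_conntrack_ftp. With
# it loaded, both active (ftpd port 20 -> client) and passive (client -> random
# high port) data connections are classified RELATED to the control connection,
# so no per-port data rules are needed at all.
load_ftp_helper() {
    "$MODPROBE" ip_conntrack_ftp 2>/dev/null || "$MODPROBE" nf_conntrack_ftp
}

ftp_rules() {
    # Replies and data channels belonging to connections already accepted.
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The single rule that opens FTP: a new TCP connection to port 21, arriving
    # on the LAN interface, addressed to the gateway's LAN address. Matching -d
    # as well as -i stops a LAN host from reaching ftpd via the public address.
    $IPT -A INPUT -i "$LAN_IF" -d "$LAN_IP" -p tcp --dport 21 --syn \
         -m state --state NEW -j ACCEPT

    # Everything else aimed at port 21 is dropped, not rejected: DROP sends no
    # response, so an outside scan sees the port as filtered, not open or closed.
    $IPT -A INPUT -p tcp --dport 21 -j DROP
}

# Dry-run sanity check: the LAN ACCEPT for port 21 must precede the DROP, or
# first-match semantics let the DROP shadow it. Returns 0 when the order is right.
check_rule_order() {
    IPT=echo ftp_rules | awk '
        /--dport 21 .* -j ACCEPT/ { accept = NR }
        /--dport 21 -j DROP/      { drop = NR }
        END { exit !(accept && drop && accept < drop) }'
}

if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    ftp_rules
fi
```

Run it as root with "apply" to load the rules; run it with IPT=echo and no argument (then call ftp_rules or check_rule_order from the shell) to review what would be loaded. The INPUT chain's default policy still matters: these rules only make sense on top of a policy or final rule that drops what nothing above accepted.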

