Edward. S. P. Leong wrote:
> Dear All,
>
> Mine is FC11 OS...
> So, how can we enable the firewall ( iptables ) for using ftp ( active
> mode & passive mode ) service ?
>
The easiest way is to enable it using the firewall configuration GUI. If you insist on writing your own, use the LOG target to track what's happening, or catch the packets to/from the ftp ports with tcpdump, write them to a file, and inspect with wireshark (or just tcpdump). You probably want some LOG entries in the tables, and may want a debug syslog log file defined to keep all your info.

> For the existing setting :
> iptables -F
> iptables -X
> iptables -F -t nat
> iptables -X -t nat
> iptables -F -t mangle
> iptables -X -t mangle
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t mangle -P POSTROUTING ACCEPT
> iptables -t mangle -P INPUT ACCEPT
> iptables -t mangle -P OUTPUT ACCEPT
> iptables -t mangle -P FORWARD ACCEPT
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> int="eth1"
> int_add="192.168.1.254"
> int_src="192.168.1.0/24"
> # Only allow users to use port 22 ( ssh services ) :
> iptables -A INPUT -i $int -p tcp --dport 22 -s $int_src -d $int_add -j ACCEPT
> # Only allow users to use port 20 & 21 ( ftp services ) :
> iptables -A INPUT -i $int -p tcp --dport 20 -s $int_src -d $int_add -j ACCEPT
> iptables -A INPUT -i $int -p tcp --dport 21 -s $int_src -d $int_add -j ACCEPT
> # ping ( ICMP )
> iptables -A INPUT -i $int -p icmp --icmp-type echo-request -s $int_src -d $int_add -j ACCEPT
>
> Problem of ftp client :
> connection timeout
>
> Thanks !
>
> Edward.

--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from the machinations of the wicked."
- from Slashdot

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
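Added example (editor's, not code from either poster): a script that generates an iptables-restore ruleset covering the case the thread is about. The point it demonstrates is why a ruleset like the quoted one times out in passive mode: the passive data connection arrives at the server as a NEW connection to a high port, so with INPUT DROP it is only accepted if the kernel FTP connection-tracking helper (nf_conntrack_ftp) has parsed the PASV reply and marked the data connection RELATED. Active mode needs nothing extra on the server side, since the server opens the data connection itself from port 20 and OUTPUT is ACCEPT. The script also adds the rate-limited LOG rule Bill suggests, so dropped packets show up in syslog. The interface, address and network are assumptions copied from the quoted script; the explicit CT helper rule in the raw table is the form newer kernels require when automatic helper assignment is off, and it is harmless on kernels where the module attaches the helper by itself.

```shell
#!/bin/bash
# Editor's example, not from the original thread. Emits (or, with --apply,
# loads) a ruleset that allows SSH and FTP in active and passive mode from
# one LAN. Values below are assumptions taken from the quoted script.
INT="${INT:-eth1}"
INT_ADD="${INT_ADD:-192.168.1.254}"
INT_SRC="${INT_SRC:-192.168.1.0/24}"

# Print the ruleset in iptables-restore syntax. Printing instead of calling
# iptables directly lets you review and diff the result without root.
ftp_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the ftp helper to control connections explicitly (required on
# kernels with automatic helper assignment disabled, harmless elsewhere).
-A PREROUTING -i $INT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# RELATED is what lets the passive-mode data connection in once the helper
# has parsed the PASV/EPSV reply; ESTABLISHED covers replies to everything
# else, including the active-mode data connection the server opens itself.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT -p tcp --dport 22 -s $INT_SRC -d $INT_ADD -j ACCEPT
-A INPUT -i $INT -p tcp --dport 21 -s $INT_SRC -d $INT_ADD -j ACCEPT
-A INPUT -i $INT -p icmp --icmp-type echo-request -s $INT_SRC -d $INT_ADD -j ACCEPT
# Log what the DROP policy is about to discard, rate limited, so a client
# "connection timeout" can be matched against a syslog line.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 7
COMMIT
EOF
}

# Kernel side: the helper module must be loaded or RELATED never matches
# the data connection. On Fedora of that era it can be made persistent via
# IPTABLES_MODULES="nf_conntrack_ftp" in /etc/sysconfig/iptables-config.
load_helper() {
    modprobe nf_conntrack_ftp
}

# Apply for real (root only); review the output of ftp_ruleset first.
apply_ruleset() {
    load_helper && ftp_ruleset | iptables-restore
}

# Sanity check: the three pieces passive FTP depends on are all present.
check_ruleset() {
    ftp_ruleset | grep -q -- '-j CT --helper ftp' || return 1
    ftp_ruleset | grep -q -- 'ESTABLISHED,RELATED' || return 1
    ftp_ruleset | grep -q -- '--dport 21' || return 1
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    ftp_ruleset
fi
```

Run it without arguments to see the ruleset, then `sudo ./ftp-fw.sh --apply` once it looks right. If passive transfers still hang after this, `grep iptables-drop /var/log/messages` (or wherever debug-level kernel messages go on your syslog setup) shows which packet the policy is eating, which is the data Bill's tcpdump/LOG advice is meant to collect.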