#1  17th June 2006, 11:10
flourishing (Member)
iptables rules for ftp

Quote:
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW,ESTABLISHED,RELATED -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The rules not in red are the original rules, which only accept 22 (ssh). I want it to allow the ftp server to be accessed by IE or an ftp client. How should the rules be?
The red rules are the ones I added, but they don't work.

thanks for help .

#2  18th June 2006, 03:45
brianaustin (Junior Member)
try this

-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 20 -j ACCEPT

also
-A RH-Firewall-1-INPUT -j LOG (I think that's the syntax)

and look at syslog to see what's happening when you ftp

also you may need some --sport 20,21 rules

b

#3  18th June 2006, 13:57
falko (Super Moderator, Lüneburg, Germany)

Which distribution do you use?

#4  10th April 2008, 03:02
dealspiggy (Member)

I'm using CentOS 5.1

thanks

#5  14th April 2008, 17:30
NixerX (Junior Member)

Do you need to /sbin/modprobe ip_conntrack_ftp?

#6  14th April 2008, 21:18
topdog (Senior Member, South Africa)

Due to the nature of the FTP protocol, yes, you need connection tracking, so the module needs to be loaded. To make it permanent, add the module to

/etc/sysconfig/iptables-config
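The fix topdog describes, as an added shell example that is not from the thread: it adds ip_conntrack_ftp to the IPTABLES_MODULES line of /etc/sysconfig/iptables-config without duplicating it or clobbering other modules (run here on a constructed copy of the file), and checks whether the helper is loaded right now. The file's IPTABLES_MODULES="..." format and the module name come from CentOS 5 and the thread; the function names and sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: persist the FTP conntrack helper
# on a CentOS 5 style host by editing the IPTABLES_MODULES line of an
# iptables-config file (assumed format: IPTABLES_MODULES="mod1 mod2").
set -eu

# Print the space-separated module list from an iptables-config file.
iptables_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1"
}

# Idempotently add module $2 to the IPTABLES_MODULES line of file $1:
# keeps modules already listed, handles an empty "" value, and creates
# the line if it is missing. Other settings in the file are untouched.
add_iptables_module() {
    file=$1
    mod=$2
    tmp=$(mktemp)
    awk -v mod="$mod" '
        /^IPTABLES_MODULES=/ {
            found = 1; present = 0; val = $0
            sub(/^IPTABLES_MODULES=/, "", val)
            gsub(/"/, "", val)
            n = split(val, have, " ")
            for (i = 1; i <= n; i++) if (have[i] == mod) present = 1
            if (!present) val = (val == "" ? mod : val " " mod)
            print "IPTABLES_MODULES=\"" val "\""
            next
        }
        { print }
        END { if (!found) print "IPTABLES_MODULES=\"" mod "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Echo 1 if the helper is loaded now (what NixerX's modprobe hint gives
# until the next reboot), 0 otherwise.
ftp_helper_loaded() {
    if lsmod 2>/dev/null | grep -q '^ip_conntrack_ftp '; then echo 1; else echo 0; fi
}

# Demo on a constructed copy of the config so the host is not modified.
demo() {
    cfg=$(mktemp)
    printf 'IPTABLES_MODULES=""\nIPTABLES_SAVE_ON_STOP="no"\n' > "$cfg"
    add_iptables_module "$cfg" ip_conntrack_ftp
    add_iptables_module "$cfg" ip_conntrack_ftp   # second run is a no-op
    iptables_modules "$cfg"                      # prints: ip_conntrack_ftp
    rm -f "$cfg"
}
demo
```

With the helper loaded, the existing ESTABLISHED,RELATED rule admits the FTP data connections (active mode from server port 20 and passive mode on high ports), so the rule accepting NEW on port 20 is unnecessary. On current kernels the helper is nf_conntrack_ftp and is no longer assigned automatically, so a raw-table rule `-p tcp --dport 21 -j CT --helper ftp` is needed as well.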