Re: Firewall ( iptables ) enabled for ftp ( active mode & passive mode ) problem

Edward. S. P. Leong wrote:
> Dear All,
> 
> Mine is FC11 OS...
> So, how can we enable the firewall (iptables) for using ftp (active
> mode & passive mode) service?
> 
The easiest way is to enable it using the firewall configuration GUI.

If you insist on writing your own, use the LOG target to track what's happening, 
or catch the packets to/from the ftp ports with tcpdump, write them to a file, 
and inspect with wireshark (or just tcpdump). You probably want some LOG entries 
in the tables, and may want a debug syslog log file defined to keep all your info.

> For the existing setting :
> iptables -F
> iptables -X
> iptables -F -t nat
> iptables -X -t nat
> iptables -F -t mangle
> iptables -X -t mangle
> 
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t mangle -P PREROUTING ACCEPT
> iptables -t mangle -P POSTROUTING ACCEPT
> iptables -t mangle -P INPUT ACCEPT
> iptables -t mangle -P OUTPUT ACCEPT
> iptables -t mangle -P FORWARD ACCEPT
> 
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> int="eth1"
> int_add="192.168.1.254"
> int_src="192.168.1.0/24"
> # Only allow users to use port 22 ( ssh services ) :
> iptables -A INPUT -i $int -p tcp --dport 22 -s $int_src -d $int_add -j ACCEPT
> # Only allow users to use port 20 & 21 ( ftp services ) :
> iptables -A INPUT -i $int -p tcp --dport 20 -s $int_src -d $int_add -j ACCEPT
> iptables -A INPUT -i $int -p tcp --dport 21 -s $int_src -d $int_add -j ACCEPT
> # ping ( ICMP )
> iptables -A INPUT -i $int -p icmp --icmp-type echo-request -s $int_src -d $int_add -j ACCEPT
> 
> Problem of ftp client:
> connection timeout
> 
> Thanks !
> 
> Edward.


-- 
Bill Davidsen <davidsen@xxxxxxx>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

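As an added example (not from this thread), a rule set for an FTP server behind the quoted DROP-policy INPUT chain: it loads the FTP connection-tracking helper so passive and active data connections are classified RELATED, opens the passive port range as a fallback, and adds the rate-limited LOG rule Bill suggests. The interface, subnet and passive range are assumed placeholders; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. The values below are placeholders.
IPT="${IPT:-iptables}"                    # IPT=echo prints the rules (dry run)
INT="${INT:-eth1}"                        # assumed inside interface
INT_SRC="${INT_SRC:-192.168.1.0/24}"
INT_ADD="${INT_ADD:-192.168.1.254}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"   # must match ftpd pasv_min_port/pasv_max_port

# The FTP helper parses PORT/PASV on the control channel so the data
# connection (inbound in passive mode, outbound from port 20 in active mode)
# is classified RELATED and passes the ESTABLISHED,RELATED rule. Without it a
# passive transfer hits a random high port, is dropped by the policy, and the
# client sees a timeout. Kernels 4.7+ no longer attach helpers automatically,
# so the raw-table CT rule binds it explicitly; older kernels lack -j CT.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || true
    "$IPT" -t raw -A PREROUTING -i "$INT" -p tcp --dport 21 -j CT --helper ftp \
        || echo "warning: -j CT unsupported, relying on automatic helper" >&2
}

ftp_input_rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Control channel: only NEW connections need an explicit rule.
    "$IPT" -A INPUT -i "$INT" -p tcp --dport 21 -s "$INT_SRC" -d "$INT_ADD" \
        -m state --state NEW -j ACCEPT
    # Passive data ports: redundant when the helper works, a safety net when
    # it cannot read the control channel (e.g. FTPS) or is not loaded.
    "$IPT" -A INPUT -i "$INT" -p tcp --dport "$PASV_RANGE" -s "$INT_SRC" -d "$INT_ADD" \
        -m state --state NEW -j ACCEPT
    # Active mode needs no INPUT rule: the server connects from port 20 to the
    # client (OUTPUT policy ACCEPT) and replies match ESTABLISHED. A --dport 20
    # INPUT rule therefore matches nothing useful on the server side.
    # Rate-limited LOG ahead of the DROP policy so discarded packets reach syslog.
    "$IPT" -A INPUT -i "$INT" -m limit --limit 5/min -j LOG \
        --log-prefix "INPUT-DROP: " --log-level debug
}

if [ "${1:-}" = apply ]; then
    load_ftp_helper
    ftp_input_rules
fi
```

Run with `IPT=echo sh ftp-rules.sh apply` to review the generated commands, then without IPT=echo as root to apply them; dropped packets then appear in syslog with the INPUT-DROP: prefix.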
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines