Howdy,

Thanks in advance for reading this. If this is a common issue, I apologize, but could you point me to a searchable archive so I don't bug this list with previously asked questions?

Anyway, here goes... I've got rules for FTP inbound/outbound for both PORT and PASV connections. I'm also running MySQL, which defaults to port 3306. If FTP PASV rules are enabled, either as a server or client, it seems all my high ports are open to be connected to. I've tried enforcing state, but I end up either breaking the rule so that FTP doesn't work, or I end up opening the high ports again. Is there a way to fix this by developing a better rule? Or should I
limit my PASV ports to a range that does not overlap with other services?

Here are the related rules... (the PASV rules are commented out):

#
# General rules
#
# Assumed to be set earlier in the script: $IPTABLES, $IFACE, $LOCAL_IP and
# $FTP_client; success/failure are the Red Hat /etc/init.d/functions helpers.
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#################################################################
# Kernel configuration section and cleansing of the filter, nat,#
# and mangle tables                                             #
#################################################################
echo -n $"clearing old rules from tables:"
$IPTABLES -F && \
$IPTABLES -t filter -F INPUT && \
$IPTABLES -t filter -F FORWARD && \
# commands to zero chain counters - needed on restart
$IPTABLES -X && \
$IPTABLES -t filter -Z && \
success $"clearing old rules from tables" || \
failure $"clearing old rules from tables"
echo

# set all filtering to DROP as default
echo -n $"setting default rules to DROP: "
# used to be IPTABLES -t filter -P ...
$IPTABLES -P INPUT DROP && \
$IPTABLES -P FORWARD DROP && \
$IPTABLES -P OUTPUT DROP && \
success $"setting default rules to DROP" || \
failure $"setting default rules to DROP"
echo

#
# FTP RULES
#
if [[ $FTP_client == 1 ]] ; then
echo -n $"adding FTP client rules: "
# Outgoing Request (control channel to the remote server's port 21)
$IPTABLES -A INPUT -i $IFACE -p tcp \
    -s any/0 --sport 21 \
    -d $LOCAL_IP --dport 1024: \
    -m state --state ESTABLISHED \
    -j ACCEPT && \
$IPTABLES -A OUTPUT -o $IFACE -p tcp \
    -s $LOCAL_IP --sport 1024: \
    -d any/0 --dport 21 \
    -m state --state NEW,ESTABLISHED \
    -j ACCEPT && \
# PORT FTP Connections (server connects back from port 20; RELATED is set by ip_conntrack_ftp)
$IPTABLES -A INPUT -i $IFACE -p tcp \
    -s any/0 --sport 20 \
    -d $LOCAL_IP --dport 1024: \
    -m state --state ESTABLISHED,RELATED \
    -j ACCEPT && \
$IPTABLES -A OUTPUT -o $IFACE -p tcp \
    -s $LOCAL_IP --sport 1024: \
    -d any/0 --dport 20 \
    -m state --state ESTABLISHED \
    -j ACCEPT && \
# PASV FTP Connections
# $IPTABLES -A INPUT -i $IFACE -p tcp \
#     -s any/0 --sport 1024: \
#     -d $LOCAL_IP --dport 1024: \
#     -m state --state ESTABLISHED \
#     -j ACCEPT && \
# $IPTABLES -A OUTPUT -o $IFACE -p tcp \
#     -s $LOCAL_IP --sport 1024: \
#     -d any/0 --dport 1024: \
#     -m state --state ESTABLISHED,RELATED \
#     -j ACCEPT && \
success $"adding FTP client rules" || \
failure $"adding FTP client rules"
echo
fi

Thanks again,
James
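One way to tighten the PASV rules the post asks about, as an added example that is not James's script: it pairs the RELATED state that ip_conntrack_ftp sets with a fixed passive port range, so MySQL's 3306 and the rest of the high ports are never reachable through the FTP rules. The range 49152:49407, the interface eth0 and the address 192.0.2.10 are placeholders (the range must match the FTP daemon's own passive-port setting), and IPTABLES defaults to "echo iptables" so the rule set can be inspected without touching a live firewall.

```shell
#!/bin/sh
# Added example, not James's script. Assumptions: the FTP daemon is told to
# use the passive range below (hypothetical value), the modprobe lines from
# the post have loaded ip_conntrack_ftp, and IPTABLES defaults to a dry run.
IPTABLES="${IPTABLES:-echo iptables}"
IFACE="${IFACE:-eth0}"                # placeholder interface
LOCAL_IP="${LOCAL_IP:-192.0.2.10}"    # placeholder (TEST-NET-1) address
PASV_RANGE="${PASV_RANGE:-49152:49407}"

# Emit the FTP rule set, one iptables command per line. Only two rules admit
# a brand-new connection: port 21 (NEW) and the passive range (RELATED).
# RELATED is set solely by the ip_conntrack_ftp helper after it parses a
# PASV/PORT reply on the control channel, so a cold SYN to 3306 or any other
# high port never matches; the ESTABLISHED-only rules pass reply traffic.
ftp_pasv_rules() {
    # Control channel, server side: clients connect to port 21.
    $IPTABLES -A INPUT  -i $IFACE -p tcp -d $LOCAL_IP --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o $IFACE -p tcp -s $LOCAL_IP --sport 21 \
        -m state --state ESTABLISHED -j ACCEPT
    # Passive data channel, server side: confined to PASV_RANGE.
    $IPTABLES -A INPUT  -i $IFACE -p tcp -d $LOCAL_IP --dport $PASV_RANGE \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o $IFACE -p tcp -s $LOCAL_IP --sport $PASV_RANGE \
        -m state --state ESTABLISHED -j ACCEPT
    # Passive data channel, client side: the outbound SYN to the port the
    # remote server advertised is RELATED; inbound replies are ESTABLISHED.
    $IPTABLES -A OUTPUT -o $IFACE -p tcp -s $LOCAL_IP --sport 1024: \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT  -i $IFACE -p tcp -d $LOCAL_IP --dport 1024: \
        -m state --state ESTABLISHED -j ACCEPT
}

# Self-check over the emitted rules: no INPUT rule on the open-ended 1024:
# range may carry NEW or RELATED, and NEW may appear only on port 21.
# Returns 0 when the rule set passes, 1 otherwise.
check_rules() {
    ftp_pasv_rules | awk '
        /-A INPUT/ && /--dport 1024:/ && /NEW|RELATED/ { bad = 1 }
        /-A INPUT/ && /NEW/ && !/--dport 21 /          { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

check_rules && echo "rule set passes the high-port check"
```

On kernels from 4.7 onward the FTP helper is no longer attached automatically (nf_conntrack_helper defaults to 0), so the control channel has to be handed to it explicitly with a CT target in the raw table, e.g. iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp; without that, nothing is ever marked RELATED and the data rules above simply never match.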