Howdy,

Thanks in advance for reading this. If this is a common issue, I apologize, but could you point me to a searchable archive so I don't bug this list with previously asked questions?

Anyways, here goes. I've got rules for FTP inbound/outbound for both PORT and PASV connections. I'm also running MySQL, which defaults to port 3306. If FTP PASV rules are enabled, either as a server or client, it seems all my high ports are open to be connected to. I've tried enforcing state, but I end up either breaking the rule so that FTP doesn't work, or I end up opening the high ports again.

Is there a way to fix this by developing a better rule? Or should I limit my PASV ports to a range that does not overlap with other services?

Here are the related rules (the PASV rules are commented out):

#
# General rules
#
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp

#################################################################
# Kernel configuration section and cleansing of the filter, nat,#
# and mangle tables                                             #
#################################################################
echo -n $"clearing old rules from tables:"
# flush all chains, delete user-defined chains and zero the
# chain counters - needed on restart; every step is chained with
# && so a failure of any of them reports "failure"
$IPTABLES -F && \
$IPTABLES -t filter -F INPUT && \
$IPTABLES -t filter -F FORWARD && \
$IPTABLES -X && \
$IPTABLES -t filter -Z && \
    success $"clearing old rules from tables" || \
    failure $"clearing old rules from tables"
echo

# set all filtering to DROP as default
echo -n $"setting default rules to DROP: "
# used to be IPTABLES -t filter -P ...
$IPTABLES -P INPUT DROP && \
$IPTABLES -P FORWARD DROP && \
$IPTABLES -P OUTPUT DROP && \
    success $"setting default rules to DROP" || \
    failure $"setting default rules to DROP"
echo

#
# FTP RULES
#
if [[ $FTP_client == 1 ]] ; then
    echo -n $"adding FTP client rules: "
    # Outgoing Request (control channel, port 21)
    $IPTABLES -A INPUT -i $IFACE -p tcp \
        -s any/0 --sport 21 \
        -d $LOCAL_IP --dport 1024: \
        -m state --state ESTABLISHED \
        -j ACCEPT &&\
    $IPTABLES -A OUTPUT -o $IFACE -p tcp \
        -s $LOCAL_IP --sport 1024: \
        -d any/0 --dport 21 \
        -m state --state NEW,ESTABLISHED \
        -j ACCEPT &&\
    # PORT FTP Connections (server connects back from port 20)
    $IPTABLES -A INPUT -i $IFACE -p tcp \
        -s any/0 --sport 20 \
        -d $LOCAL_IP --dport 1024: \
        -m state --state ESTABLISHED,RELATED \
        -j ACCEPT &&\
    $IPTABLES -A OUTPUT -o $IFACE -p tcp \
        -s $LOCAL_IP --sport 1024: \
        -d any/0 --dport 20 \
        -m state --state ESTABLISHED \
        -j ACCEPT &&\
    # PASV FTP Connections (high port to high port)
    # $IPTABLES -A INPUT -i $IFACE -p tcp \
    #     -s any/0 --sport 1024: \
    #     -d $LOCAL_IP --dport 1024: \
    #     -m state --state ESTABLISHED \
    #     -j ACCEPT &&\
    # $IPTABLES -A OUTPUT -o $IFACE -p tcp \
    #     -s $LOCAL_IP --sport 1024: \
    #     -d any/0 --dport 1024: \
    #     -m state --state ESTABLISHED,RELATED \
    #     -j ACCEPT &&\
        success $"adding FTP client rules" || \
        failure $"adding FTP client rules"
    echo
fi

Thanks again,
James