Iptables, FTP and firewall

Bob George plug-discuss@lists.plug.phoenix.az.us
Wed, 10 Jul 2002 19:41:15 -0700


"Howard Shaw" <howard@excelco.com> wrote:

> I'm setting up a port filtering firewall for an ftp server..  I'm using
> iptables.  What ports beside 21 do I need to allow connections to for
> this to work?

If you're going to do this, be sure to use connection-tracking (stateful)
features provided with iptables! As Robert Bushman noted, you need to
allow access from the server to port 20 on the outside world. However,
if you only use basic filtering to allow all traffic _between_ the
server and port 20 on outside systems, it is TRIVIAL to manipulate
traffic to come from that port through the filter to the inside server.

iptables with ip_conntrack and ip_conntrack_ftp can provide the desired
protection by only allowing such connections IF an FTP session has
actually been established, and only FROM the server TO the outside (not
just anything between the server and port 20 on the outside).

There are some good HOWTO documents on these features.

- Bob
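The two rulesets Bob contrasts, written out as an added example (this is not part of the original thread and not Bob's or Howard's configuration). It assumes iptables runs on a router with an outside interface eth0, an inside interface eth1 and an inside FTP server at 192.168.1.10; all three values are made up. The first function prints the port-only rules the post warns about; the second prints the stateful version, where the FTP helper makes the data connection RELATED to an existing control session, so a packet is accepted because an FTP session asked for it, not because it happens to carry port 20. The passive-mode rules go a little beyond the post, which only discusses port 20 (active mode), but they are the same mechanism. Running the script without arguments only prints the rules; `--apply` as root feeds the stateful set to iptables.

```shell
#!/bin/sh
# Added example, not the original poster's configuration.
# Assumed topology: router running iptables, outside on eth0, inside on eth1,
# FTP server at a constructed address 192.168.1.10.
OUT_IF="eth0"
IN_IF="eth1"
FTP_SERVER="192.168.1.10"
IPT="iptables"

# The weak, port-only ruleset. The last rule is the dangerous one: any packet
# arriving from the outside with TCP *source* port 20 reaches the server on
# any destination port, and nothing ties it to an FTP session. An attacker
# only has to bind local port 20 (e.g. "nc -p 20 192.168.1.10 22") to walk
# straight through the filter.
weak_rules() {
    cat <<EOF
$IPT -P FORWARD DROP
$IPT -A FORWARD -i $OUT_IF -o $IN_IF -p tcp -d $FTP_SERVER --dport 21 -j ACCEPT
$IPT -A FORWARD -i $IN_IF -o $OUT_IF -p tcp -s $FTP_SERVER --sport 21 -j ACCEPT
$IPT -A FORWARD -i $IN_IF -o $OUT_IF -p tcp -s $FTP_SERVER --sport 20 -j ACCEPT
$IPT -A FORWARD -i $OUT_IF -o $IN_IF -p tcp -d $FTP_SERVER --sport 20 -j ACCEPT
EOF
}

# The stateful ruleset. The FTP helper (ip_conntrack_ftp on 2.4 kernels,
# nf_conntrack_ftp on current ones) parses the control channel on port 21 and
# registers an "expectation" for the data connection it announces. The first
# packet of that data connection is then classified RELATED; everything else
# is NEW and falls through to the DROP policy. Since kernel 4.7 helpers are
# no longer attached automatically, hence the raw-table CT rule (it is
# harmless, but unsupported, on 2.4-era kernels). "-m state --state" is the
# syntax of the era; "-m conntrack --ctstate" is the modern equivalent.
stateful_rules() {
    cat <<EOF
modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
$IPT -P FORWARD DROP
$IPT -t raw -A PREROUTING -p tcp -d $FTP_SERVER --dport 21 -j CT --helper ftp
$IPT -A FORWARD -i $OUT_IF -o $IN_IF -p tcp -d $FTP_SERVER --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $IN_IF -o $OUT_IF -p tcp -s $FTP_SERVER --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $IN_IF -o $OUT_IF -p tcp -s $FTP_SERVER --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $OUT_IF -o $IN_IF -p tcp -d $FTP_SERVER --dport 20 -m state --state ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $OUT_IF -o $IN_IF -p tcp -d $FTP_SERVER --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -i $IN_IF -o $OUT_IF -p tcp -s $FTP_SERVER --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
EOF
}
# Rule 3 (server port 20 outbound, RELATED) is the active-mode data channel:
# only the server may open it, and only after the helper saw a PORT command on
# an established control connection. Rules 5 and 6 are passive mode: the client
# may only reach a high port the helper saw in the server's PASV reply.

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run --apply as root" >&2; exit 1; }
        stateful_rules | sh -e
        ;;
    *)
        echo "## weak, port-only rules (do not use):"
        weak_rules
        echo
        echo "## stateful rules:"
        stateful_rules
        ;;
esac
```

To see the difference live, bring up the stateful rules and try the same `nc -p 20` connection from outside: the SYN is NEW, no expectation exists for it, and it hits the DROP policy, while a real client's active-mode transfer still works because the helper created the expectation from the PORT command it saw on port 21.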