[Techtalk] ipchains and ftp
Conor Daly
conor.daly at oceanfree.net
Sat Jun 16 09:17:46 EST 2001
On Sat, Jun 16, 2001 at 01:04:36AM -0400 or so it is rumoured hereabouts,
kath thought:
> I have a strong ipchains firewall w/ a default policy of deny (of course).
>
> However, since I did it, I can't ftp out from any machine inside the network or even the firewall itself.
>
> What rules do I specificly need? I have ip_masq_ftp running.
>
> Thanks!
>
> kath
Here's my relevant ruleset
/sbin/modprobe ip_masq_ftp
# ------------------------------------------------------------------
# FTP client (21)
# ---------------
# outgoing request
/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -s $IPADDR $UNPRIVPORTS --destination-port 21 -j ACCEPT
# PORT mode data channel
/sbin/ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --source-port 20 -d $IPADDR $UNPRIVPORTS -j ACCEPT
/sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR $UNPRIVPORTS --destination-port 20 -j ACCEPT
where $EXTERNAL_INTERFACE, $IPADDR and $UNPRIVPORTS are obvious! Well,
$EXTERNAL_INTERFACE is ppp0 or eth0 or whatever device is connected to the Internet,
$IPADDR is the IP address of $EXTERNAL_INTERFACE,
$UNPRIVPORTS are port numbers > 1023, specifically "1024:65535".
Conor
--
Conor Daly <conor.daly at oceanfree.net>
Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
9:12am up 1 day, 9:29, 0 users, load average: 0.08, 0.05, 0.02
Hobbiton.cod.ie
9:12am up 1 day, 9:30, 4 users, load average: 0.21, 0.12, 0.11
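As an added illustration (not from this thread, and not ipchains itself), here is a toy Python model that matches packets against rules by chain, port range and the `! -y` flag, then runs Conor's three rules and an assumed fuller client ruleset (control-channel replies plus a PASV data channel) against a constructed FTP session under a default DENY policy. Interfaces and addresses are left out; the FULL additions are my assumption, not rules from the post.

```python
from dataclasses import dataclass
UNPRIV = range(1024, 65536)    # $UNPRIVPORTS, "1024:65535"
P = lambda n: range(n, n + 1)  # a single port expressed as a range
@dataclass
class Rule:
    chain: str             # "input" or "output"
    sport: range           # --source-port match
    dport: range           # --destination-port match
    not_syn: bool = False  # "! -y": match only packets that are not a bare SYN

@dataclass
class Packet:
    chain: str
    sport: int
    dport: int
    syn: bool              # True for a connection-opening SYN

def matches(rule, pkt):
    if rule.chain != pkt.chain or pkt.sport not in rule.sport or pkt.dport not in rule.dport:
        return False
    return not (rule.not_syn and pkt.syn)

def verdict(rules, pkt, policy="DENY"):
    """First matching rule wins (all rules here are ACCEPT); otherwise the chain policy."""
    return "ACCEPT" if any(matches(r, pkt) for r in rules) else policy

# The three rules from the post.
POSTED = [
    Rule("output", UNPRIV, P(21)),                # outgoing control request
    Rule("input", P(20), UNPRIV),                 # PORT mode: server opens the data channel
    Rule("output", UNPRIV, P(20), not_syn=True),  # our replies on that data channel
]
# Assumed additions for a complete client ruleset: control-channel replies and PASV
# mode, with inbound traffic restricted to non-SYN so it cannot open a new connection.
FULL = POSTED + [
    Rule("input", P(21), UNPRIV, not_syn=True),
    Rule("output", UNPRIV, UNPRIV),
    Rule("input", UNPRIV, UNPRIV, not_syn=True),
]
# Constructed packets: one FTP client session plus one unrelated inbound SYN.
SESSION = {
    "control SYN out":         Packet("output", 1234, 21, True),
    "control SYN/ACK back":    Packet("input", 21, 1234, False),
    "PORT data SYN from 20":   Packet("input", 20, 1235, True),
    "PASV data SYN out":       Packet("output", 1236, 50000, True),
    "unsolicited inbound SYN": Packet("input", 40000, 1237, True),
}

def evaluate(rules):
    return {name: verdict(rules, pkt) for name, pkt in SESSION.items()}
```

Run against POSTED, the three rules alone accept the outgoing control request and the PORT-mode data SYN from port 20 but deny the control-channel reply and any PASV data connection; FULL accepts the whole session while the `! -y` restriction still denies the unsolicited inbound SYN.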