[Techtalk] ipchains and ftp

Conor Daly conor.daly at oceanfree.net
Sat Jun 16 09:17:46 EST 2001


On Sat, Jun 16, 2001 at 01:04:36AM -0400 or so it is rumoured hereabouts, 
kath thought:
> I have a strong ipchains firewall w/ a default policy of deny (of course).
> 
> However, since I did it, I can't ftp out from any machine inside the network or even the firewall itself.
> 
> What rules do I specifically need?  I have ip_masq_ftp running.
> 
> Thanks!
> 
> kath

Here's my relevant ruleset

    /sbin/modprobe ip_masq_ftp

    # ------------------------------------------------------------------
    # FTP client (21)
    # ---------------

    # outgoing request (control channel to the server's port 21)
    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp  -s $IPADDR $UNPRIVPORTS --destination-port 21 -j ACCEPT

    # PORT mode data channel: the server connects from its port 20 to our unprivileged port
    /sbin/ipchains -A input  -i $EXTERNAL_INTERFACE -p tcp  --source-port 20 -d $IPADDR $UNPRIVPORTS -j ACCEPT

    # our replies on that data channel; "! -y" means non-SYN only, so we never open a connection to port 20 ourselves
    /sbin/ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y -s $IPADDR $UNPRIVPORTS --destination-port 20 -j ACCEPT

where $EXTERNAL_INTERFACE, $IPADDR and $UNPRIVPORTS are obvious!  Well, 

$EXTERNAL_INTERFACE is ppp0 or eth0 or whatever device is connected to the
Internet,
$IPADDR is the ip-address of $EXTERNAL_INTERFACE
$UNPRIVPORTS are port numbers > 1023 specifically "1024:65535"

Conor
-- 
Conor Daly <conor.daly at oceanfree.net>

Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
  9:12am  up 1 day,  9:29,  0 users,  load average: 0.08, 0.05, 0.02
Hobbiton.cod.ie
  9:12am  up 1 day,  9:30,  4 users,  load average: 0.21, 0.12, 0.11
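An added illustration, not part of Conor's post or of ipchains itself: a small Python model of what those three rules admit. It decodes the client's PORT command (the same thing ip_masq_ftp has to do on the wire) to learn which unprivileged port the server will connect to from port 20, then evaluates sample packets against the three rules; the client address 192.0.2.10 and the server address in the checks are constructed values.

```python
import re
from dataclasses import dataclass

# Constructed values standing in for the $IPADDR / $UNPRIVPORTS of the ruleset above.
IPADDR = "192.0.2.10"
UNPRIVPORTS = range(1024, 65536)      # "1024:65535"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); port = p1*256 + p2."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a PORT command: %r" % line)
    f = [int(x) for x in m.groups()]
    if any(x > 255 for x in f):
        raise ValueError("field out of range: %r" % line)
    return ".".join(str(x) for x in f[:4]), f[4] * 256 + f[5]

@dataclass(frozen=True)
class Packet:
    chain: str      # "input" or "output", as seen on $EXTERNAL_INTERFACE
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool       # True for the connection-opening SYN (what ipchains -y matches)

# One predicate per ipchains rule, in the order they appear in the post.
RULES = [
    ("output", lambda p: p.src == IPADDR and p.sport in UNPRIVPORTS and p.dport == 21),
    ("input",  lambda p: p.sport == 20 and p.dst == IPADDR and p.dport in UNPRIVPORTS),
    ("output", lambda p: not p.syn and p.src == IPADDR
                         and p.sport in UNPRIVPORTS and p.dport == 20),
]

def accepted(pkt):
    """True if a rule on the packet's chain matches; otherwise the default policy (deny) applies."""
    return any(chain == pkt.chain and match(pkt) for chain, match in RULES)

def data_channel_allowed(port_line, server_ip):
    """Would the server's data connection, announced by this PORT command, get through?"""
    ip, port = parse_port_command(port_line)
    return accepted(Packet("input", server_ip, 20, ip, port, True))
```

A passive-mode (PASV) data connection, an outbound SYN from the client to a high port on the server, matches none of the three rules shown, which is why this set covers PORT mode only.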