I am running CentOS 4.2 and trying to protect an FTP server on localhost with iptables.
I have one remote user with predictable IP address that will be connecting.
Before getting into the proper way of proceeding I decided to allow all traffic to and from this IP address. But it doesn't work; there is trouble with the data port (can log in but cannot list contents).
Here is my file:
-------------------
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 19638 -j ACCEPT
-A INPUT -s -j ACCEPT
-A OUTPUT -d -j ACCEPT
-A OUTPUT -m state --state NEW -m tcp -p tcp --sport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
-------------------
If someone can let me know why this does not work I would be very happy.
I would really like to have passive FTP traffic configured correctly. I do not like allowing all traffic from an address. I believe I have the correct modules loaded:
# modprobe -l *ftp
/lib/modules/2.6.9-34.EL/kernel/net/ipv4/ipvs/ip_vs_ftp.ko
/lib/modules/2.6.9-34.EL/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko
/lib/modules/2.6.9-34.EL/kernel/net/ipv4/netfilter/ip_conntrack_tftp.ko
/lib/modules/2.6.9-34.EL/kernel/net/ipv4/netfilter/ip_nat_ftp.ko
/lib/modules/2.6.9-34.EL/kernel/net/ipv4/netfilter/ip_nat_tftp.ko
Thank you very much, Peter