sTorm
March 18, 2002, 5:26am
1
I have 2 LANs, separated by a firewall running iptables.
I want to allow ftp access only from one LAN to the other.
Server 1 in LAN 1 should have ftp access to Server 2 in LAN 2
Server 2 in LAN 2 should not have ftp access to Server 1 in LAN 1.
Can someone tell me how to set up the rules for that?
PxT
March 18, 2002, 3:37pm
2
Just a guess, but this should work (iptables experts can correct me)
Assume:
server1 IP is 192.168.0.1
server2 IP is 192.168.100.1
# Allow ftp to server 2 from 1
iptables -A INPUT -s 192.168.0.1 -d 192.168.100.1 -p tcp -m tcp --dport 21 -j ACCEPT
# Deny ftp from server 2 to server 1
iptables -A INPUT -s 192.168.100.1 -d 192.168.0.1 -p tcp -m tcp --dport 21 -j DROP
sTorm
March 19, 2002, 2:14am
3
Thx for your reply.
What if the traffic has to be forwarded? Can I just replace INPUT with FORWARD?
sTorm
March 20, 2002, 7:38am
4
For those who want to know, here is the iptables rule to block ftp connection requests from one side, and allow the request from the other:
# ftp control connection
iptables -A FORWARD -i eth1 -o eth0 -p TCP --sport 1024:65535 --dport ftp -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP ! --syn --sport ftp --dport 1024:65535 -j ACCEPT
! --syn
means there is no connection request, so the packet can continue its way through the firewall.
Just in case somebody wants to know.
eNTer
March 29, 2002, 10:54am
5
Originally posted by sTorm
For those who want to know, here is the iptables rule to block ftp connection requests from one side, and allow the request from the other:
# ftp control connection
iptables -A FORWARD -i eth1 -o eth0 -p TCP --sport 1024:65535 --dport ftp -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP ! --syn --sport ftp --dport 1024:65535 -j ACCEPT
! --syn
means there is no connection request, so the packet can continue its way through the firewall.
Just in case somebody wants to know.
What should be done if I want to use passive mode? I think that these two lines above will not be sufficient.
sTorm
April 2, 2002, 1:54am
6
These two lines are just for the control connection. For the data transfer, two more lines have to be added:
iptables -A FORWARD -i eth0 -o eth1 -p TCP --sport ftp-data --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p TCP --sport 1024:65535 --dport ftp-data -j ACCEPT
This is for the active mode.
If you want to use passive mode, change the port from "ftp-data" to "1024:65535" in the two lines above. Although I didn't try it, it should work fine.
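Added editor's example, not code from any poster in this thread: a small Python model of the stateless FORWARD rules above, run against constructed packets. It shows the intended control-connection behaviour (client SYN from LAN 1 accepted, server SYN from LAN 2 dropped) and also what the "ftp-data" to "1024:65535" passive-mode change costs: any new connection from a high port on the LAN 2 side to a high port on the LAN 1 side is accepted, which is the direction the original question wanted blocked. The interface mapping (eth1 = LAN 1 client side, eth0 = LAN 2 server side) is read from the rules themselves; the stateful alternative in iptables is `-m state --state ESTABLISHED,RELATED` together with the FTP connection-tracking helper, which lets the data connection through only when a tracked control session negotiated it.

```python
from dataclasses import dataclass

FTP, FTP_DATA = 21, 20              # the "ftp" and "ftp-data" service names
HIGH = range(1024, 65536)           # the 1024:65535 port range used in the thread


@dataclass(frozen=True)
class Packet:
    in_if: str    # -i
    out_if: str   # -o
    sport: int
    dport: int
    syn: bool     # True for a bare SYN, i.e. a new connection request


def port_matches(port, spec):
    return port in spec if isinstance(spec, range) else port == spec


def rule(in_if, out_if, sport, dport, not_syn=False):
    """One '-j ACCEPT' FORWARD rule as a predicate; not_syn models '! --syn'."""
    def match(p):
        return (p.in_if == in_if and p.out_if == out_if
                and port_matches(p.sport, sport) and port_matches(p.dport, dport)
                and not (not_syn and p.syn))
    return match


# eth1 = LAN 1 (the client that may use FTP), eth0 = LAN 2 (the FTP server),
# which is the direction the thread's rules encode.
CONTROL = [rule("eth1", "eth0", HIGH, FTP),
           rule("eth0", "eth1", FTP, HIGH, not_syn=True)]
ACTIVE_DATA = [rule("eth0", "eth1", FTP_DATA, HIGH),
               rule("eth1", "eth0", HIGH, FTP_DATA)]
PASSIVE_DATA = [rule("eth0", "eth1", HIGH, HIGH),   # "ftp-data" -> "1024:65535"
                rule("eth1", "eth0", HIGH, HIGH)]


def forward(p, rules):
    """FORWARD chain: the first matching rule ACCEPTs, otherwise the policy DROPs."""
    return "ACCEPT" if any(r(p) for r in rules) else "DROP"


if __name__ == "__main__":
    # Constructed packets: intended FTP use, the reverse direction, and an
    # unrelated connection attempt that only the passive-mode variant lets through.
    print(forward(Packet("eth1", "eth0", 40000, FTP, True), CONTROL))        # ACCEPT
    print(forward(Packet("eth0", "eth1", FTP, 40000, False), CONTROL))       # ACCEPT
    print(forward(Packet("eth0", "eth1", 40000, FTP, True), CONTROL))        # DROP
    print(forward(Packet("eth0", "eth1", 5000, 8080, True), ACTIVE_DATA))    # DROP
    print(forward(Packet("eth0", "eth1", 5000, 8080, True), PASSIVE_DATA))   # ACCEPT
```

The active-mode rules have a narrower version of the same gap: anything sourced from port 20 on the LAN 2 side reaches every high port on the LAN 1 side, which is why connection tracking is preferred over matching ports alone.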