I have 2 LAN's, seperated by a firewall, running iptables on it.
I want only allow ftp access from one to the other LAN.
Server 1 in LAN 1 should have ftp access to Server 2 in LAN 2
Server 2 in LAN 2 should not have ftp access to Server 1 in LAN 1.
Can someone tell me how to set up the rules for that?
Just a guess, but this should work (iptables experts can correct me)
Assume:
server1 IP is 192.168.0.1
server2 IP is 192.168.100.1
# Allow ftp to server 2 from 1
iptables -A INPUT -s 192.168.0.1 -d 192.168.100.1 -p tcp -m tcp --dport 21 -j ACCEPT
# Deny ftp from server 2 to server 1
iptables -A INPUT -s 192.168.100.1 -d 192.168.0.1 -p tcp -m tcp --dport 21 -j DROP
Thx for your reply.
What if the traffic has to be forwarded? Can I just replace INPUT with FORWARD?
For those who want to know, here is the iptables rule to block ftp connection requests from one side, and allow the request from the other:
# ftp control connection
iptables -A FORWARD -i eth1 -o eth0 -p TCP --sport 1024:65535 --dport ftp -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p TCP ! --syn --sport ftp --dport 1024:65535 -j ACCEPT
! --syn
Means, there's no connection request. Therefore, the packet can continue it's way through the firewall.
Just in case somebody wants to know.
What should be done if I want to use passive mode? I think that these two lines above will not be sufficient
These two lines are just for the control connection. For the data transfer, two more lines have to be added:
iptables -A FORWARD -i $eth0 -o $eth1 -p TCP --sport ftp-data --dport 1024:65535 -j ACCEPT
iptables -A FORWARD -i $eth1 -o eth0 -p TCP --sport 1024:65535 --dport ftp-data -j ACCEPT
This is for the active mode.
If you want to use passive mode, change the port from "ftp-data" to "1024:65535" in the two lines above. Although I didn't try it, it should work fine.