Asked Sunday, July 17, 2022

I'm experimenting with IPTs (iptables) in Xubuntu.



My first experiment was to allow all OUTPUT traffic and block all INPUT except already existing TCP connections. Can somebody verify whether these are correct?



[screenshot of the iptables rules]



To go a bit more advanced, I'm trying to allow all TCP connections to active services on my workstation. My idea is to do an nmap scan and grep the listening/open ports, but I'm probably overthinking it.



Finally I'm trying to allow FTP.

I used this additional rule to allow FTP but it seems I still get blocked



sudo iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
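As an added example that is not part of the question or the answer: a POSIX shell script that prints the ruleset the question describes (OUTPUT open, INPUT closed except loopback and established/related traffic) and derives the per-service ACCEPT rules from the machine's own listening sockets with ss from iproute2, which is simpler than an nmap scan against yourself and also sees ports bound only to loopback. The ss output embedded below is constructed sample data; set USE_LIVE_SS=1 to read the real sockets. It uses the conntrack match, which supersedes the older state match in the question, and prints rules instead of applying them, so it runs without root. It covers IPv4 only; ip6tables needs the same treatment separately.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (does not apply) an
# iptables ruleset: default-deny INPUT, open OUTPUT, plus one NEW-accept rule
# per TCP port that is actually listening on a non-loopback address.
# Review the output, then run it with: ./thisscript | sudo sh

# Constructed sample of "ss -ltnH" (listening, TCP, numeric, no header).
# Columns: State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

listening_sockets() {
  if [ -n "$USE_LIVE_SS" ]; then
    ss -ltnH                      # live listening TCP sockets from iproute2
  else
    printf '%s\n' "$SAMPLE_SS"    # constructed sample (assumption)
  fi
}

# Unique listening ports bound on something other than loopback.
# Ports bound only to 127.0.0.1 / ::1 are already covered by the "-i lo" rule.
listening_ports() {
  listening_sockets | awk '
    { n = split($4, a, ":"); port = a[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next
      seen[port] = 1 }
    END { for (p in seen) print p }' | sort -n
}

# The baseline the question asks about: everything out, nothing in except
# loopback and packets belonging to (or related to) a connection we started.
baseline_rules() {
  cat <<'EOF'
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
}

# One rule per listening service, so new inbound connections reach only
# ports that are really open.
service_rules() {
  listening_ports | while read -r port; do
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
  done
}

generate_ruleset() {
  baseline_rules
  service_rules
}

generate_ruleset
```

With the sample data this emits the seven baseline rules followed by NEW-accept rules for ports 21 and 22; port 631 (CUPS on 127.0.0.1) is left to the loopback rule. Re-run it after starting or stopping a service rather than keeping a hand-maintained port list.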


Answer

FTP is a bit odd in that you need to allow inbound traffic on port 21 and outbound traffic on port 20:



sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT    # FTP control connection, inbound
sudo iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT   # active-mode data connection, outbound from port 20


In addition, FTP will use a random higher port. To allow this, you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read



IPTABLES_MODULES="ip_conntrack_ftp"


You will still need a way to save your iptables configuration and restore it when you boot. Ubuntu does not have a simple way of doing this. Basically, you can either use /etc/rc.local or disable NetworkManager and use networking scripts.



First save your rules:



sudo sh -c 'iptables-save > /etc/iptables.save'   # iptables-save writes to stdout; redirect as root


Method 1 : Edit /etc/rc.local and add the line



iptables-restore /etc/iptables.save


Method 2 : Edit /etc/network/interfaces and use "post-up" to bring our iptables rules up.



auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
post-up /sbin/iptables-restore /etc/iptables.save


Then reboot.



The preferred method is probably to use UFW



sudo ufw allow ftp


UFW is the default tool for Ubuntu, uses syntax very similar to iptables, and is enabled and restored on rebooting.



See:



https://serverfault.com/questions/38398/allowing-ftp-with-iptables



http://slacksite.com/other/ftp.html



http://bodhizazen.com/Tutorials/iptables



https://help.ubuntu.com/community/UFW


[#32466] raacket, Monday, July 18, 2022
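As an added example, not code from the answer: why a rule for port 21 alone is not enough, and what the conntrack helper does about it. The first function decodes the endpoint of the FTP data connection from a PASV reply or a PORT command (the messages used here are constructed samples; the arithmetic is the protocol's own p1*256+p2). The second prints the rules for a workstation running an FTP server on a current Ubuntu kernel, where the module is named nf_conntrack_ftp and the helper has to be attached explicitly with the CT target, because automatic helper assignment has been off by default since kernel 4.7 and the sysctl that re-enabled it was removed in 6.0. Rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not from the original answer.
#
# Passive mode: server replies "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# and the CLIENT connects to h1.h2.h3.h4 port p1*256+p2.
# Active mode:  client sends "PORT h1,h2,h3,h4,p1,p2" and the SERVER connects
# from port 20 to h1.h2.h3.h4 port p1*256+p2.
# Either way the data port is chosen at run time, so no fixed --dport rule can
# match it. The ftp conntrack helper reads these messages on the control
# channel and marks the resulting data connection RELATED.

# Print "ip port" for a PASV reply or a PORT command given as $1.
# Everything except digits and commas is blanked, then the first field with
# six comma-separated numbers is the endpoint.
ftp_data_endpoint() {
  printf '%s\n' "$1" | tr -c '0-9,\n' ' ' | awk '
    { for (i = 1; i <= NF; i++) {
        if (split($i, p, ",") == 6) {
          printf "%s.%s.%s.%s %d\n", p[1], p[2], p[3], p[4], p[5] * 256 + p[6]
          exit
        }
      }
    }'
}

# Rules for an FTP server behind a default-deny INPUT chain (printed, not run).
ftp_rules() {
  cat <<'EOF'
# helper module; ip_conntrack_ftp is its pre-2.6.20 name
modprobe nf_conntrack_ftp
# control channel in
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# attach the helper to new control connections (not automatic on current kernels)
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# the helper makes the data connection RELATED: passive (inbound to a high
# port) and active (outbound from port 20) are both covered by these two rules
iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Constructed sample messages, decoded for the reader:
ftp_data_endpoint '227 Entering Passive Mode (192,168,1,10,195,149).'   # 192.168.1.10 50069
ftp_data_endpoint 'PORT 192,168,1,5,4,1'                                # 192.168.1.5 1025
ftp_rules
```

Check that the helper is really attached with `sudo conntrack -L | grep ftp` (from the conntrack package) while a client is logged in; if the data connection stalls after LIST, the helper is missing and only the control channel was accepted. To persist the rules on Ubuntu without rc.local, the iptables-persistent package stores the output of iptables-save in /etc/iptables/rules.v4 and restores it at boot (`sudo netfilter-persistent save`).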