Mailing List Archive

Firewall setting
Dear All,

For the firewall setting, how can we use the FTP and SSH services?

For file 1:

#!/bin/bash

# Load netfilter and the FTP connection-tracking helper. These are the
# 2.4/2.6-era module names; newer kernels call them nf_conntrack,
# nf_conntrack_ftp and nf_nat_ftp. ip_conntrack_ftp watches the FTP
# control channel (port 21) so that the separate data connection is
# tracked as RELATED to it.
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Flush all rules (-F) and delete user-defined chains (-X) in every table
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle

# Default policies: accept everywhere except the filter INPUT chain,
# which file 2 sets to DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

For file 2:

# Default-deny inbound; accept loopback and what follows
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# ESTABLISHED: later packets of accepted connections (the rest of each SSH/FTP
# handshake). RELATED: connections the ftp helper expects, i.e. the FTP data
# channel, plus ICMP errors; without it passive-mode data connections are dropped
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# FTP control channel and SSH
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Edward.
Re: Firewall setting
Dear Edward,

It is not very clear what you want to do. If you want to allow SSH
connections to a specific host, AFAIK the below can help:

#!/bin/bash

# Flush all rules in every table
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Delete user-defined chains
iptables -X
iptables -t nat -X
iptables -t mangle -X

# Setting policies: drop everything and later allow what you need

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
# Accept the later packets of connections already let in (the rest of the
# SSH handshake and session) and replies to connections this host opened;
# with only the NEW rule below, nothing after the first SYN would get in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

Related to FTP, in the following link (or some other source) you will
find an explanation of how FTP works.
Link:
http://slacksite.com/other/ftp.html#active

Best wishes

Elvir Kuric

PS: What do you mean by "file 1" and "file 2"?




On 9/8/07, edwardspl@ita.org.mo <edwardspl@ita.org.mo> wrote:
Re: Firewall setting
Update: related to FTP

http://www.kalamazoolinux.org/presentations/20010417/conntrack.html

At the very end of the article there is an additional explanation related
to FTP / iptables.

Regards

Elvir

On 9/8/07, Elvir Kuric <omasnjak@gmail.com> wrote:
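The thread touches on three pieces that have to fit together for SSH and FTP to pass a default-deny INPUT chain: the FTP conntrack helper has to be loaded, packets after the first SYN must be accepted as ESTABLISHED, and the FTP data channel the helper registers must be accepted as RELATED. The script below is an added example (not code from either poster) that puts those pieces together as an iptables-restore file, so the whole rule set is loaded in one atomic step rather than command by command over the very SSH session being firewalled. It assumes the host is an FTP server with its passive data ports pinned to 50000-50100 and SSH logins arriving from 192.0.2.0/24 (a documentation prefix standing in for the real admin network); both values are placeholders. It also assumes a kernel recent enough to have the raw table and the CT target (2.6.38 or later): on the 2.4-era kernel in the thread, loading ip_conntrack_ftp is what attaches the helper and the raw-table rule would have to be dropped.

```shell
#!/bin/sh
# Added example, not code from either poster. A minimal host firewall that
# admits SSH and FTP (control and data channels), written as an
# iptables-restore file so the whole rule set loads atomically.
#
# Assumptions not stated in the thread: the machine is an FTP server whose
# passive data ports are pinned to 50000-50100, and SSH logins come from
# 192.0.2.0/24 (a documentation prefix standing in for the real admin net).

PASV_RANGE="50000:50100"
ADMIN_NET="192.0.2.0/24"

# gen_rules: write the rule set to stdout. Lines starting with '#' are
# comments to iptables-restore.
gen_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Kernels 4.7 and later no longer attach conntrack helpers automatically.
# Bind the ftp helper to the control channel explicitly; it reads the
# PORT/PASV exchange and registers the expected data connection as RELATED.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Everything after the first SYN of an accepted connection, and replies to
# connections this host opened (active-mode data connections from port 20).
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# RELATED is accepted narrowly: ICMP errors, and data connections the ftp
# helper expects, only into the passive range. A blanket ESTABLISHED,RELATED
# rule would also admit whatever any loaded helper expects, on any port.
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -p tcp --dport ${PASV_RANGE} -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
# New connections: SSH from the admin network, FTP control from anywhere.
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# apply_rules: load the helper module and install the rules atomically.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    # nf_conntrack_ftp is the current module name; ip_conntrack_ftp is the
    # 2.4/2.6-era name used in the thread.
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    gen_rules | iptables-restore
}

# Usage: ./ftp-ssh-fw.sh         prints the rule set for review
#        ./ftp-ssh-fw.sh apply   installs it (as root)
case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments first and read the output; once applied, `iptables-save` should show the same rules, and `cat /proc/net/nf_conntrack` (or `conntrack -L`) during an FTP transfer shows the data connection with the ftp helper attached. The FTP server must be configured to use the same passive port range as PASV_RANGE, otherwise the helper will register data connections on ports the filter never accepts.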