Ubuntu – Configuration of iptables (verfication, actives services, allow FTP)

configurationftpiptables

I’m experimenting with IPT's (iptables) in Xubuntu.

First experimentation wato allow all OUTPUT traffic and block all INPUT except already existing TCP connections can somebody verify if these are correct

enter image description here

To go a bit more advanced I'm trying to allow als TCP connections to active services on my workstation. My idea is to do a nmap scan and grep the listening/open ports but I'm probably over thinking it.

Finally I'm trying to allow FTP.
I used this additional rule to allow FTP but it seems I still get blocked

sudo iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

Best Answer

FTP is a bit odd in that to allow inbound traffic on port 21 and outbound traffic on port 20 :

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

In addition ftp will use a random higher port. To allow this you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read

IPTABLES_MODULES="ip_conntrack_ftp"

You will still need a way to save your iptables configuration and restore it when you boot. Ubuntu does not have a simple way of doing this. Basically you can either use /etc/rc.local or disable NetworkManager and use networking scripts.

First save your rules:

sudo iptables-save /etc/iptables.save

Method 1 : Edit /etc/rc.local and add the line

iptables-restore /etc/iptables.save

Method 2 : Edit /etc/network/interfaces and use "post-up" to bring our iptables rules up.

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
post-up /sbin/iptables-restore /etc/iptables.save

Then reboot.

The preferred method is probably to use UFW

sudo ufw allow ftp

UFW is the fedault tool for Ubuntu, uses syntax very similar to iptables, and is enabled and restored on rebooting.

See:

https://serverfault.com/questions/38398/allowing-ftp-with-iptables

http://slacksite.com/other/ftp.html

http://bodhizazen.com/Tutorials/iptables

https://help.ubuntu.com/community/UFW

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

When you send a HTTP request to the other server, you're using TCP. First, a SYN packet go outside to the other server from a random high port, then you'll receive a ACK response. Finally you send SYN/ACK to the server and the server responds with the requested document (in multiple packets). Your rules do not allow the ACK packet to be received and therefore the connection cannot be established. Add a rule like:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

You don't get iptables logs for free. Your rules should look like:

# if no rule matched, the input should be dropped
-P INPUT DROP

-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# etc

# the limit prevents your logs from being flooded if there are a lot packets being captured
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied" --log-level debug

Note that I've omitted iptables before the commands, I recommend using iptables-restore (or iptables-apply for testing) to avoid locking yourself out if a rule fails to apply. The file to be passed to the command looks like:

*FILTER
# your rules here, for example:
-P INPUT DROP
-P INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT

A newline after the COMMIT line is mandatory.

By default, the entries go to /var/log/kern.log. Not good if you want to differentiate between kernel and iptables messages, so create a filter for rsyslog in /etc/rsyslog.d/iptables.conf containing:

:msg,contains,"iptables denied" /var/log/iptables.log
& ~

This will filter iptables errors and send those to /var/log/iptables.log.

Best Answer

Related Solutions

Ubuntu – Which INPUT rules do I need to add to iptables so apt (apt-get, aptitude) can work (update, upgrade, search, install)

Related Question