FTP (21) data through Firewall (ipchains)

Neil Pickford neilp at goldweb.com.au
Sat Aug 11 19:06:58 EST 2001


Hello

I have been securing up my server and have established an input
chain where the default is to deny traffic over the dialup connection
to my ISP.  Previously the default was allow. (ipchains)

I have now punched holes in the input chain for just the services
(ports) that I am using, however how do I handle allowing FTP data
connections where I have initiated the FTP connection, but FTP 
chooses a random port number for the data link.  

I could open up all TCP ports from 4096 to 65535 but I think 
that defeats the purpose of the firewall.

Can anyone point me in the right direction here?

Slackware 2.2.13 using ipchains and masquerade to a private class C
Only 1 static IP address in use for the server that is running WWW,
Caching DNS, XNTPD, SMTP & POP3 (all these are working fine)

Typically I am using the following type of commands in the chain.
# ipchains evaluates the input chain first-match, so the specific ACCEPT
# rules must be appended before the catch-all DENY on the dialup interface.
/sbin/ipchains -A input -j ACCEPT -i ppp+ -s 0/0 21 -d 198.142.100.231 -p tcp
/sbin/ipchains -A input -j DENY -i ppp+

The Forward chain denies all but is masquerading
The Output chain allows all

Neil Pickford
mailto:neilp at goldweb.com.au
http://happy.emu.id.au/
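The two problems raised above, rule order on the input chain and the random FTP data port, as an added example that is not part of the original post: a small model of ipchains first-match evaluation over the post's server address 198.142.100.231. It assumes the usual ipchains matches (-i with a `ppp+` wildcard, source and destination port ranges, and `-y` / `! -y` for SYN-only versus established-flow packets); the packets and port numbers are constructed.

```python
# Added example, not from the original post: a tiny model of how ipchains
# walks the input chain (first matching rule decides, else the chain policy).
# It shows that appending DENY before ACCEPT shadows the ACCEPT, and that FTP
# data can be admitted without opening 4096-65535 to brand-new connections:
# active-mode data arrives from source port 20, and passive-mode data replies
# are non-SYN packets (ipchains "! -y") on a flow this host opened.
from dataclasses import dataclass

@dataclass
class Rule:
    target: str                  # "ACCEPT" or "DENY"
    iface: str = "ppp+"          # trailing "+" is an ipchains prefix wildcard
    sport: tuple = (0, 65535)    # source port range (lo, hi)
    dport: tuple = (0, 65535)    # destination port range (lo, hi)
    syn: "bool | None" = None    # True: -y (SYN only), False: ! -y, None: any

def match(rule, pkt):
    """True if the constructed packet satisfies every criterion of the rule."""
    if rule.iface.endswith("+"):
        if not pkt["iface"].startswith(rule.iface[:-1]):
            return False
    elif pkt["iface"] != rule.iface:
        return False
    if not rule.sport[0] <= pkt["sport"] <= rule.sport[1]:
        return False
    if not rule.dport[0] <= pkt["dport"] <= rule.dport[1]:
        return False
    return rule.syn is None or rule.syn == pkt["syn"]

def verdict(chain, pkt, policy="DENY"):
    """ipchains first-match: the first rule that matches decides the packet."""
    for rule in chain:
        if match(rule, pkt):
            return rule.target
    return policy

# Chain as the post appends it: the catch-all DENY comes first, so the
# ACCEPT for the FTP control channel (remote port 21) is never reached.
AS_POSTED = [Rule("DENY"), Rule("ACCEPT", sport=(21, 21))]

# FTP-aware chain with a DENY policy (constructed rules, not the post's):
FTP_AWARE = [
    Rule("ACCEPT", sport=(21, 21)),                          # control channel
    Rule("ACCEPT", sport=(20, 20), dport=(1024, 65535)),     # active-mode data
    Rule("ACCEPT", dport=(1024, 65535), syn=False),          # replies to our flows
]

def control_reply():      return {"iface": "ppp0", "sport": 21, "dport": 33000, "syn": False}
def active_data_syn():    return {"iface": "ppp0", "sport": 20, "dport": 40123, "syn": True}
def passive_data_reply(): return {"iface": "ppp0", "sport": 51000, "dport": 40124, "syn": False}
def unsolicited_syn():    return {"iface": "ppp0", "sport": 51000, "dport": 40125, "syn": True}
```

This models the rule semantics only, not ipchains itself; clients masqueraded behind the box additionally rely on the kernel's ip_masq_ftp helper to track the data port.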
