How to open FTP connections in iptables. Let's see how this works!
The default policy of the INPUT chain of the iptables filter table is DROP; the other chains are ACCEPT. This machine is used as an ftp server and also needs to connect to other ftp servers as a client, so the first idea was to open port 21 in both directions, as source port and as destination port:
iptables -A INPUT -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Is opening port 21 enough? No. First a word about the ftp protocol. FTP is a simple TCP protocol with no confidentiality: everything, including the user name and password, travels in plaintext. The client first connects to port 21 on the server, and after the TCP three-way handshake this control connection is established. Note that the control connection carries only ftp commands and replies. No file data crosses it, not even the directory listing you get from "ls".
Once the control connection is established, the server needs a separate data connection for every transfer. Data connections come in two modes, active and passive. Clients normally default to passive mode; in the command-line ftp client the "passive" command toggles between the two. In active mode the server connects from its port 20 to a port the client announces; in passive mode the server listens on a port above 1024 and the client connects to it. Because that port is allocated at random, in passive mode we do not know in advance which server port the client will connect to. That is to say, we do not know which port iptables should open.
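To make the negotiation concrete, here is an added example (not code from the original post): a small POSIX sh parser that does what a firewall, or the kernel's ftp connection-tracking helper, has to do: read the PORT command and the 227/229 replies on the control connection and work out the data connection each one announces. The session transcript, the host addresses and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original page: how an FTP data connection is
# announced in-band on the control connection. This is the text a firewall has
# to parse to learn which port to open, and it is what the kernel's ftp
# conntrack helper does. The session transcript below is constructed.

# Convert an RFC 959 "h1,h2,h3,h4,p1,p2" tuple (used by PORT and by the 227
# PASV reply) into host:port. The port is p1*256 + p2.
hostport_from_tuple() {
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# Given one control-channel line (either direction), print the data endpoint it
# announces and which side will open the data connection. Returns 1 for lines
# that announce nothing.
data_endpoint() {
    line=$(printf '%s' "$1" | tr -d '\r')
    case "$line" in
        PORT\ *)
            # Active mode: the client names its own host/port; the server will
            # then connect to it from server port 20.
            ep=$(hostport_from_tuple "${line#"PORT "}") || return 1
            echo "active server:20->$ep"
            ;;
        227\ *)
            # Passive mode: the server names the random high port it is now
            # listening on; the client will connect to it.
            inner=${line#*"("}
            inner=${inner%%")"*}
            ep=$(hostport_from_tuple "$inner") || return 1
            echo "passive client->$ep"
            ;;
        229\ *)
            # Extended passive (RFC 2428): "229 ... (|||port|)", same host as
            # the control connection.
            inner=${line#*"(|||"}
            inner=${inner%%"|"*}
            echo "passive client->[control-host]:$inner"
            ;;
        *)
            return 1
            ;;
    esac
}

# Constructed sample session (client lines have no reply code; server replies
# start with a three-digit code), as a firewall between the two would see it.
sample_session() {
    cat <<'EOF'
220 FTP server ready.
USER anonymous
331 Please specify the password.
PASS guest@example.org
230 Login successful.
PORT 10,0,0,5,195,80
200 PORT command successful.
LIST
150 Here comes the directory listing.
226 Directory send OK.
PASV
227 Entering Passive Mode (192,168,1,10,234,21).
RETR notes.txt
150 Opening BINARY mode data connection for notes.txt (42 bytes).
226 Transfer complete.
EPSV
229 Entering Extended Passive Mode (|||50000|).
EOF
}

# Walk the session and print every data connection a stateless firewall would
# have had to know about in advance.
expected_data_connections() {
    sample_session | while IFS= read -r line; do
        data_endpoint "$line" || true
    done
}

expected_data_connections
```

The PORT line and the 227/229 replies are the only places the data port appears, and they are plaintext; that is the sole reason a packet filter can learn the port at all. Wrap the control connection in TLS (FTPS) and neither this parser nor the kernel's ftp helper can see them any more.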
At first I used
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -j ACCEPT
to let ftp establish passive connections. But that accepts every inbound connection from an unprivileged port to an unprivileged port, which means all P2P traffic (and any other service listening above 1024) is open too. That is insecure.
So I asked on CU (the ChinaUnix forum) and finally found the solution:
1. Load the modules:
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
(These are the 2.4 and early 2.6 kernel names; on current kernels the same modules are called nf_conntrack, nf_conntrack_ftp and nf_nat_ftp, and the nat module is only needed if the machine also NATs ftp traffic.)
2. Add the rule:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This admits the passive-mode data connection: the ftp connection-tracking helper reads the PASV reply on the control connection, learns which port the server has just opened, and marks the incoming data connection as RELATED to the control connection, so it is accepted without opening the whole high-port range. The same rule covers active mode and the sessions this server opens to other ftp servers. The helper can only do this because the control channel is plaintext; if it is wrapped in TLS (FTPS) the helper sees nothing and the passive port range has to be pinned and opened explicitly.
The problem is finally solved.
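Putting the steps above together, here is an added example (not the page's own script) of the complete firewall policy for an ftp server built on connection tracking, using the module, match and target names current kernels use. It assumes a kernel and iptables recent enough to have the conntrack match and the CT target; the IPTABLES variable, the 50000-50100 passive range and the function names are assumptions for illustration. Rules are only printed unless the script is run with --apply as root.

```sh
#!/bin/sh
# Added example, not code from the original page: the complete INPUT policy for
# an ftp server built on connection tracking, as the page describes, with the
# names current kernels use. Rules are printed, not executed, unless the script
# is run as "sh ftp-fw.sh --apply" (as root). The IPTABLES variable and the
# passive range 50000-50100 are assumptions for illustration.

IPTABLES=${IPTABLES:-iptables}

# ip_conntrack / ip_conntrack_ftp / ip_nat_ftp are the 2.4/early-2.6 names; the
# same helpers live in the nf_* modules today. nf_nat_ftp is only needed when
# this box also NATs ftp traffic (a gateway), not for a plain server.
ftp_modules() {
    echo nf_conntrack
    echo nf_conntrack_ftp
    echo nf_nat_ftp
}

# Rules for the server, one per line, in the order they must be applied.
# Policies come last so a re-run never locks out the session applying them.
ftp_server_rules() {
    echo "-F"
    echo "-t raw -F"
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # The rule the page arrives at: it admits the RELATED data connection in
    # either mode, plus replies to sessions we open to other ftp servers.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Since Linux 4.7 loading nf_conntrack_ftp no longer attaches the helper
    # automatically (newer kernels dropped the switch entirely); it has to be
    # assigned explicitly in the raw table, for inbound and for our own
    # outbound ftp sessions.
    echo "-t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
    echo "-t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp"
    echo "-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    # No "--sport 21 -j ACCEPT": outbound sessions are covered by
    # ESTABLISHED,RELATED, and anyone can send packets from source port 21.
    echo "-P INPUT DROP"
    echo "-P FORWARD ACCEPT"
    echo "-P OUTPUT ACCEPT"
}

# FTPS (ftp over TLS) encrypts the control connection, so no helper can read the
# PASV reply. The only option then is to pin the server's passive range (for
# vsftpd: pasv_min_port/pasv_max_port) and open exactly that range.
ftps_passive_rule() {
    lo=${1:-50000}
    hi=${2:-50100}
    echo "-A INPUT -p tcp --dport $lo:$hi -m conntrack --ctstate NEW -j ACCEPT"
}

apply_rules() {
    for m in $(ftp_modules); do
        modprobe "$m"
    done
    ftp_server_rules | while IFS= read -r rule; do
        # Unquoted on purpose: each line is a whole argument list.
        $IPTABLES $rule
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    ftp_server_rules | while IFS= read -r rule; do
        echo "$IPTABLES $rule"
    done
fi
```

The point of the CT target rules is easy to miss on a modern box: the page's step 1 (loading the helper module) used to be enough, but today the module does nothing until a rule assigns the helper to the control connection, and without it port 21 works while every data connection silently hits the DROP policy.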
For more information, see iptables FTP settings.
iptables:
Allow access to the ftp server, regardless of the mode;
Except for xxx.xxx.xxx.123, drop all connections to all machines except ftp.
I have never managed to set up these two rules. I hope the experts can help me. Thank you!
I have already solved this problem.
Haha, here it is. Let's see if there is any problem with it...
iptables -N ftp                                                   # the custom chain must exist before rules jump to it
iptables -A INPUT -s xxx.xxx.xxx.123 -j ACCEPT
iptables -A INPUT -p tcp ! -s xxx.xxx.xxx.123 -j ftp             # "! -s" is the current syntax; "-s !" is the old form
iptables -A ftp -p tcp --dport 21 -m state --state NEW -j ACCEPT  # added: new control connections must get in, or the DROP below ends every session
iptables -A ftp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A ftp -s 0/0 -j DROP                                    # chain name was "ftps" in the post; it has to match the chain above
Through the explanation above we have seen how to enable ftp connections under iptables. I hope it is useful to you!