While recently studying Linux firewall configuration, I found that after the firewall was deployed, FileZilla and CuteFTP could no longer log in: listing a directory would always fail. But from the command-line client, if I first run `passive off`, everything works.
I found the answer on CU; the key is to use ip_conntrack_ftp.
Original:
With -P INPUT DROP, network access is normal, but FTP connections fail?
Following the usual approach of opening only the FTP service on port 21 and blocking everything else, one would generally configure:
iptables -P INPUT DROP                                        # default policy: drop everything not explicitly accepted
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT      # replies to connections we already know about
iptables -A INPUT -p tcp --dport 21 -j ACCEPT                 # FTP control channel
With this configuration, you can verify that the FTP client connects to the FTP host and sees the welcome/login banner, but the subsequent directory listing and file retrieval fail...
The FTP protocol distinguishes between active mode and passive mode for the data channel. In passive mode, the protocol has the FTP client connect to a port (above 1024) that the FTP server itself chooses and announces, and the data is transferred over that connection.
The configuration above works for active-mode transfers, but fails in passive mode, because the host firewall rules do not allow the FTP client to connect to the port announced by the FTP server.
To solve this, iptables has a helper named ip_conntrack_ftp that inspects the FTP protocol commands on the port-21 connection and tells the connection tracker which data connection to expect, so that the firewall rules can match it. To enable it:
modprobe ip_conntrack_ftp                                             # load the FTP connection-tracking helper
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT      # RELATED now covers the passive data connection
iptables -A INPUT -i lo -j ACCEPT                                     # loopback traffic
iptables -A INPUT -p tcp --dport 21 -j ACCEPT                         # FTP control channel
The RELATED entry added to the -m state rule refers to packets that open a new connection on their own, but which are triggered by an existing FTP connection, so they are treated as belonging to it.
However, if the host's FTP service does not run on port 21, adjust it as follows:
modprobe ip_conntrack_ftp ports=21,30000                              # tell the helper which control ports to inspect
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT                         # FTP control channel on 21
iptables -A INPUT -p tcp --dport 30000 -j ACCEPT                      # second FTP control channel on 30000
That is, the host provides FTP service on ports 21 and 30000, and with the ports= parameter the ip_conntrack_ftp helper inspects both, so FTP clients can use passive mode on either without problems.
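As an added example (not code from this post or from the CU thread it quotes), the script below turns the rule set above into a function that takes any number of FTP control ports and loads the helper with the matching ports= list, and it also includes a small parser for the server's "227 Entering Passive Mode" reply, which is exactly what the helper reads on the control channel to know which incoming data connection to mark RELATED (so it illustrates the passive-mode explanation earlier as well). It assumes the helper module is called nf_conntrack_ftp (the ip_conntrack_ftp name used in the post is the 2.6-era name), it binds the helper explicitly with the CT target because kernels from 4.7 on no longer assign helpers automatically, and it sets the DROP policy after the ACCEPT rules rather than first. The function names, the DRY_RUN switch and the sample 227 reply are mine, not from the page.

```shell
#!/bin/sh
# Added example, not code from the original post or the CU thread.
# Builds (or applies) the INPUT rule set for a list of FTP control ports,
# loads the conntrack FTP helper with a matching ports= list, and parses
# the server's 227 reply the way the helper does.
#
# Assumptions (not stated on the page): helper module nf_conntrack_ftp
# (ip_conntrack_ftp on 2.6 kernels); explicit helper binding via the CT
# target for kernels >= 4.7; DRY_RUN=1 prints commands instead of running
# them, so the rule set can be reviewed without root.

FTP_HELPER_MODULE=${FTP_HELPER_MODULE:-nf_conntrack_ftp}

# run CMD...: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_rules PORT...: the rule set from the post, generalised to N control ports.
# The passive data port is never opened explicitly; the helper marks that
# connection RELATED after reading the 227 reply on the control channel.
# Rules are appended (no flush); add your own management port (e.g. SSH)
# before running this on a remote host.
ftp_rules() {
    [ $# -gt 0 ] || { echo "usage: ftp_rules PORT..." >&2; return 1; }
    ports=$(printf '%s,' "$@")
    ports=${ports%,}                       # e.g. "21,30000"
    run modprobe "$FTP_HELPER_MODULE" "ports=$ports"
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in "$@"; do
        run iptables -A INPUT -p tcp --dport "$p" -j ACCEPT
        # Bind the helper to this control port (required on kernels >= 4.7,
        # where net.netfilter.nf_conntrack_helper defaults to 0).
        run iptables -t raw -A PREROUTING -p tcp --dport "$p" -j CT --helper ftp
    done
    # Policy last, so an existing admin session is not cut off between commands.
    run iptables -P INPUT DROP
}

# pasv_data_port "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)":
# prints p1*256+p2, the port the client will connect to next. This is the
# parsing the FTP helper performs so that the new connection to that port
# matches --state RELATED instead of hitting the DROP policy.
pasv_data_port() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || { echo "not a 227 reply: $1" >&2; return 1; }
    p1=$(printf '%s\n' "$tuple" | cut -d, -f5)
    p2=$(printf '%s\n' "$tuple" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Constructed sample reply (not captured from a real server): 117*256+48 = 30000.
SAMPLE_227='227 Entering Passive Mode (192,168,1,10,117,48).'

# Usage: sh ftp-firewall.sh print 21 30000   (show the commands)
#        sh ftp-firewall.sh apply 21 30000   (as root: execute them)
#        sh ftp-firewall.sh pasv             (parse the sample 227 reply)
case "${1:-}" in
    print) shift; DRY_RUN=1 ftp_rules "$@" ;;
    apply) shift; ftp_rules "$@" ;;
    pasv)  pasv_data_port "$SAMPLE_227" ;;
esac
```

Run `sh ftp-firewall.sh print 21 30000` first and read the generated commands; `apply` needs root. The `-m state` match is kept to mirror the post, although current iptables treats it as an alias of `-m conntrack --ctstate`. The CT rule in the raw table is harmless on older kernels that still auto-assign helpers, and necessary on newer ones; without it, passive mode fails in exactly the way the post describes even with the module loaded.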