在實際工作中,可用以下指令碼架設一台很安全的內部FTP伺服器;當然也可以配合Wireshark理解vsftpd的被動與主動的區別,以本機192.168.0.18為例,指令碼如下:
#!/bin/bash
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
#開啟ip轉寄功能
echo “1″ > /proc/sys/net/ipv4/ip_forward
#載入ftp需要的一些模組功能
modprobe ip_conntrack_ftp
modprobe ip_conntrack-tftp
modprobe ip_nat_ftp
modprobe ip_nat_tftp
#為了更安全,將OUTPUT預設策略定義為DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
#開放原生lo環回口,建議開放,不開放的會出現些莫名其妙的問題
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#下面的指令碼是架設安全的vsftpd關健,後二句指令碼是允許存取伺服器向用戶端作回應的和已建立串連的資料包,因被動FTP比較複雜,六次握手,所以這裡採用狀態來做
iptables -A INPUT -s 192.168.0.0/24 -p tcp –dport 21 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp –sport 21 -j ACCEPT
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
