ftp and iptables



cbrenchley
24th July 2007, 03:02 PM
I am running vsftpd and would like to know if there is a way to squeeze down ftp to restricted IP addresses. I'm not sure if I can use iptables, or if vsftpd has a setting that does the same. Please keep it simple, newbie.

p.s. Thanks a million for all the help I have been getting.

William Haller
24th July 2007, 03:40 PM
Yes, but only for passive FTP. Adjust the 10000-10500 range to suit your needs. These will be for inbound connections.

connect_from_port_20=YES
listen_port=21

port_enable=NO
port_promiscuous=NO
ftp_data_port=20

pasv_enable=YES
pasv_promiscuous=NO
pasv_min_port=10000
pasv_max_port=10500

Then set up the iptables firewall rules to allow the passive range you have specified.

cbrenchley
24th July 2007, 03:53 PM
William, thanks, I will get on it asap. But I'm not sure how to set up the iptables rules. I would like our local intranet (10.1.10.0) and one remote IP address to have access. Thanks for the fast response!

William Haller
24th July 2007, 04:10 PM
My suggestion would be to use a GUI firewall builder such as fwbuilder (available through yum). It has a very nice graphical interface, allows you to create named networks and individual IPs, configure your rules based on time of day, enable and disable logging, and manage QoS. It also has a large number of services and service groups predefined. It includes many sample rule sets for common configurations that you can look at or tweak as needed.

You could also use firestarter and add ports through its interface.

There is less likelihood of making an iptables oops with a graphical interface if you aren't familiar with what you are doing. Just start off with everything inbound and outbound disabled and add just the bare minimum that you need to get your box doing the minimum you want.

The nice thing about fwbuilder is that you can manage the firewalls of many systems from one box and use SSH to transmit the new configurations to the remote boxes and restart their firewalls. It will even work in batch mode if the SSH passwords are all the same, allowing you to update a service configuration and let it recompile and batch download any changes for any systems affected by that change. If you go that route, you'll also need to add fwbuilder-ipt for the iptables back end when you install the packages.

cbrenchley
24th July 2007, 08:53 PM
I seem to be having a problem getting iptables to accept my new rules for ftp. I'm trying to get one remote address to use ftp with all others blocked, and also let the local intranet access ftp. I can turn ftp on and off through iptables, but the problem is when I enter the IP address. I'm also editing the /etc/sysconfig/iptables file and stopping then starting iptables. Any ideas?
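The rule set asked for in the last two posts, written out as an added example (not William's code and not part of vsftpd or iptables): only the local intranet and one remote address may reach port 21 and the passive range 10000-10500 from William's config, everything else is dropped. The remote address 203.0.113.10 is a placeholder from the RFC 5737 documentation range, and the intranet is assumed to be a /24 since the post gives 10.1.10.0 without a mask; `iptables -s 10.1.10.0` on its own matches a single host, which is one common reason a rule "does not take" once an address is added.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules that let only the local
# intranet and one remote address reach vsftpd on port 21 and on the passive range
# 10000-10500 from William's config; every other source is dropped.
# REMOTE_IP is a placeholder (RFC 5737 documentation address): replace it.
LAN_NET="${LAN_NET:-10.1.10.0/24}"        # assumption: the intranet is a /24
REMOTE_IP="${REMOTE_IP:-203.0.113.10}"    # placeholder, not a real client
PASV_RANGE="${PASV_RANGE:-10000:10500}"   # iptables writes a port range as low:high

# Print one rule per line in the form used inside /etc/sysconfig/iptables
# (everything after the "iptables" command), so the same text can be pasted
# into that file's *filter section or handed to the iptables binary.
ftp_rules() {
    for src in "$LAN_NET" "$REMOTE_IP"; do
        echo "-A INPUT -s $src -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "-A INPUT -s $src -p tcp -m tcp --dport $PASV_RANGE -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # Explicit drops so FTP stays closed even if a later rule accepts port 21 broadly.
    echo "-A INPUT -p tcp -m tcp --dport 21 -j DROP"
    echo "-A INPUT -p tcp -m tcp --dport $PASV_RANGE -j DROP"
}

# Check that a source is a dotted quad with an optional /prefix before anything
# is applied; a stray character here is a typical cause of iptables rejecting a rule.
valid_source() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

apply_rules() {
    valid_source "$LAN_NET" && valid_source "$REMOTE_IP" || return 1
    ftp_rules | while read -r rule; do
        # Word splitting of $rule is intended; "exit" leaves the pipeline subshell
        # with status 1, which apply_rules then returns.
        iptables $rule || exit 1
    done
}

case "${1:-}" in
    show)  ftp_rules ;;      # print the rules for /etc/sysconfig/iptables
    apply) apply_rules ;;    # load them into the running firewall (needs root)
esac
```

Run `sh ftp_rules.sh show` to see the six lines and paste them into the `*filter` section of /etc/sysconfig/iptables before `COMMIT`, above any rule that accepts port 21 for everyone; `sh ftp_rules.sh apply` loads them directly. The explicit DROP lines matter when the chain's default policy is ACCEPT, which is the state after `iptables -F` on many installs.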

cbrenchley
25th July 2007, 07:18 PM
OK, I have iptables working great. It lets me ftp with one remote IP address and the local system. Now my problem is that when I upload a file, I need it to be owned by the user, which works, and have the group = apache. Question: how can I change, or have the uploaded file permissions changed to, user/apache?