Configuration of iptables (verification, active services, allow FTP)
I’m experimenting with IPT's (iptables) in Xubuntu.
My first experiment was to allow all OUTPUT traffic and block all INPUT except already existing TCP connections. Can somebody verify if these are correct?
To go a bit more advanced, I'm trying to allow all TCP connections to active services on my workstation. My idea is to do an nmap scan and grep the listening/open ports, but I'm probably overthinking it.
Finally I'm trying to allow FTP.
I used this additional rule to allow FTP, but it seems I still get blocked:
sudo iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
Solution 1:
FTP is a bit odd in that you need to allow inbound traffic on port 21 and outbound traffic on port 20:
sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
In addition, FTP will use a random higher port. To allow this you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read
IPTABLES_MODULES="ip_conntrack_ftp"
You will still need a way to save your iptables configuration and restore it when you boot. Ubuntu does not have a simple way of doing this. Basically you can either use /etc/rc.local
or disable NetworkManager and use networking scripts.
First save your rules:
sudo sh -c 'iptables-save > /etc/iptables.save'
Method 1 : Edit /etc/rc.local
and add the line
iptables-restore /etc/iptables.save
Method 2 : Edit /etc/network/interfaces
and use "post-up" to bring our iptables rules up.
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
post-up /sbin/iptables-restore /etc/iptables.save
Then reboot.
The preferred method is probably to use UFW
sudo ufw allow ftp
UFW is the default tool for Ubuntu, uses syntax very similar to iptables, and is enabled and restored on rebooting.
See:
https://serverfault.com/questions/38398/allowing-ftp-with-iptables
http://slacksite.com/other/ftp.html
http://bodhizazen.com/Tutorials/iptables
https://help.ubuntu.com/community/UFW
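As an added example (not part of the question or either answer), the following POSIX sh script builds an iptables-restore ruleset that combines the question's goals with the FTP handling from Solution 1: accept all OUTPUT, drop INPUT except loopback, replies to connections the host opened, and NEW TCP connections to the listed ports; when port 21 is listed it also binds the FTP conntrack helper so the data connection (port 20, or a random high port in passive mode) is accepted as RELATED. It assumes the nf_conntrack_ftp module (the current name of ip_conntrack_ftp) is loaded and that ss from iproute2 is installed; build_rules and listening_ports are names chosen here.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes: sudo modprobe nf_conntrack_ftp

# build_rules PORT...  -> writes an iptables-restore file to stdout
build_rules() {
    ftp=0
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) printf 'build_rules: bad port "%s"\n' "$port" >&2; return 1 ;;
            21) ftp=1 ;;
        esac
    done
    if [ "$ftp" -eq 1 ]; then
        # Kernels >= 4.7 no longer auto-assign conntrack helpers, so bind the
        # FTP helper to control-channel traffic explicitly in the raw table.
        printf '%s\n' '*raw' ':PREROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A PREROUTING -p tcp --dport 21 -j CT --helper ftp'
        printf '%s\n' 'COMMIT'
    fi
    # Default policies: drop unsolicited INPUT, allow all OUTPUT (so the
    # separate "--sport 20" OUTPUT rule from the answer is not needed).
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to our own connections, plus helper-tracked FTP data connections.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# TCP ports currently in LISTEN state, one per line (no nmap scan needed).
listening_ports() {
    ss -lnt | awk 'NR > 1 { sub(/.*:/, "", $4); print $4 }' | sort -un
}

# Usage as root:
#   build_rules $(listening_ports) 21 > /etc/iptables.save
#   iptables-restore /etc/iptables.save
```

Review the generated file before loading it, since a service listening on all interfaces becomes reachable from the network once its port is accepted.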
Solution 2:
If you are new to iptables, you may want to use either gufw or ufw to set up rules initially. You can use rules as simple as "allow incoming ftp" instead of needing to understand all of the special flags to make it work. They will also allow you to set up advanced rules if you need to.
Both ufw and gufw create iptables rules behind the scenes.