Archive: July 2007 ml@sikurezza.org
Subject: Re: [ml] Server FTP - iptables
From: Marco Barbero
Date: Tue, 3 Jul 2007 00:03:46 +0200 (CEST)
The server is configured for passive FTP.

Searching with the help of Google I found the following rules:

iptables -A INPUT  -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT




I generally use this set of rules:


# ftp 21/tcp: control connection from any client to the DMZ server
$IPTABLES -A FORWARD -i $IF_P2P -o $IF_SCREEN -p tcp \
         -s 0/0 --sport $UNPRIVPORTS -d $NETSRV --dport 21 \
         -m state --state NEW,ESTABLISHED -j ACCEPT

# ftp 21/tcp replies: server to client. Replies leave the DMZ, so they
# enter on $IF_SCREEN and exit on $IF_P2P (the posted rule had the two
# interfaces swapped and could never match).
$IPTABLES -A FORWARD -i $IF_SCREEN -o $IF_P2P -p tcp \
         -s $NETSRV --sport 21 -d 0/0 --dport $UNPRIVPORTS \
         -m state --state ESTABLISHED -j ACCEPT


# This will handle passive FTP data transfers: the client opens the data
# connection to the port the server announced in its 227 reply. The first
# packet is RELATED to the tracked control connection only if the ftp
# conntrack helper module (ip_conntrack_ftp / nf_conntrack_ftp) is loaded.
$IPTABLES -A FORWARD -i $IF_P2P -o $IF_SCREEN -p tcp \
         -s 0/0 --sport $UNPRIVPORTS -d $NETSRV --dport $UNPRIVPORTS \
         -m state --state RELATED,ESTABLISHED \
         -m helper --helper ftp -j ACCEPT

$IPTABLES -A FORWARD -i $IF_SCREEN -o $IF_P2P -p tcp \
         -s $NETSRV --sport $UNPRIVPORTS -d 0/0 --dport $UNPRIVPORTS \
         -m state --state ESTABLISHED \
         -m helper --helper ftp -j ACCEPT


# This will handle active FTP data transfers: the server connects from
# tcp/20 to the address/port the client gave in its PORT command.
# (The posted rule read "-o $IF_SCREEN -o $IF_P2P"; the DMZ side is -i.)
$IPTABLES -A FORWARD -i $IF_SCREEN -o $IF_P2P -p tcp \
         -s $NETSRV --sport 20 -d 0/0 --dport $UNPRIVPORTS \
         -m state --state RELATED,ESTABLISHED \
         -m helper --helper ftp -j ACCEPT

$IPTABLES -A FORWARD -i $IF_P2P -o $IF_SCREEN -p tcp \
         -s 0/0 --sport $UNPRIVPORTS -d $NETSRV --dport 20 \
         -m state --state ESTABLISHED \
         -m helper --helper ftp -j ACCEPT


where NETSRV is the FTP server in the DMZ. Comments? Redundancies? Improvements?
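
The RELATED rules in the message only ever match because the kernel's FTP conntrack helper reads the tcp/21 control channel and registers an "expectation" for the data connection it sees announced. As an added example (not part of Marco's message and not netfilter's code) the following Python re-implements that parsing in user space: it decodes PORT commands and 227 "Entering Passive Mode" replies, derives who will dial whom, and flags the two cases in which the posted FORWARD rules would still drop the data connection (an announced port below 1024, which falls outside $UNPRIVPORTS, and an announced address that is not the control-connection peer, as happens with a server behind NAT or an FTP bounce attempt). The client/server addresses, the sample control lines and all function names are constructed for this example.

```python
"""Derive the data connection the FTP conntrack helper would expect from
what it sees on the control channel.

Added example, not code from the original post or from netfilter. It
models, in user space, the parsing ip_conntrack_ftp / nf_conntrack_ftp
does on tcp/21 (PORT commands, 227 replies) so the RELATED match in the
posted iptables rules can fire. Addresses, sample lines and names are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2                        client -> server, active mode
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  server -> client, passive mode
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")

UNPRIV_LOW = 1024  # lower bound of the $UNPRIVPORTS range used in the rules


@dataclass(frozen=True)
class Expectation:
    """The data connection the helper expects: who dials whom."""
    mode: str                  # "active" or "passive"
    src: str                   # address that opens the data connection
    sport: Optional[int]       # 20 in active mode; None = any ephemeral port
    dst: str
    dport: int
    warnings: Tuple[str, ...]  # reasons the posted FORWARD rules would not match


def _decode_hostport(field: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(x) for x in field.split(",")]
    if any(not 0 <= p <= 255 for p in parts):
        raise ValueError("octet out of range in %r" % field)
    port = parts[4] * 256 + parts[5]
    if port == 0:
        raise ValueError("port 0 announced in %r" % field)
    return ".".join(str(p) for p in parts[:4]), port


def _checks(host: str, port: int, peer: str) -> Tuple[str, ...]:
    """Checks a firewall admin cares about for the announced endpoint."""
    w = []
    if port < UNPRIV_LOW:
        w.append("announced port %d is privileged; --dport $UNPRIVPORTS will not match" % port)
    if host != peer:
        w.append("announced address %s differs from control-connection peer %s "
                 "(NAT leaking a private address, or an FTP bounce attempt)" % (host, peer))
    return tuple(w)


def expectation_from_ctl(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Return the Expectation implied by one control-channel line, or None
    for lines (USER, RETR, 150 ...) that do not announce a data connection."""
    m = PORT_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
        # Active mode: the server dials out from tcp/20 to the client's
        # announced address, so the first data packet crosses DMZ -> outside.
        return Expectation("active", server_ip, 20, host, port,
                           _checks(host, port, peer=client_ip))
    m = PASV_RE.match(line)
    if m:
        host, port = _decode_hostport(m.group(1))
        # Passive mode: the client dials from an ephemeral port to the
        # server's announced address, so the first packet crosses outside -> DMZ.
        return Expectation("passive", client_ip, None, host, port,
                           _checks(host, port, peer=server_ip))
    return None


def describe(exp: Expectation) -> str:
    """One-line 'mode: src:sport -> dst:dport' summary of an expectation."""
    sport = "any" if exp.sport is None else str(exp.sport)
    return "%s: %s:%s -> %s:%d" % (exp.mode, exp.src, sport, exp.dst, exp.dport)


if __name__ == "__main__":
    CLIENT, SERVER = "203.0.113.10", "192.0.2.21"        # constructed addresses
    control_channel = [                                   # constructed session
        "USER anonymous",
        "227 Entering Passive Mode (192,0,2,21,195,92).",
        "PORT 203,0,113,10,4,1",
        "227 Entering Passive Mode (10,0,0,5,195,92).",   # server behind NAT
        "PORT 203,0,113,10,0,80",                          # privileged port
    ]
    for line in control_channel:
        exp = expectation_from_ctl(line, CLIENT, SERVER)
        if exp is None:
            continue
        print(describe(exp))
        for warning in exp.warnings:
            print("  warning:", warning)
```

Each Expectation corresponds to one of the two RELATED rules in the message: a passive expectation is the outside -> DMZ rule with --dport $UNPRIVPORTS on $NETSRV, an active one is the DMZ -> outside rule with --sport 20. Whenever the script prints a warning, the real helper would either register an expectation the posted rules do not cover (privileged port) or, depending on the helper's configuration, refuse to register one at all (address mismatch), and the transfer hangs after the control channel is established.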





www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005