biolocal:Open firewall for proftpd
From Wiki CEINGE
Revision as of 11:27, 4 October 2007 by Gianluca (new page).
Current revision (12:53, 18 February 2008) by Gianluca: moved Bioinfolocal:open firewall for proftpd to biolocal:Open firewall for proftpd (moving to the right namespace).
Current revision
First, restrict passive-mode data transfers to a defined range of ports on the FTP server.
Edit the file proftpd.conf and add or modify the following line:
PassivePorts 49152 65534 # 49152-65534, the IANA-registered ephemeral port range
Next, edit the iptables configuration file so that it allows connections on that port range (and on the control port, 21). Edit /etc/sysconfig/iptables:
[root@bpd etc]# cat sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 49152:65534 -j ACCEPT   <<== Allow the transfer on a port range
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT            <<== Allow the connection on port 21
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
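The two settings above only work together if the iptables range actually covers the PassivePorts range. The following script is an added example, not part of the wiki page or of proftpd: it reads the PassivePorts directive from a proftpd.conf and checks a saved iptables rules file for an ACCEPT rule on tcp/21 and for a --dport range that covers the passive range. The file paths and sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki page: verify that the PassivePorts range
# declared in proftpd.conf is fully allowed by a saved iptables rule set,
# together with the control connection on tcp/21. Paths and sample file
# contents below are constructed for the demonstration.

# Print "low high" from the first PassivePorts directive (comments stripped).
passive_range() {
    sed 's/#.*//' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# Succeed only if the rules file accepts tcp connections on port 21 and
# contains a --dport low:high ACCEPT rule whose range covers $2..$3.
firewall_covers() {
    rules=$1; lo=$2; hi=$3
    grep -Eq -- '-p tcp --dport 21 -j ACCEPT' "$rules" || return 1
    grep -Eo -- '--dport [0-9]+:[0-9]+ -j ACCEPT' "$rules" |
        awk -v lo="$lo" -v hi="$hi" '
            { split($2, r, ":"); if (r[1] + 0 <= lo + 0 && r[2] + 0 >= hi + 0) ok = 1 }
            END { if (ok) exit 0; exit 1 }'
}

# Usage: check_ftp_firewall proftpd.conf iptables-save-file
check_ftp_firewall() {
    range=$(passive_range "$1")
    low=${range%% *}; high=${range##* }
    if [ -z "$low" ] || [ -z "$high" ]; then
        echo "no PassivePorts directive found in $1"; return 2
    fi
    if firewall_covers "$2" "$low" "$high"; then
        echo "OK: tcp/21 and passive range $low-$high are allowed"; return 0
    fi
    echo "MISMATCH: passive range $low-$high is not fully allowed in $2"; return 1
}

# Constructed sample inputs: one matching firewall, one with a narrower range.
TMP=$(mktemp -d)
printf 'ServerName "demo"\nPassivePorts 49152 65534 # ephemeral range\n' >"$TMP/proftpd.conf"
cat >"$TMP/iptables.good" <<'EOF'
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 49152:65534 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
EOF
sed 's/49152:65534/50000:60000/' "$TMP/iptables.good" >"$TMP/iptables.bad"

check_ftp_firewall "$TMP/proftpd.conf" "$TMP/iptables.good"
check_ftp_firewall "$TMP/proftpd.conf" "$TMP/iptables.bad" || true  # reports the gap
```

Run it against the real /etc/proftpd.conf and the output of iptables-save to confirm the live rule set matches the directive after an edit.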