Re: iptables: "stateful inspection?"

From: George (greerga@entropy.muc.muohio.edu)
Date: Thu Dec 21 2000 - 02:00:49 EST


On Wed, 20 Dec 2000, Michael Rothwell wrote:

>"Michael H. Warfield" wrote:
>> I think that's more than a little overstatement on your
>> part. It depends entirely on the application you intend to put
>> it to.
>
>Fine. How do I make FTP work through it? How can I allow all outgoing
>TCP connections without opening the network to inbound connections on
>the ports of desired services?

/etc/sysctl.conf:
        # Set local port range to be higher.
        net.ipv4.ip_local_port_range = 32768 33792

/etc/ftpaccess:
        passive ports 0.0.0.0/0 32768 36863

Firewall script:
-----------------
STDPORT=32768:33792
IP=1.2.3.4/32

# Client FTP
ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp-data -y -l
ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp-data
ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp -y -l
ipchains -A output -j ACCEPT -p tcp -s $IP $STDPORT -d 0.0.0.0/0 ftp

# Server FTP
ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 ftp-data -d $IP $STDPORT # Needs SYN
ipchains -A input -j ACCEPT -p tcp -s 0.0.0.0/0 ftp -d $IP $STDPORT ! -y

[now deny all for all chains]

Unfortunately, any FTP server that doesn't use port 20 for data streams
won't work in Passive mode (oh well). So I just download elsewhere first
and then get it locally for browsers that insist upon Passive.

For allowing outgoing connections without inbound, you'd use:

        ipchains -A input -j DENY -p tcp -y

or if that complains:

        ipchains -A input -j DENY -p tcp -s 0.0.0.0/0 -d $IP -y

You'll notice above I used '! -y' on the Server FTP rule. If I missed a
detail, it might be due to trying to condense everything I have into what
you wanted.

-George Greer

(7,323 and 189 lines in my firewall rule script.)

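Added illustration, not from George's post: a small Python model of ipchains first-match evaluation over the input-chain rules above, run against constructed packets, to show what the -y / "! -y" flag tests admit. The final non-SYN ACCEPT rule, the sample addresses and the packets are assumptions, not part of the original.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LOCAL = "1.2.3.4"                 # $IP from the post
STDPORT = range(32768, 33793)     # $STDPORT=32768:33792 (ipchains ranges are inclusive)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool         # SYN set with ACK clear: what ipchains "-y" matches

@dataclass(frozen=True)
class Rule:
    target: str                       # "ACCEPT" or "DENY"
    src: str = "0.0.0.0/0"
    sport: Optional[range] = None
    dst: str = "0.0.0.0/0"
    dport: Optional[range] = None
    syn: Optional[bool] = None        # True: "-y", False: "! -y", None: any flags

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or p.sport in self.sport)
                and (self.dport is None or p.dport in self.dport)
                and (self.syn is None or p.syn == self.syn))

def verdict(chain: list, p: Packet) -> str:
    """First matching rule wins; no match falls through to the post's 'deny all'."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "DENY"

# Input chain in the order the post gives it. The last ACCEPT is an assumption:
# it stands in for whatever lets replies to outgoing connections back in.
INPUT = [
    Rule("ACCEPT", sport=range(20, 21), dst=LOCAL, dport=STDPORT),             # ftp-data, SYN allowed
    Rule("ACCEPT", sport=range(21, 22), dst=LOCAL, dport=STDPORT, syn=False),  # ftp, "! -y"
    Rule("DENY", dst=LOCAL, syn=True),                                         # no other inbound SYNs
    Rule("ACCEPT", dst=LOCAL, syn=False),                                      # assumed: non-SYN replies
]

# Constructed sample packets (documentation addresses).
active_data_syn = Packet("203.0.113.7", 20, LOCAL, 32800, syn=True)    # server opens data connection
control_syn     = Packet("203.0.113.7", 21, LOCAL, 32800, syn=True)    # SYN from port 21: refused
control_reply   = Packet("203.0.113.7", 21, LOCAL, 32800, syn=False)   # reply on our control connection
web_syn         = Packet("203.0.113.9", 4444, LOCAL, 80, syn=True)     # unsolicited inbound SYN
web_reply       = Packet("203.0.113.9", 443, LOCAL, 33000, syn=False)  # reply to our outgoing HTTPS
# No connection table exists, so active_data_syn is accepted whether or not an FTP
# session to that server is open; that gap is what stateful inspection closes.
```
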
This archive was generated by hypermail 2b29 : Sat Dec 23 2000 - 21:00:28 EST