Full Version: Ip Filtering
Linuxhelp > Support > Technical Support
I'm running an FTP server on my Linux machine, but it's probably insecure as hell. One of the things I'd like to do is set up an IP filter (I believe this is the correct term; it blocks a remote IP address on all ports). How would I go about doing that?

Well, I would begin with something like this:

cd /home
vi iptables

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

This makes the default rule DROP every packet that hits us.

iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

So we allow localhost to send packets to the firewall;
we allow eth0, which is the internal LAN, to send packets to the firewall;
but we only allow packets that are related or established to be sent to us from the internet.

iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

We allow localhost to get out.
We allow all packets to leave the firewall freely (it might be a good idea to later do some additional port filtering; please check and run SHIELDSUP! [tm] to see which ports are vulnerable to the most dangerous attacks, and you can block those ports. For example, a virus hits you and uses some well-known port to spread; if you block that port, you would do the rest of us a great help by not allowing it to spread further from your location).

The FORWARD rules are for the traffic that goes through the firewall machine ... you should definitely read an iptables HOWTO ... for example, there is really good documentation on TLDP; just look up the TLDP iptables HOWTO.

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

We allow the internal LAN to go freely through the firewall to eth1 (internet).
We only allow packets that we requested in some way to come back to us from the internet; see the NEW missing?

For example, if you then want to allow a certain IP address to access FTP services on !!!THIS!!! computer, you would do the following:

iptables -A INPUT -i eth1 -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -p tcp --dport 21 -j ACCEPT

replacing xxx.xxx.xxx.xxx with the remote host
replacing yyy.yyy.yyy.yyy with your public IP address

Maybe you could also do it like this:

iptables -A INPUT -i eth1 -s xxx.xxx.xxx.xxx -p tcp --dport 21 -j ACCEPT

Finally, to put these rules into action you could do this:

/etc/init.d/iptables stop
source /home/iptables
iptables-save > /etc/sysconfig/iptables
/etc/init.d/iptables start

If this works, then later, when you need to modify this, you can create a bash script to do the above 4 lines, like this:

cd /home
vi change_iptables

Then put this into that change_iptables file:

#!/bin/bash
/etc/init.d/iptables stop &&
source /home/iptables &&
iptables-save > /etc/sysconfig/iptables &&
/etc/init.d/iptables start

Then do a
chmod 755 /home/change_iptables

And if you change something in /home/iptables and want to quickly apply it,
just type:

cd /home
./change_iptables

Robert B
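As an added example that is not part of Robert B's post: the same policy written in the iptables-restore format that iptables-save already produces, so the whole table is loaded in one atomic step instead of rule by rule, plus the explicit per-host block the original question asked for. The loopback rules match on the lo interface rather than on the 127.0.0.1 source address, since a source address can be forged on other interfaces. Interface names eth0 and eth1 follow the post; the two IP addresses are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a rule set in
# iptables-restore format for the policy described above.
# Assumptions: eth0 is the internal LAN, eth1 faces the internet.

LAN_IF=eth0
WAN_IF=eth1
FTP_CLIENT=203.0.113.10    # constructed sample: the one host allowed to reach FTP
BLOCKED_HOST=198.51.100.7  # constructed sample: the host to drop on every port

gen_rules() {
  # $1 = remote host allowed to reach port 21, $2 = remote host blocked entirely
  allowed=$1; blocked=$2
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Block one remote host on every port and protocol; placed first so it
# wins over the ACCEPT rules below, even for replies to our own connections
-A INPUT -s ${blocked} -j DROP
# Loopback and the internal LAN may talk to the firewall
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${LAN_IF} -j ACCEPT
# Return traffic for connections we opened
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# FTP control channel, only from the one allowed client
-A INPUT -i ${WAN_IF} -s ${allowed} -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -j ACCEPT
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Line number of the first rule mentioning $1, used to check rule ordering
rule_position() {
  gen_rules "$FTP_CLIENT" "$BLOCKED_HOST" | grep -n -- "$1" | head -1 | cut -d: -f1
}

# To apply (needs root): gen_rules "$FTP_CLIENT" "$BLOCKED_HOST" | iptables-restore
# Then persist with: iptables-save > /etc/sysconfig/iptables
```

FTP data connections are only classified RELATED when the nf_conntrack_ftp helper (ip_conntrack_ftp on older kernels) is loaded; without it, passive-mode transfers will be dropped by this rule set.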
Invision Power Board © 2001-2018 Invision Power Services, Inc.