Tags: linux ftp bash iptables
I have a PC with an FTP server installed. I want to set up iptables rules that allow both active and passive FTP. I tried the following code, which people have reported as working, but it seems to block all of my traffic (web pages no longer load, etc.):
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
# Setting default filter policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
# Allow FTP connections @ port 21
$IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow Active FTP Connections
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Allow Passive FTP Connections
$IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
From your question I guess you have an ordinary host with the usual set of applications: a web browser, a mail client, maybe telnet and/or an ssh client, maybe an ftp client, perhaps some IM, and so on. These applications work, and you also want the FTP server on this host to work in both Active and Passive mode for the clients that will connect to it. Below are 3 blocks of rules that fit this situation.

The block of common rules is a minimalist rule set suitable for most client hosts. Next comes the block of rules for an ftp client, if you have one on your host. The ftp-client rules differ slightly from those of other clients: a data transfer always involves two connections, ftp-control (port 21) and ftp-data (port 20 in Active mode, or a random port in Passive mode). Most likely you will never need the client rules for Active mode, because Passive mode is the only option on NATed networks.

The rules for the FTP server are in the last block.

Please check whether you have ip_conntrack_ftp (possibly named nf_conntrack_ftp) in your kernel:
> lsmod | grep conn
If you do not have this kernel module, the 'RELATED' rules will not work and, most likely, the separate ftp-data connection will fail to start while the main ftp-control connection hangs after the 'PORT' command. In that case you can still force the ftp-data connection to work, but at the cost of the reduced security of the adjusted rules. The adjustments are described in the comments preceding the rules.
#!/bin/bash
IPT=/sbin/iptables
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# Block of common rules #####################################################
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -p icmp -j ACCEPT
$IPT -A INPUT -p icmp -j ACCEPT
# allow DNS queries and replies
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p udp --sport 53 -j ACCEPT
# allow all Your possible client applications to work
$IPT -A OUTPUT -p tcp -m multiport --dports ssh,telnet,http,https,xmpp-client,aol,smtp,pop3,imap2,imap3 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m multiport --sports ssh,telnet,http,https,xmpp-client,aol,smtp,pop3,imap2,imap3 -m state --state RELATED,ESTABLISHED -j ACCEPT
# End of block of common rules ##############################################
# If You have ftp-client too, this block of rules
# will allow it to work with external ftp servers in both modes.
#
# First, allow ftp-control at client side:
$IPT -A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#
# Then allow ftp-data Active Mode at client side:
# Client accepts RELATED connection from server port 20
# to client port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED at client host
# to pick up this client port number from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED'.
# And in the case of 'NEW' You allow connection to ANY port of Your host!
$IPT -A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# Finally, allow ftp-data Passive Mode at client side:
# Client starts RELATED connection from random own high port number
# to server fixed high port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED again at client host
# to pick up this client port number from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED' !
$IPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
#######[ Block of rules needed for Local FTP Server ]#######
# This block of rules allows clients to access Your FTP server at this host
# either in Active or Passive mode.
# You may need to enable Passive mode in FTP server config file,
# e.g. with pasv_enable=yes in /etc/vsftpd.conf if vsftpd is Your choice.
#
# Ftp-control at server side:
# (some example rules are given below just to show
# how You can selectively restrict access to Your FTP server):
$IPT -A INPUT -s 1.2.3.0/24 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -s 5.6.7.8/32 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#
# Ftp-data Active Mode at server side:
# Server starts RELATED connection from server port 20
# to client port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED to pick up this client port number
# from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED' !
$IPT -A OUTPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# Ftp-data Passive Mode at server side:
# Server accepts RELATED client connection from random client high port number
# to own fixed high port number negotiated in ftp-control connection.
# nf_conntrack_ftp is REQUIRED to pick up this own fixed high port number
# from payload of ftp-control packets,
# otherwise You are forced to use 'NEW' instead of 'RELATED'.
# And in the case of 'NEW' You allow connection to ANY high port of Your server!
$IPT -A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
######
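Why the answer above keeps insisting on nf_conntrack_ftp and RELATED: the helper reads the data-channel endpoint out of the control-channel payload and registers a conntrack expectation for exactly that one connection, so only the negotiated SYN is classified RELATED and every other SYN on the high ports stays NEW and hits the DROP policy. The following Python model is an added example, not code from the question or any of the answers. It parses PORT (active), 227 (passive) and the RFC 2428 229 reply the way the helper does, derives the expected data connection, and compares a RELATED match with the answer's "NEW 1024:65535" fallback. The addresses, ports and control-channel text are constructed; the `loose` flag mirrors the module parameter of the same name (off by default), which decides whether an announced address that differs from the speaker's own address is accepted.

```python
"""What nf_conntrack_ftp reads out of the control channel, modelled in Python.

Added example, not code from the question or the answers. Parses PORT / 227 /
229, derives the data connection conntrack will mark RELATED, and rejects the
address mismatch the helper also rejects unless `loose` is set. All addresses,
ports and payloads below are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import List

# PORT h1,h2,h3,h4,p1,p2  (client -> server, active mode)
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?$", re.M)
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)  (server -> client, passive mode)
PASV_RE = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)", re.M)
# 229 Entering Extended Passive Mode (|||port|)  (RFC 2428; address is implicitly the server's)
EPSV_RE = re.compile(r"^229 [^\r\n]*?\(\|\|\|(\d{1,5})\|\)", re.M)


@dataclass(frozen=True)
class Expectation:
    """A data connection conntrack expects: src_ip -> dst_ip:dst_port, from any source port."""
    mode: str      # "active" or "passive"
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Syn:
    """The first packet of a candidate data connection as the filter table sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _decode_hostport(fields) -> tuple:
    """Turn the six comma-separated decimal fields of PORT / 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not a valid data port")
    return f"{h1}.{h2}.{h3}.{h4}", port


def expectations(control_payload: str, client_ip: str, server_ip: str,
                 loose: bool = False) -> List[Expectation]:
    """Derive the RELATED data connections implied by one control-channel exchange.

    client_ip / server_ip are the two ends of the port-21 connection itself.
    Without loose=True an announced address that differs from the speaker's own
    address is rejected, which is what stops classic FTP bounce attempts.
    """
    exps = []
    for m in PORT_RE.finditer(control_payload):
        ip, port = _decode_hostport(m.groups())
        if not loose and ip != client_ip:
            raise ValueError(f"PORT address {ip} != control peer {client_ip}")
        exps.append(Expectation("active", server_ip, ip, port))    # server dials the client
    for m in PASV_RE.finditer(control_payload):
        ip, port = _decode_hostport(m.groups())
        if not loose and ip != server_ip:
            raise ValueError(f"227 address {ip} != control peer {server_ip}")
        exps.append(Expectation("passive", client_ip, ip, port))   # client dials the server
    for m in EPSV_RE.finditer(control_payload):
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError("EPSV port out of range")
        exps.append(Expectation("passive", client_ip, server_ip, port))
    return exps


def is_related(syn: Syn, exps: List[Expectation]) -> bool:
    """True if a '-m state --state RELATED' rule would accept this SYN."""
    return any(syn.src_ip == e.src_ip and syn.dst_ip == e.dst_ip
               and syn.dst_port == e.dst_port for e in exps)


def accepted_by_new_highport_rule(syn: Syn) -> bool:
    """The no-helper fallback from the answer: any high port to any high port, state NEW."""
    return 1024 <= syn.src_port <= 65535 and 1024 <= syn.dst_port <= 65535


# Constructed sample exchange: client 203.0.113.5 talks to server 198.51.100.7 on port 21.
CLIENT, SERVER = "203.0.113.5", "198.51.100.7"
SAMPLE_CONTROL = (
    "PORT 203,0,113,5,4,1\r\n"                               # active: client listens on 4*256+1 = 1025
    "200 PORT command successful.\r\n"
    "PASV\r\n"
    "227 Entering Passive Mode (198,51,100,7,195,88).\r\n"   # passive: server listens on 195*256+88 = 50008
)

if __name__ == "__main__":
    exps = expectations(SAMPLE_CONTROL, CLIENT, SERVER)
    for e in exps:
        print(e)
    data_syn = Syn(CLIENT, 51000, SERVER, 50008)
    stray_syn = Syn(CLIENT, 51000, SERVER, 3306)   # same client, but aiming at a MySQL port
    print("passive data SYN is RELATED:", is_related(data_syn, exps))                  # True
    print("stray SYN is RELATED:", is_related(stray_syn, exps))                        # False
    print("stray SYN under the NEW 1024: rule:", accepted_by_new_highport_rule(stray_syn))  # True
```

The stray SYN to port 3306 is the point of the answer's warning: with the helper it is simply not RELATED and is dropped, while the "NEW 1024:65535" fallback lets it through. Two caveats when applying the rule blocks above on a current system: `-m state` is the legacy alias of `-m conntrack --ctstate`, and since kernel 4.7 helpers are no longer attached automatically (net.netfilter.nf_conntrack_helper defaults to 0), so loading nf_conntrack_ftp has to be paired with a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` (and the same in the raw OUTPUT chain for a local ftp client), otherwise the RELATED rules never match and the data connection hangs exactly as described.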
This code only allows incoming and outgoing FTP connections. It does not allow anything else in or out.
$IPT -P INPUT DROP
drops all incoming traffic. So if you start from that, you will want to enable traffic to any other services you are already running that you want to allow.
$IPT -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
This rule will allow incoming FTP traffic.

Explanation of what this script does: it deletes all existing iptables chains, then adds rules that allow all outgoing traffic and block all incoming traffic except FTP.

The arguments of the INPUT and OUTPUT lines in the "# Allow FTP connections @ port 21" section need to be swapped, otherwise new (active) FTP connections will be blocked:
# Allow FTP connections @ port 21
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT