Pure FTPD Passive Mode Iptables Howto

Dr. Haider M. al-Khateeb

Good morning, these rules do not work 🙁 with the second (recommended) method.

OS: debian8
iptables-rules

# Generated by iptables-save v1.4.21 on Wed Jul 29 13:27:55 2015
*filter
:INPUT DROP [419:28996]
:FORWARD DROP [0:0]
:OUTPUT DROP [297:51910]
:SI_SSH - [0:0]
:NO_SSH - [0:0]
:LOGGER - [0:0]

# Default policies
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT FIREWALL
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT

-A INPUT -i eth0 -s 192.168.100.0/24 -p tcp -m tcp --dport 22 -m state --state NEW -j SI_SSH
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j NO_SSH
-A INPUT -i eth0 -s 192.168.100.0/24 -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -s 192.168.100.0/24 -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT

-A SI_SSH -j LOG --log-prefix "SSH: ACCEPT" --log-level 6
-A SI_SSH -j ACCEPT

-A NO_SSH -j LOG --log-prefix "SSH: DENIED" --log-level 6
-A SI_SSH -j DROP

-A INPUT -m state --state NEW -j LOGGER
-A LOGGER -j LOG --log-prefix "INPUT: DROP" --log-level 6

COMMIT
# Completed on Wed Jul 29 13:27:55 2015

vsftpd configuration:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=This server denied access to clients not autorize
chroot_local_user=YES
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES

Connection to port 21 -> OK

Logs (INPUT: DROP):

Jul 31 03:20:37 debian kernel: [120.648489] INPUT: DROP IN=eth0 OUT= MAC=00:0c:29:cd:f0:48:00:0c:29:94:b5:6d:08:00 SRC=192.168.100.9 DST=192.168.100.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=29182 DF PROTO=TCP SPT=61908 DPT=52862 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 31 03:20:40 debian kernel: [123.642300] INPUT: DROP IN=eth0 OUT= MAC=00:0c:29:cd:f0:48:00:0c:29:94:b5:6d:08:00 SRC=192.168.100.9 DST=192.168.100.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=29185 DF PROTO=TCP SPT=61908 DPT=52862 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 31 03:20:46 debian kernel: [129.632838] INPUT: DROP IN=eth0 OUT= MAC=00:0c:29:cd:f0:48:00:0c:29:94:b5:6d:08:00 SRC=192.168.100.9 DST=192.168.100.6 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=29187 DF PROTO=TCP SPT=61908 DPT=52862 WINDOW=8192 RES=0x00 SYN URGP=0

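An added diagnostic for the situation in this comment, not code from the post or the howto: with ssl_enable=YES the control channel is encrypted, so the nf_conntrack_ftp helper cannot read the PASV reply and the client's SYN to the data port (DPT=52862 above) never becomes RELATED; the usual fix is to pin a passive range in vsftpd (pasv_min_port/pasv_max_port) and accept NEW connections to that range. The script parses the kernel LOG lines in the format shown, lists dropped SYNs that land inside such a range, and builds the matching iptables rule; the 50000-60000 range, the third sample line and the function names are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample: the two drops from the post plus one unrelated drop (port 3389).
SAMPLE_LOG = """\
Jul 31 03:20:37 debian kernel: [120.648489] INPUT: DROP IN=eth0 OUT= MAC=00:0c:29:cd:f0:48:00:0c:29:94:b5:6d:08:00 SRC=192.168.100.9 DST=192.168.100.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=29182 DF PROTO=TCP SPT=61908 DPT=52862 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 31 03:20:40 debian kernel: [123.642300] INPUT: DROP IN=eth0 OUT= MAC=00:0c:29:cd:f0:48:00:0c:29:94:b5:6d:08:00 SRC=192.168.100.9 DST=192.168.100.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=29185 DF PROTO=TCP SPT=61908 DPT=52862 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 31 03:21:02 debian kernel: [145.001000] INPUT: DROP IN=eth0 OUT= MAC=00:0c:29:cd:f0:48:00:0c:29:94:b5:6d:08:00 SRC=192.168.100.9 DST=192.168.100.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=29190 DF PROTO=TCP SPT=61910 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
"""


def parse_nf_log(line: str) -> Dict[str, str]:
    """Split one netfilter LOG line into its key=value fields.

    The --log-prefix text is stored under PREFIX; bare flags such as SYN or DF
    are stored with the value "True" so callers can test for their presence.
    """
    idx = line.find(" IN=")
    if idx < 0:
        raise ValueError("not a netfilter LOG line")
    head = line[:idx]
    fields: Dict[str, str] = {
        "PREFIX": head.split("]", 1)[1].strip() if "]" in head else ""
    }
    for tok in line[idx:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = "True"
    return fields


def dropped_passive_syns(lines: Iterable[str], pasv_min: int,
                         pasv_max: int) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for dropped TCP SYNs inside the passive range."""
    hits: List[Tuple[str, str, int]] = []
    for line in lines:
        if " IN=" not in line:
            continue  # not a netfilter LOG line
        f = parse_nf_log(line)
        # A pure SYN (no ACK) is a fresh client connection attempt.
        if f.get("PROTO") != "TCP" or "SYN" not in f or "ACK" in f:
            continue
        dport = int(f["DPT"])
        if pasv_min <= dport <= pasv_max:
            hits.append((f["SRC"], f["DST"], dport))
    return hits


def iptables_pasv_rule(iface: str, src_net: str, pasv_min: int, pasv_max: int) -> str:
    """Build the INPUT rule that accepts new connections to the passive range."""
    return (f"-A INPUT -i {iface} -s {src_net} -p tcp -m tcp "
            f"--dport {pasv_min}:{pasv_max} -m state --state NEW -j ACCEPT")


if __name__ == "__main__":
    for src, dst, port in dropped_passive_syns(SAMPLE_LOG.splitlines(), 50000, 60000):
        print(f"passive data SYN dropped: {src} -> {dst}:{port}")
    print(iptables_pasv_rule("eth0", "192.168.100.0/24", 50000, 60000))
```

The generated rule belongs next to the existing port 21 rule and only helps once vsftpd is restricted to the same range with pasv_min_port and pasv_max_port.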