I have a Linux server and the default INPUT action is DROP. OUTPUT and FORWARD are both ACCEPT.
Which rule do I have to add to enable the machine to establish an FTP session as an FTP client? The server is not an FTP server. Here are my firewall rules.
Why could I not ping any remote machine, or do anything via OUTPUT?
# Generated by iptables-save v1.4.12 on Wed Oct 10 15:30:17 2012
*nat
:PREROUTING ACCEPT [379:59440]
:INPUT ACCEPT [162:34762]
:OUTPUT ACCEPT [5008:361967]
:POSTROUTING ACCEPT [5008:361967]
COMMIT
# Completed on Wed Oct 10 15:30:17 2012
# Generated by iptables-save v1.4.12 on Wed Oct 10 15:30:17 2012
*filter
:INPUT DROP [8:528]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [201:14768]
:LOGGING - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
UPDATED:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -i ppp+ -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A FORWARD -i ppp+ -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
Best Answer
As a client, to allow FTP in passive mode, it's enough to allow back-half connections:
though since rules processing is order-sensitive, it's up to you to put that rule in the right place in your INPUT chain. Near the top is probably a good place.
Edit: OUTPUT traffic is allowed, according to the rules you've posted. If you think it's not, it would be helpful to see the running ruleset, not the startup ruleset; try
iptables -L -n -v
and post the output of that.
As for PINGs, you're not allowing the backhalves of those in, either. The rule I gave above should start those working, too.
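The order-sensitivity point above can be checked mechanically. The script below is an added example, not code from the question or the answer: it reads an iptables-save dump and reports whether the filter INPUT chain accepts RELATED,ESTABLISHED traffic on all interfaces before any DROP, REJECT or LOG rule could catch the reply packets (FTP passive data connections and ICMP echo replies alike). The two rulesets embedded in it are constructed, shortened versions of the original and UPDATED chains posted in the question.

```shell
#!/bin/sh
# Added example: verify that a stateful accept rule sits early in INPUT.
# Reads iptables-save text on stdin; returns 0 if the *filter INPUT chain
# has "-m state --state ...ESTABLISHED -j ACCEPT" without an "-i lo"
# restriction, and no DROP/REJECT/LOG rule precedes it.
check_input_state_rule() {
    awk '
        /^\*/             { table = substr($0, 2) }        # *nat, *filter, ...
        table != "filter" { next }
        /^-A INPUT /      {
            if ($0 ~ /--state [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/ && $0 !~ /-i lo/) {
                found = 1; exit                            # END still runs
            }
            if ($0 ~ /-j (DROP|REJECT|LOG)/) blocked = 1   # would act on replies first
        }
        END { exit ((found && !blocked) ? 0 : 1) }
    '
}

# Constructed sample: the chain as first posted. Only loopback gets a
# stateful rule, so FTP data connections and ping replies hit policy DROP.
original_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [8:528]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the UPDATED chain, stateful rule first, LOG rule last.
# Note: active-mode FTP data connections only match RELATED when the
# kernel's FTP conntrack helper is in use; passive mode needs no helper.
updated_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
EOF
}

check_original() { original_ruleset | check_input_state_rule; }
check_updated()  { updated_ruleset  | check_input_state_rule; }
```

Against a live box, replace the embedded sample with `iptables-save | check_input_state_rule` to test the running ruleset rather than the saved one.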