Linux Bash: Setting iptables rules to allow both active and passive FTP


Problem description

I have a PC on which I have an FTP server installed. I want to set the iptables rules to allow both active and passive FTP. I've tried the following code that people report is working, but it seems to block all traffic for me (pages won't load anymore etc.).

#!/bin/bash

IPT=/sbin/iptables
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

# Setting default filter policy
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT

# Allow FTP connections @ port 21
$IPT -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow Active FTP Connections
$IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# Allow Passive FTP Connections
$IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT

Solution

That code ONLY allows incoming and outgoing FTP connections. It doesn't allow anything else in/out.

 $IPT -P INPUT DROP

Drops all incoming traffic. So if you start with that, you'll want to enable traffic into any other services you have running that you'd like to allow in.

 $IPT -A INPUT  -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 $IPT -A OUTPUT -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT

This rule would allow incoming FTP traffic.

An explanation of what this script does: it deletes all of your existing iptables chains, then adds rules to allow all outgoing traffic and block all incoming traffic except for FTP.
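The answer explains what the posted script does from the client's side; the following is an added example, not code from the question or the answer, written for a host that runs the FTP server. It keeps the INPUT DROP default and adds the two pieces the posted script lacks: a stateful accept for replies to the host's own outbound traffic (the reason pages stopped loading), and inbound rules for port 21 and the passive data range. The nf_conntrack_ftp module name and the 50000:50100 passive range are assumptions; set the range to whatever your FTP daemon is configured to use.

```shell
#!/bin/bash
# Added example, not the question's or the answer's script: rules for a host
# that RUNS an FTP server and must still browse the web. Assumed: a modern
# kernel (nf_conntrack_ftp, -m conntrack, the CT target) and an FTP daemon
# configured to hand out passive data ports from PASV_RANGE.
PASV_RANGE="${PASV_RANGE:-50000:50100}"   # assumed range; match your ftpd

# Wrapper so the rules can be dry-run: IPT=echo prints instead of applying.
ipt() { "${IPT:-/sbin/iptables}" "$@"; }

load_ftp_helper() {
    "${MODPROBE:-/sbin/modprobe}" nf_conntrack
    "${MODPROBE:-/sbin/modprobe}" nf_conntrack_ftp
    # Newer kernels no longer attach helpers automatically; bind the ftp
    # helper to control connections so data channels are tracked as RELATED.
    ipt -t raw -F
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
}

ftp_rules() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP      # same default as the original script
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # The rule the original script lacked: with INPUT DROP, replies to this
    # host's own outbound connections (HTTP 80/443, DNS 53) matched none of
    # its INPUT rules, which is why pages stopped loading.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Control channel: clients connect TO our port 21. The original matched
    # --sport 21, which only describes this host acting as an FTP client.
    ipt -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    # Passive mode: the client opens a NEW connection to a PASV_RANGE port.
    # The helper marks these RELATED; this rule also covers a missing helper.
    ipt -A INPUT -p tcp --dport "$PASV_RANGE" -m conntrack --ctstate NEW -j ACCEPT
    # Active mode: the server dials out from port 20; OUTPUT ACCEPT plus the
    # ESTABLISHED rule above already cover it, no extra INPUT rule needed.
}

# Dry-run by default; run with --apply as root to install the rules.
if [ "${1:-}" = "--apply" ]; then
    load_ftp_helper
    ftp_rules
else
    IPT=echo MODPROBE=echo load_ftp_helper
    IPT=echo ftp_rules
fi
```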
