IPTables + Ports

Andy_m (Verified User, joined Aug 12, 2009, 11 messages)
Hello

Well I managed to get the IPTables working fine, then I added a new domain and gave it one of the two IPs, and this won't let FTP connect.
Code:
/etc/sysconfig/iptables
It has the entire port range enabled.

So I am thinking this IPTable is binding to one IP only?

Code:
# Generated by iptables-save v1.3.5 on Wed Aug 12 12:45:11 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:130]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 35000:35999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8002 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9001 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Aug 12 12:45:11 2009

Any idea how to resolve this?
 
iptables does not "bind" to an ip address.

What is the domain, ip, and which one are you using to connect to ftp? There could be a lot of reasons why ftp does not allow a connection.

What ip does work for ftp?
 
> iptables does not "bind" to an ip address.
>
> What is the domain, ip, and which one are you using to connect to ftp? There could be a lot of reasons why ftp does not allow a connection.
>
> What ip does work for ftp?

I don't want to give details so will use examples.

DomainA and IPA both work for FTP.
DomainB with its own IPB won't work either via ftp or domain if IPTables is on; when switched off it works fine.

When connecting to IPA using ftp user details from DomainB it says incorrect login.

When connecting via IPB or DomainB it connects to port 21 but then uses a random port higher than what's on the IPTable allowed list, but even when it randomly connects to a port in that range it still says this.

Code:
[13:51:27] SmartFTP v3.0.1034.0
[13:51:28] Resolving host name "88.#08.###.13"
[13:51:28] Connecting to 88.#08.###.13 Port: 21
[13:51:28] Connected to 88.#08.###.13.
[13:51:28] 220 ProFTPD 1.3.1 Server ready.
[13:51:28] USER andy
[13:51:28] 331 Password required for andy
[13:51:28] PASS (hidden)
[13:51:28] 230 User andy logged in
[13:51:28] SYST
[13:51:28] 215 UNIX Type: L8
[13:51:28] Detected Server Type: UNIX
[13:51:28] RTT: 10.851 ms
[13:51:28] FEAT
[13:51:28] 211-Features:
[13:51:28]  MDTM
[13:51:28]  REST STREAM
[13:51:28]  SIZE
[13:51:28] 211 End
[13:51:28] PWD
[13:51:28] 257 "/" is the current directory
[13:51:28] CWD /domains/andrew###.co.uk/public_html/en/wp-content
[13:51:28] 250 CWD command successful
[13:51:28] PWD
[13:51:28] 257 "/domains/andrew###.co.uk/public_html/en/wp-content" is the current directory
[13:51:28] TYPE A
[13:51:28] 200 Type set to A
[13:51:28] PASV
[13:51:28] 227 Entering Passive Mode (88,208,###,13,177,224).
[13:51:28] Opening data connection to 88.208.###.13 Port: 45536
[13:51:28] LIST -aL
[13:51:49] A connection attempt failed because the connected party did not properly respond after a period of time,
 
Just to mention, the above is with IPTables on. I can connect fine with IPTables off, but that's not secure.
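An added diagnostic (not from the thread, and not anyone's posted code) that decodes the 227 reply in the log above and checks the data port against the tcp ranges the posted iptables-save accepts: (…,177,224) decodes to 177*256+224 = 45536, which is outside the 35000:35999 rule, so the LIST data connection is dropped by the INPUT chain and times out. The rule lines and the log excerpt are constructed from the post, with a TEST-NET placeholder in place of the masked address.

```python
import re
from typing import Dict, List, Tuple

# Constructed input: the relevant INPUT rules from the posted iptables-save.
IPTABLES_RULES = """\
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 35000:35999 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -m state --state NEW -j ACCEPT
"""

# Constructed input: the PASV exchange from the SmartFTP log, with a
# placeholder (TEST-NET) address in place of the masked one.
FTP_LOG = """\
[13:51:28] PASV
[13:51:28] 227 Entering Passive Mode (192,0,2,13,177,224).
[13:51:28] LIST -aL
"""


def tcp_accept_ranges(rules: str) -> List[Tuple[int, int]]:
    """Collect (low, high) destination-port ranges from INPUT tcp ACCEPT rules."""
    ranges = []
    for line in rules.splitlines():
        if not ("-A INPUT" in line and "-p tcp" in line and "-j ACCEPT" in line):
            continue
        m = re.search(r"--dport (\d+)(?::(\d+))?", line)
        if m:  # single port "21" or range "35000:35999"
            low = int(m.group(1))
            ranges.append((low, int(m.group(2) or low)))
    return ranges


def pasv_port(log: str) -> int:
    """Decode the data port from a 227 reply: (h1,h2,h3,h4,p1,p2) -> p1*256+p2."""
    m = re.search(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", log)
    if not m:
        raise ValueError("no '227 Entering Passive Mode' reply in log")
    return int(m.group(5)) * 256 + int(m.group(6))


def port_allowed(port: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(low <= port <= high for low, high in ranges)


def diagnose(rules: str, log: str) -> Dict[str, object]:
    """Report whether the server's chosen passive port would pass the INPUT chain."""
    port = pasv_port(log)
    ranges = tcp_accept_ranges(rules)
    return {"data_port": port, "allowed": port_allowed(port, ranges), "ranges": ranges}


if __name__ == "__main__":
    print(diagnose(IPTABLES_RULES, FTP_LOG))
```

A passive data connection only matches the RELATED,ESTABLISHED rule when the kernel's FTP connection-tracking helper (ip_conntrack_ftp on that kernel generation) is loaded; without it, the server's passive range (ProFTPD's PassivePorts directive) has to be pinned to the same range the firewall opens.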
 
Examples will not allow us to test it for you.

You should probably just use KISS firewall. It's a lot easier than trying to set it up yourself.
 
> Examples will not allow us to test it for you.
>
> You should probably just use KISS firewall. It's a lot easier than trying to set it up yourself.

Would this conflict with DA, and also is there an easy install guide for CentOS 5.3 32bit?
 
> Would this conflict with DA?

If you spend any time researching here on the forum you will see that it is one of the recommended firewalls.

> and also is there an easy install guide for CentOS 5.3 32bit?

Each install for each person is unique. You could follow my guide but you may not want or understand what I do. I have 4 pages in small print of stuff I do for a server. You need to learn what you want for your server.
 
> If you spend any time researching here on the forum you will see that it is one of the recommended firewalls.
>
> Each install for each person is unique. You could follow my guide but you may not want or understand what I do. I have 4 pages in small print of stuff I do for a server. You need to learn what you want for your server.

Lol, fair point with me not searching the forums.
 
I've got two versions of kiss available on my download pages, here. One of them should work on your DirectAdmin server, and the lines at the top are self explanatory as to where to put the file and how to run it, and where to make changes.

There may be other versions of kiss available elsewhere.

Jeff
 