I used the advice below to set up a firewall. I've noticed that I cannot use wget to download anything from ftp servers. To check, I banged !iptables in /etc/rc.conf and wget will work with ftp sites. What do I add to iptables.rules to have wget work with ftp? Or is this like asking how well a screendoor would work on a submarine :?
http://bbs.archlinux.org/viewtopic.php?t=2367
It's my simple solution for desktops.
1) Start your browser and run a security test at http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2
2) If iptables is not installed:
pacman -Sy iptables
else go to #3
3) As root or via su, go to /etc/iptables:
cd /etc/iptables/
4) Copy simple_firewall.rules to iptables.rules:
cp simple_firewall.rules iptables.rules
Note: IMHO the file simple_firewall.rules contains basic predefined firewall rules.
5) Add iptables to the DAEMONS section of rc.conf:
DAEMONS=(SOMETHING iptables !SOMETHING)
6) Reboot your linux box.
7) Start your browser and run the security tests again at http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2 .
8) See the difference.
Or is this like asking how well a screendoor would work on a submarine :?
Kind of..
First off, ftp is a horrible protocol. Terrible, bad, bad...
ok..now onto the solution...
it depends on the ftp type of the server you are connecting to, be it passive or active ftp.
more info on that here: http://slacksite.com/other/ftp.html
basically, if you are on the client side of a passive ftp connection:
wget --passive-ftp
then you can just use connection tracking in iptables and it should work...
/sbin/iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
the above inserts the rule into the input table as the first rule..you might want to adjust the location of insertion accordingly...
active ftp ....wow..i wish you luck..
if you have need of active ftp, post again, and I will see if I can recall how to do that..
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
cactus thanks-
That did the trick. Thanks for the link...great info.
dk
Another solution to make FTP-active connections work through iptables:
in /etc/rc.conf
MODULES=(... ip_conntrack_ftp ...)
That should be enough. Use any ftp client in whatever mode you wish (active or passive).
It will keep your computer closed while ftp active connections are not established. Highly efficient.
oooh..good one ice ram.
does it work server side as well, or is it client side specific?
ip_conntrack_ftp:
On the client side it is required for active connections (if your default rule for the INPUT Chain is not ALLOW).
On the server side it is required for passive connections (if your default rule for the OUTPUT Chain is not ALLOW).
Conclusion: yes, it works on the server side too.
Extra info on ip_conntrack_ftp (this is quite recent in my mind): http://psi.affinix.com/forums/index.php … f=1&t=1940
(scan the topic, you'll find relevant info inside)
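To show what ip_conntrack_ftp actually has to do on the control channel, here is an added Python example that is not from this thread: it decodes the PORT command and the 227 passive-mode reply, works out which side opens the data connection (and so which client-side rule admits it), and rejects an announced address that does not match the host that sent it. The sample messages and addresses are constructed.

```python
import re
from ipaddress import IPv4Address

# Constructed control-channel lines, not captured from a real session.
ACTIVE_PORT_CMD = "PORT 10,0,0,5,7,210"                        # client announces its data port
PASSIVE_REPLY = "227 Entering Passive Mode (203,0,113,9,195,80)"  # server announces its data port

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Why each mode needs what it needs on a client with a default-deny INPUT chain.
CLIENT_RULE = {
    "active": "server connects back: NEW on INPUT, only RELATED via ip_conntrack_ftp",
    "passive": "client connects out: replies match ESTABLISHED,RELATED on INPUT",
}


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in: %r" % text)
    ip = str(IPv4Address((h1 << 24) | (h2 << 16) | (h3 << 8) | h4))
    return ip, (p1 << 8) | p2


def expected_data_connection(line, sender_ip):
    """Return (mode, initiator, ip, port) for the data connection announced
    by one control-channel line, i.e. the flow conntrack must mark RELATED.
    sender_ip is the address of the host that sent the line; as a sanity check
    (this example's own, not a claim about the kernel helper) the announced
    address must be the sender's own, otherwise the line is rejected.
    """
    if line.upper().startswith("PORT "):
        mode, initiator = "active", "server"
    elif line.startswith("227 "):
        mode, initiator = "passive", "client"
    else:
        return None
    ip, port = parse_hostport(line)
    if ip != sender_ip:
        raise ValueError("announced %s does not match sender %s" % (ip, sender_ip))
    return mode, initiator, ip, port


if __name__ == "__main__":
    for line, sender in ((ACTIVE_PORT_CMD, "10.0.0.5"), (PASSIVE_REPLY, "203.0.113.9")):
        mode, who, ip, port = expected_data_connection(line, sender)
        print("%-7s data connection opened by %s to %s:%d -> %s" % (mode, who, ip, port, CLIENT_RULE[mode]))
```

The helper only works because it reads these lines in cleartext; on an encrypted control connection (FTPS) it sees nothing, and active mode is back to being a NEW inbound connection on the client.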
if you should use shorewall one day (or maybe your own script in /etc/rc.d or so ... ?)
Anyway, shorewall has a file for this where you specify which modules to load at shorewall start-up:
/etc/shorewall/modules
The ftp, irc and another one are present there by default, I believe.