I have finished setting up iptables, but FTP login/connection does not work. NAT/firewall at the hardware/router level is forwarding correctly.
I have added the ftp entries but it does not seem to work.
Q: Why are FTP connections not allowed here?
My current iptables configuration is:
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:29292 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:29292 state ESTABLISHED
Update: I have updated it, but it still does not allow connections
[root@host ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere cpc15-bmly9-2-0-custx.2-3.cable.virginm.net tcp spts:1024:65535 dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:29292 state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data ctstate RELATED,ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 ctstate ESTABLISHED /* Allow passive inbound connections */
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- cpc15-bmly9-2-0-custx.2-3.cable.virginm.net anywhere tcp spt:ftp-data dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:29292 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW,ESTABLISHED /* Allow ftp connections on port 21 */
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data ctstate ESTABLISHED /* Allow ftp connections on port 20 */
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 ctstate RELATED,ESTABLISHED /* Allow passive inbound connections */
Answer 1
A few general things:
- The rules in an iptables firewall are traversed in order.
- Simplified: iptables processing stops as soon as a packet satisfies a rule that allows or denies access.
- You can configure iptables as a packet filter, where every packet is inspected on its own, or as a stateful firewall, where connection information is taken into account.
Usually the first rule in a stateful firewall configuration is to allow packets belonging to already established connections. The idea is that, for a connection to have been established in the first place, it must have been allowed by a later explicit rule, and repeating all those subsequent checks is simply wasted effort (iptables -L -v -n will show the following):
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2789K 866M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
The syntax to create it (in the other commonly used notation for showing an iptables configuration) is:
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
although the iptables command itself is usually omitted.
Your configuration is missing this first rule.
The subsequent rules then only need to allow new connections for the protocols you want to allow, rather than allowing both new and already accepted connections as you did before:
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
whereas allowing SSH like this is sufficient:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Your FTP problem: FTP is an odd protocol because it uses two connections. The first is the control connection; by default the FTP server listens for it on TCP port 21.
The control connection is used for authentication and for issuing commands. The actual file transfers and things like directory listing output go over a second TCP connection, the data connection. In active FTP the data connection is initiated from TCP port 20 on the FTP server and connects back to the FTP client. Active FTP does not work well for users behind firewalls and NAT gateways and has largely fallen out of use.
Most FTP servers support passive FTP. With passive FTP, the FTP server opens a listener on a second port for the data connection, and the FTP client then connects to that port. The problem for firewalls is that the data port can be any available unprivileged port between 1024-65536.
In a stateless firewall this is usually solved by limiting the number of passive ports the FTP server may allocate and then opening those ports explicitly. For example, restrict the passive range to ports 21000-21050 and:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --match multiport --dports 21000:21050 -j ACCEPT
In a stateful firewall you do not need to open the DATA ports explicitly: the netfilter helper module recognises the dynamically assigned port and, by marking the DATA connection as RELATED so that it matches the generic first rule, dynamically opens that port for the correct client:
iptables -I INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
This requires the correct kernel modules to be loaded, for example in the FTP case by running insmod nf_conntrack_ftp manually; you can make it persistent by editing /etc/sysconfig/iptables-config and adding the nf_conntrack_ftp helper module to the IPTABLES_MODULES variable.
Note: when FTP is used with SSL, the FTP connection tracking module will fail, because the control connection is encrypted and nf_conntrack_ftp can no longer read the PASV response.
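To make the ordering and state argument in the answer concrete, here is an added example that is not part of the original question or answer: a small Python simulation of netfilter's first-match evaluation, applied to a subset of the asker's INPUT chain and to the chain shape the answer recommends. It is a model, not iptables itself; the client and server addresses, the passive data port 21005 and the client source ports are constructed values. It shows why the passive data connection's first packet reaches the chain policy (DROP) in the asker's ruleset even with nf_conntrack_ftp loaded, and why no ruleset helps when the helper is not loaded and that packet arrives as NEW.

```python
"""Simulate first-match evaluation of an iptables INPUT chain (constructed example).

A rule is (description, predicate, target). A chain is walked top to bottom;
the first matching rule decides, otherwise the chain policy applies.
"""

CLIENT = "203.0.113.10"    # constructed client address (RFC 5737 test range)
SERVER = "198.51.100.21"   # constructed FTP server address
HIGH = range(1024, 65536)  # unprivileged port range used by the asker's rules


def rule(desc, target="ACCEPT", **crit):
    """Build a rule whose every keyword criterion must match the packet.

    'states' matches the packet's ctstate against a tuple of states,
    'sports'/'dports' match the port against a range, any other key
    (proto, dport, dst, ...) is compared for equality.
    """
    def matches(pkt):
        for key, want in crit.items():
            if key == "states":
                if pkt["ctstate"] not in want:
                    return False
            elif key in ("sports", "dports"):
                if pkt[key[:-1]] not in want:   # 'sports' -> 'sport'
                    return False
            elif pkt.get(key) != want:
                return False
        return True
    return (desc, matches, target)


def evaluate(chain, pkt, policy="DROP"):
    """Return the target of the first matching rule, or the chain policy."""
    for _desc, matches, target in chain:
        if matches(pkt):
            return target
    return policy


# Subset of the asker's INPUT chain, in the order iptables -L printed it.
ASKER_INPUT = [
    rule("dpt:ftp state NEW,ESTABLISHED",
         proto="tcp", dport=21, states=("NEW", "ESTABLISHED")),
    rule("dst=client spts/dpts 1024:65535 state RELATED,ESTABLISHED",
         proto="tcp", dst=CLIENT, sports=HIGH, dports=HIGH,
         states=("RELATED", "ESTABLISHED")),
    rule("spts/dpts 1024:65535 ctstate ESTABLISHED",
         proto="tcp", sports=HIGH, dports=HIGH, states=("ESTABLISHED",)),
]

# The shape recommended in the answer: generic conntrack rule first, NEW only after.
RECOMMENDED_INPUT = [
    rule("state RELATED,ESTABLISHED", states=("RELATED", "ESTABLISHED")),
    rule("tcp dpt:22 state NEW", proto="tcp", dport=22, states=("NEW",)),
    rule("tcp dpt:21 state NEW", proto="tcp", dport=21, states=("NEW",)),
]


def packet(dport, ctstate, sport=50000):
    """A constructed inbound TCP packet from the client to the server."""
    return {"proto": "tcp", "src": CLIENT, "dst": SERVER,
            "sport": sport, "dport": dport, "ctstate": ctstate}


def scenarios():
    """Return {scenario: (asker_result, recommended_result)} for three packets."""
    control_syn = packet(21, "NEW")
    # Passive data connection to a server-chosen high port (21005 is constructed).
    # With nf_conntrack_ftp loaded the helper marks its first packet RELATED;
    # without the helper the same packet is just NEW.
    data_with_helper = packet(21005, "RELATED", sport=50001)
    data_without_helper = packet(21005, "NEW", sport=50001)
    cases = {
        "control connection, port 21, NEW": control_syn,
        "passive data, helper loaded (RELATED)": data_with_helper,
        "passive data, helper missing (NEW)": data_without_helper,
    }
    return {name: (evaluate(ASKER_INPUT, pkt), evaluate(RECOMMENDED_INPUT, pkt))
            for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (asker, recommended) in scenarios().items():
        print(f"{name:40s} asker={asker:6s} recommended={recommended}")
```

The middle scenario is the one the asker hit: their host-specific RELATED rule has the client as destination (it never matches inbound traffic to the server), and their generic high-port rule accepts ESTABLISHED only, so the RELATED packet that the ftp helper produces falls through to the DROP policy. The last scenario is why the answer insists on loading nf_conntrack_ftp: without it there is no RELATED state to match, and the generic first rule cannot help.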