raffe's questions -server

raffe

Asked: 2016-10-27 06:22:55 +0800 CST

Are my iptables for FTPS with TLS OK?

I have tried to Google around to get a iptable for my FTPS with TLS (proftpd) working with the iptables killswitch I now have working (see https://www.reddit.com/r/linuxquestions/comments/57mga5/is_my_iptables_killswitch_working_have_some_p/ ).

I use port 10210 for the FTPS and 60100-60119 for passive ports, this traffic don't go thru the VPN. I have come up with this (they are above the last drop lines):

# Allow traffic via TLS FTPS
iptables -A INPUT -p tcp -m tcp --dport 10210 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# It seems to be working without the line under
#iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 10210:60119 --dport 60100:60119 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A OUTPUT -p tcp -m tcp --dport 10210 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# It seems to be working without the line under
#iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 10210:60119 --dport 10210:60119 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

It seems to work, but as I am a iptables noob, I'm wondering what I have done wrong (I probably have ;), not sure about the port ranges and maybe it is to open?)

EDIT I had problems with connections, so I have changed to this that work better

-A INPUT -p tcp -m tcp --dport 10210 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 10210 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60100:60119 -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 10210 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 10210 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 60100:60119 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 60100:60119 -j ACCEPT

I will later, after reading http://ipset.netfilter.org/iptables-extensions.man.html , try this instead of the port ranges above

iptables -A INPUT -p tcp --dport 60100:60119 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 60100:60119 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 60100:60119 -m conntrack --ctstate NEW,ESTABLISHED,RELATED-j ACCEPT

And remove -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT and also I wonder if I actually also should remove -m conntrack --ctstate NEW,ESTABLISHED for 10210 as it IS the incoming port for the FTPS?

Are my iptables for FTPS with TLS OK?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?