I had an issue recently where I needed to allow FTP access to a server, as WordPress is a lot happier if you can allow it to (S)FTP to the account to do things. I didn’t want to allow it to clients outside the server, so I had to muck around with the iptables-based firewall I have. To work out what rules I had set up on startup, I checked the script that runs on startup on my Linux host.
```sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -m multiport --destination-ports (list of ports) -j ACCEPT
iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
```
I’ve got a few more rules which I’ll hide (one allowing my home IP full access, just in case!), but it’s fairly simple: block everything, then allow people to ping and do things like http/https/dns. I added the following line to my rules:
iptables -A INPUT -p tcp -s localhost --destination-port 21 -j ACCEPT
A fairly simple explanation is as follows:
- Append this rule to the INPUT processing “chain”: (-A INPUT)
- Talking on: -p(rotocol) tcp
- From the: -s(ource) address of localhost
- Aiming at the: --destination-port 21 (FTP)
- Perform the following action: -j ACCEPT
Once you’ve done this (or to troubleshoot iptables), enter the command “iptables -L” (using sudo, or having elevated privileges):
```
$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  localhost.localdomain  anywhere             tcp dpt:ftp
```
If you see the above or similar (the “ACCEPT” line is the important one), you’ve set up the rule. Remember that other rules can affect the workings of this one. If it’s still not working, and you’re sure that your FTP server config is OK, try clearing the iptables rules entirely and progressively adding rules back until you break something. Happy coding!
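As an added check (my own example, not part of the original post), the script below reads the rule-spec form of the same listing, `iptables -S INPUT`, and reports any INPUT ACCEPT rule that could admit a new tcp/21 connection from somewhere other than loopback, so you can confirm the FTP rule really is localhost-only and that no other rule (a multiport list, a catch-all) quietly widens it. The sample ruleset is constructed to resemble the one above; negated (`!`) matches are not interpreted and should be reviewed by hand.

```python
# Audit `iptables -S INPUT` output for ACCEPT rules that could admit a NEW tcp/21
# (FTP) connection from anywhere other than loopback. Sample ruleset is constructed.
import ipaddress
import shlex

FTP_PORT = 21
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_rule(line):
    """Pull the scope-relevant fields out of one `-A CHAIN ...` rule line."""
    tok = shlex.split(line)
    r = {"chain": None, "proto": None, "src": None,
         "ports": set(), "states": set(), "target": None}
    for t, arg in zip(tok, tok[1:]):            # option/argument pairs
        if t == "-A": r["chain"] = arg
        elif t == "-p": r["proto"] = arg
        elif t == "-s": r["src"] = ipaddress.ip_network(arg, strict=False)
        elif t in ("--dport", "--destination-port"): r["ports"].add(int(arg))
        elif t in ("--dports", "--destination-ports"):
            for part in arg.split(","):         # "21,80" or a range "20:22"
                lo, _, hi = part.partition(":")
                r["ports"].update(range(int(lo), int(hi or lo) + 1))
        elif t in ("--state", "--ctstate"): r["states"] = set(arg.split(","))
        elif t == "-j": r["target"] = arg
    return r

def exposed_ftp_rules(iptables_s_output):
    """Return INPUT ACCEPT rules that tcp/21 from a non-loopback source would hit."""
    exposed = []
    for line in (l for l in iptables_s_output.splitlines() if l.startswith("-A ")):
        r = parse_rule(line)
        if r["chain"] != "INPUT" or r["target"] != "ACCEPT":
            continue
        if r["states"] and "NEW" not in r["states"]:
            continue                            # reply-only rule, opens nothing new
        if r["proto"] not in (None, "tcp") or (r["ports"] and FTP_PORT not in r["ports"]):
            continue                            # no proto/port match means "all"
        src = r["src"]
        loopback_only = src is not None and src.version == 4 and src.subnet_of(LOOPBACK)
        if not loopback_only:
            exposed.append(line)
    return exposed

# Constructed sample: the post's ruleset with the localhost FTP rule, plus one
# over-broad port range to show what the audit catches.
SAMPLE = """\
-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20:22 -j ACCEPT
"""
```

Pipe the real listing in with `sudo iptables -S INPUT` and pass the text to `exposed_ftp_rules`; an empty result means only loopback can reach port 21.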