FTP to localhost and iptables firewall

I had an issue recently where I needed to allow FTP access to a server, as WordPress is a lot happier if you can allow it to (S)FTP to the account to do things. I didn’t want to allow it to clients outside the server, so I had to muck around with the iptables-based firewall I have. To work out what rules were applied on startup, I checked the script my Linux host runs at boot.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -m multiport --destination-ports (list of ports) -j ACCEPT
iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I’ve got a few more rules which I’ll hide (one allowing my home IP full access, just in case!), but it’s fairly simple: block everything, then allow people to ping and to do things like http/https/dns. I added the following line to my rules:

iptables -A INPUT -p tcp -s localhost --destination-port 21 -j ACCEPT

A fairly simple explanation is as follows:

  • Add the following rule to this processing “chain”: (-A INPUT)
  • Talking on: -p(rotocol) tcp
  • From the: -s(ource) address of localhost
  • Aiming at the: --destination-port 21 (FTP)
  • Perform the following action: -j ACCEPT

Once you’ve done this (or to troubleshoot iptables), enter the command “iptables -L” (using sudo, or having elevated privileges):

$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source                 destination
ACCEPT     tcp  --  localhost.localdomain  anywhere             tcp dpt:ftp

If you see the above - or similar, the “ACCEPT” line is the important one - you’ve set up the rule. Remember that other rules can affect the workings of this one. If it’s still not working, and you’re sure that your FTP server config is OK, try clearing the iptables rules entirely and progressively adding rules back until you break something. Happy coding!
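The check I’d want after adding a rule like this is that port 21 ended up open to loopback only, and not to the whole world by a typo or a wider multiport rule further up the chain. The script below is an added example, not part of the original post or of the startup script described above. It audits text in the form printed by `iptables -S INPUT` (which shows `-s localhost` normalised to `127.0.0.1/32`) and reports any ACCEPT rule reaching port 21 that is not restricted to the loopback address or the `lo` interface. The rule sets named `SAMPLE_*` are constructed for the demonstration and are not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit the INPUT chain for
# ACCEPT rules that reach TCP port 21 and flag any that are not limited to
# loopback traffic. Input is text in the format produced by
# `iptables -S INPUT` (one rule specification per line), so saved output
# can be checked offline.
# Exit codes: 0 = every port-21 ACCEPT is loopback-only
#             1 = at least one port-21 ACCEPT is reachable from elsewhere
#             2 = no port-21 ACCEPT rule found at all

# Constructed sample rule sets (not real output from any host).
SAMPLE_OK='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 21 -j ACCEPT'

# The FTP rule written without any source restriction.
SAMPLE_EXPOSED='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT'

# A multiport rule whose port range happens to include 21.
SAMPLE_RANGE='-P INPUT DROP
-A INPUT -p tcp -m multiport --dports 20:21,80 -j ACCEPT'

# No FTP rule at all.
SAMPLE_NONE='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# audit_ftp_rules RULES_TEXT
audit_ftp_rules() {
  printf '%s\n' "$1" | awk '
    # Does a port token (single port "21", list "20,21" or range "20:21")
    # cover port 21?
    function covers_21(tok,    n, parts, i, lo, hi, r) {
      n = split(tok, parts, ",")
      for (i = 1; i <= n; i++) {
        if (index(parts[i], ":")) {
          split(parts[i], r, ":"); lo = r[1] + 0; hi = r[2] + 0
          if (lo <= 21 && 21 <= hi) return 1
        } else if (parts[i] == "21") return 1
      }
      return 0
    }
    $1 == "-A" && $2 == "INPUT" {
      hits = 0; loopback = 0; accept = 0
      for (i = 3; i <= NF; i++) {
        if (($i == "--dport" || $i == "--dports") && covers_21($(i + 1))) hits = 1
        if ($i == "-s" && $(i + 1) ~ /^127\.0\.0\.1(\/32)?$/) loopback = 1
        if ($i == "-i" && $(i + 1) == "lo") loopback = 1
        if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
      }
      if (hits && accept) {
        total++
        if (!loopback) { exposed++; print "EXPOSED: " $0 }
      }
    }
    END {
      if (total == 0) { print "no ACCEPT rule for port 21 found"; exit 2 }
      if (exposed > 0) exit 1
      print "ok: " total " port-21 ACCEPT rule(s), all limited to loopback"
    }'
}

# Demonstration on a constructed sample. On a real host, run as root:
#   audit_ftp_rules "$(iptables -S INPUT)"
audit_ftp_rules "$SAMPLE_OK"
```

Two things worth knowing when reading the real output: `iptables -L` reverse-resolves addresses (hence `localhost.localdomain` above), while `iptables -L -n` or `iptables -S` prints the numeric `127.0.0.1/32` the audit matches on; and a rule for port 21 only covers the FTP control connection, so the separate data connection is accepted by the `ESTABLISHED,RELATED` rule only when the kernel’s FTP connection-tracking helper is loaded.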

#firewall #FTP #iptables #Linux #Ubuntu #Wordpress