March 28, 2024, 10:37:02 PM

News : LinuxSolved.com Linux Help Community Forum..


Author Topic: access only LAN ips to FTP  (Read 10365 times)

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« on: May 08, 2004, 06:15:48 AM »
dear friends

i have configured vsftp on redhat linux 9.0 for ftp server. but i want to restrict for IPs out of the LAN.

i want to only LAN ips can access to ftp server.

how can i configure it??

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
access only LAN ips to FTP
« Reply #1 on: May 08, 2004, 06:34:53 AM »
Ok make a iptables rule..
First block your ftp ports for every one.. or u can block it to outside world on.. I doing to block ftp port for every one then only opening it for internal network. ie the network connected to eth1
Code: [Select]
# below rule block any on from anywhere accessing the port 21 ie.. ftp
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP    

# Now this rule will open ftp port for only LAN
 iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT  

I hope you know how to use iptables.. if not then see NAT how to  in "How to" section of LinuxSolved.com forums to get a idea!!

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« Reply #2 on: May 08, 2004, 07:41:53 AM »
thank you Ricky

if i want to a rang ip from another network can access to ftp server what can i do?

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
access only LAN ips to FTP
« Reply #3 on: May 08, 2004, 09:36:33 AM »
Are you saying that what if you want some external client ie. public ip address to access your ftp ?
Ok then simply add a another line.. !! like..
Code: [Select]
iptables -A INPUT -p tcp -s <your trusted pucblic ip> -d 0/0 --dport 21 -j ACCEPT    I have not tested .. but it should work.. :)

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« Reply #4 on: May 08, 2004, 11:09:15 AM »
dear Ricky

because of network tarffic!!!!
when i entered  these commands, all access from all computer lost!!!!!!!!!
 :(

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
access only LAN ips to FTP
« Reply #5 on: May 08, 2004, 11:32:20 AM »
Did u applied only above rules or any other with them ?
Also did u applied fisrt two only or all..

Lastly.. all type of access denied . not only ftp ?

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« Reply #6 on: May 08, 2004, 11:44:42 AM »
i applied only these rules:

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP
iptables -A INPUT -p tcp -s X.X.X.X -d 0/0 --dport 21 -j ACCEPT

all clients can not connect to ftp server. only ftp

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
access only LAN ips to FTP
« Reply #7 on: May 08, 2004, 12:11:51 PM »
First of all you have to make a script which can delete old rules..  (if any)
and then apply our new rules. It so that we can avoid undesirable effect due to conjunction of new and old rules..

BTw. by applying above two rules you have blocked every one from using ftp then have allowed only x.x.x.x to access ur ftp.. but i suggest u to use network mask also.. like x.x.x.x/x .

Ok you do like this..
Code: [Select]
iptables=/sbin/iptables
iptables --flush -t nat
# below rule block any on from anywhere accessing the port 21 ie.. ftp
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP    

# Now this rule will open ftp port for only LAN
 iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT  

# giving access to specific ip
iptables -A INPUT -p tcp -s <your trusted pucblic ip> -d 0/0 --dport 21 -j ACCEPT    

# likewise u can add more rules so that u can make ur firewall..  

Hope u got cleared..

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« Reply #8 on: May 08, 2004, 12:54:42 PM »
Dear Ricky

i do it like you.But .....
it closes ftp connections between clients and server!!!
 :?

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
access only LAN ips to FTP
« Reply #9 on: May 08, 2004, 02:55:53 PM »
Can you tell me what is your local network connected to ?

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« Reply #10 on: May 08, 2004, 03:23:20 PM »
we do not have any problem with LAN.
i think the first rule must edit.
something is wrong.

thanks Ricky

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
access only LAN ips to FTP
« Reply #11 on: May 08, 2004, 03:52:12 PM »
i asked you that on which eth is connected to LAN .. Here I assumed that your eth1 is connected to LAN.. say if your eth0 is connected to internet then we can make it something like.. ie.. instead of those two rules..
Code: [Select]
iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
I think first rule is presedence over the second rule.. whatever.. NOw i have modified so that it only blocks ftp from internet.. ie eth0 so you don't need anything to allow your local network to access ftp as it was never blocked.

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« Reply #12 on: May 12, 2004, 06:38:34 AM »
Dear friends

when clients want to contact to ftp server behind the proxy server,
receive error below:

Windows Cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder. Details: a connection with the server cannot be established

notes:
there is no firewall on ftp server and proxy server!
clients have invalid ip addresses

what is the problem

thanks

Offline Ricky

  • LST CareTaker
  • Specially Skilled
  • *****
  • Posts: 2381
access only LAN ips to FTP
« Reply #13 on: May 12, 2004, 07:05:29 AM »
R u sure your ftp daemon is running on ur linux ?

Offline i_am_so_kittle

  • Linux Noob !
  • *
  • Posts: 8
access only LAN ips to FTP
« Reply #14 on: May 12, 2004, 07:10:10 AM »
Dear Ricky

i can access ftp server by valid ip address with no proxy server!