Re: Blocking FTP to external-network users

From: Alex Pope (pope@extrem.org)
Date: Mon Jan 31 2000 - 08:59:27 EST


On Mon, 31 Jan 2000, Daniel Zeaiter wrote:

> I have an FTP server setup on my RH6.1 K2.2.14 machine, but I wish to
> only allow computers on my local network (192.168.1.0) to access it. How
> is this possible? I figured maybe using IP Chains, but can you use that
> to block individual ports?
>
> Thanks in advance!
> Daniel Zeaiter.

The tcp_wrappers package allows you to monitor and filter incoming
requests for many network services, including ftp. It's probably already
installed on your machine. The wrapper itself is called tcpd and it uses
two config files - /etc/hosts.allow and /etc/hosts.deny. Usually
hosts.deny contains the "deny all" rule (all: all) - this denies all
service to all hosts, unless they are permitted access by entries in the
hosts.allow file. So in your case include the line

your_ftpservername_here: 192.168.1.

in hosts.allow and you'll be set. Also, check /etc/inetd.conf for a similar
line:

ftp stream tcp nowait root /path/to/your/ftpserver

change it to

ftp stream tcp nowait root /path/to/tcpd /path/to/your/ftpserver

and give inetd a HUP.

As for IP spoofing, I think the right thing to do is:

ipchains -A input -j REJECT -i extif -s intlan -d universe -l

where extif is your external interface, intlan is your internal LAN
network address (192.168.1.0/24), and universe is 0.0.0.0/0.

cheers,
alex

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu
This archive was generated by hypermail 2b29 : Mon Jan 31 2000 - 21:00:34 EST