iptables场景二——ftp主动模式

一 配置说明

1、ftp连接的默认模式为被动模式

2、vsftpd服务支持主动模式需要注意配置选项

port_enable=yes

connect_from_port_20=YES

3、iptables需要开启21端口的访问权限

iptables -I INPUT -p tcp -dport 21 -j ACCEPT

 

二 配置方法

1、配置前准备

[root@localhost ~]# vim /etc/vsftpd/vsftpd.conf

43 port_enable=yes

44 connect_from_port_20=YES

[root@localhost ~]# systemctl restart vsftpd.service

[root@localhost ~]# systemctl status vsftpd.service

?.vsftpd.service - Vsftpd ftp daemon

Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)

Active: active (running) since Sat 2017-08-19 10:27:10 CST; 17s ago

Process: 6918 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)

Main PID: 6920 (vsftpd)

CGroup: /system.slice/vsftpd.service

?..6920 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

 

Aug 19 10:27:10 localhost.localdomain systemd[1]: Starting Vsftpd ftp daemon...

Aug 19 10:27:10 localhost.localdomain systemd[1]: Started Vsftpd ftp daemon.

[root@localhost ~]# iptables -F

2、配置前测试

[root@localhost Packages]# ftp 192.168.0.103

Connected to 192.168.0.103 (192.168.0.103).

220 (vsFTPd 3.0.2)

Name (192.168.0.103:root): anonymous

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,0,103,178,168).

150 Here comes the directory listing.

drwxr-xr-x 2 0 0 6 Nov 05 2016 pub

226 Directory send OK.

ftp> passive

Passive mode off.

3、开始配置

[root@localhost Packages]# iptables -I INPUT -p tcp --dport 21 -j ACCEPT

[root@localhost Packages]# iptables -I INPUT -p tcp --dport 22 -j ACCEPT

[root@localhost Packages]# iptables -I INPUT -p icmp -j ACCEPT

[root@localhost Packages]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

[root@localhost Packages]# iptables -A INPUT -j REJECT

[root@localhost Packages]# iptables -nL

Chain INPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21

REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

4、配置后在192.168.0.108上进行测试

[root@localhost ~]# iptables -F

[root@localhost ~]# ftp 192.168.0.103

Connecting to 192.168.0.108:22...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

 

Last login: Sat Aug 19 11:41:25 2017 from 192.168.0.104

[root@localhost ~]# ftp 192.168.0.103

Connected to 192.168.0.103 (192.168.0.103).

220 (vsFTPd 3.0.2)

Name (192.168.0.103:root): anonymous

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

227 Entering Passive Mode (192,168,0,103,195,18).

ftp: connect: Connection refused

ftp> passive

Passive mode off.

ftp> ls

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

drwxr-xr-x 2 0 0 6 Nov 05 2016 pub

226 Directory send OK.