access only LAN ips to FTP

[i_am_so_kittle]

dear friends

i have configured vsftp on redhat linux 9.0 for ftp server. but i want to restrict for IPs out of the LAN.

i want to only LAN ips can access to ftp server.

how can i configure it??

[Ricky]

Ok make a iptables rule..
First block your ftp ports for every one.. or u can block it to outside world on.. I doing to block ftp port for every one then only opening it for internal network. ie the network connected to eth1

Code: [Select]

# below rule block any on from anywhere accessing the port 21 ie.. ftp
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP    

# Now this rule will open ftp port for only LAN
 iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT  

I hope you know how to use iptables.. if not then see NAT how to  in "How to" section of LinuxSolved.com forums to get a idea!!

[i_am_so_kittle]

thank you Ricky

if i want to a rang ip from another network can access to ftp server what can i do?

[Ricky]

Are you saying that what if you want some external client ie. public ip address to access your ftp ?
Ok then simply add a another line.. !! like..

Code: [Select]

iptables -A INPUT -p tcp -s <your trusted pucblic ip> -d 0/0 --dport 21 -j ACCEPT    I have not tested .. but it should work..

[i_am_so_kittle]

dear Ricky

because of network tarffic!!!!
when i entered  these commands, all access from all computer lost!!!!!!!!!
 

[Ricky]

Did u applied only above rules or any other with them ?
Also did u applied fisrt two only or all..

Lastly.. all type of access denied . not only ftp ?

[i_am_so_kittle]

i applied only these rules:

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP
iptables -A INPUT -p tcp -s X.X.X.X -d 0/0 --dport 21 -j ACCEPT

all clients can not connect to ftp server. only ftp

[Ricky]

First of all you have to make a script which can delete old rules..  (if any)
and then apply our new rules. It so that we can avoid undesirable effect due to conjunction of new and old rules..

BTw. by applying above two rules you have blocked every one from using ftp then have allowed only x.x.x.x to access ur ftp.. but i suggest u to use network mask also.. like x.x.x.x/x .

Ok you do like this..

Code: [Select]

iptables=/sbin/iptables
iptables --flush -t nat
# below rule block any on from anywhere accessing the port 21 ie.. ftp
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -j DROP    

# Now this rule will open ftp port for only LAN
 iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT  

# giving access to specific ip
iptables -A INPUT -p tcp -s <your trusted pucblic ip> -d 0/0 --dport 21 -j ACCEPT    

# likewise u can add more rules so that u can make ur firewall..  
Hope u got cleared..

[i_am_so_kittle]

Dear Ricky

i do it like you.But .....
it closes ftp connections between clients and server!!!
 :?

[Ricky]

Can you tell me what is your local network connected to ?

[i_am_so_kittle]

we do not have any problem with LAN.
i think the first rule must edit.
something is wrong.

thanks Ricky

[Ricky]

i asked you that on which eth is connected to LAN .. Here I assumed that your eth1 is connected to LAN.. say if your eth0 is connected to internet then we can make it something like.. ie.. instead of those two rules..

Code: [Select]

iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
I think first rule is presedence over the second rule.. whatever.. NOw i have modified so that it only blocks ftp from internet.. ie eth0 so you don't need anything to allow your local network to access ftp as it was never blocked.

[i_am_so_kittle]

Dear friends

when clients want to contact to ftp server behind the proxy server,
receive error below:

Windows Cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder. Details: a connection with the server cannot be established

notes:
there is no firewall on ftp server and proxy server!
clients have invalid ip addresses

what is the problem

thanks

[Ricky]

R u sure your ftp daemon is running on ur linux ?

[i_am_so_kittle]

Dear Ricky

i can access ftp server by valid ip address with no proxy server!