> Hi,
>
> Thanks, I modified my firewall and now it works for me. I made the following
> entries:
>
> :FORWARD ACCEPT [0:0] # Accept all forwarded packets. In my case there is no NAT, so this is ok.
> :INPUT DROP [0:0] # Drop all incoming packets.
> :OUTPUT ACCEPT [0:0] # Accept all outgoing packets. So no traffic from my server is blocked. Makes browsing the internet easier.
> -A INPUT -s 80.242.234.70 -j ACCEPT # All packets from this IP are accepted. This is my IP from where I manage my colocated server.
> -A INPUT -s 127.0.0.1 -j ACCEPT # Some services use the loopback to send/receive data. Leaving this entry out will cause some services to crash.
> -A INPUT -s 213.132.174.75 -j ACCEPT # See the line above.
> -A INPUT -d 127.0.0.1 -j ACCEPT # See the line above.
> -A INPUT -m state -d 213.132.174.75 --state ESTABLISHED,RELATED -j ACCEPT # Because some services are listening not only on the loopback, but also on the NIC. They need to send/receive data without being blocked by the firewall. The options ESTABLISHED,RELATED will prevent connections from the internet. Only related connections or already made connections will be accepted.
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT # Allow the internet to make a connection to the FTP data port.
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT # Allow the internet to make a connection to the FTP control port.
> -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT # Allow the internet to make a connection to the SMTP port.
> -A INPUT -p udp -m udp --dport 53 -j ACCEPT # Allow the internet to make a connection to the DNS (UDP) port.
> -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT # Allow the internet to make a connection to the DNS (TCP) port.
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT # Allow the internet to make a connection to the HTTP port.
> -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT # Allow the internet to make a connection to the POP3 port.
> -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT # Allow the internet to make a connection to the HTTPS port.
> -A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT # Allow the internet to make a connection to the USERMIN port.
> -A INPUT -p tcp -m tcp -m state --dport 60000:65000 --state ESTABLISHED,RELATED -j ACCEPT # This is a special one. Some FTP clients use FTP in passive mode. My FTP server is configured to use the passive ports between 60000 and 65000. Leaving this entry out will disable passive mode. To prevent the internet from using these ports to connect, only a RELATED or ESTABLISHED connection will be accepted. So when no FTP is used these ports are closed (stealth).
>
> All other services/protocols like NETBIOS, IMAP, ICMP, PING are blocked by
> default. If I have made any mistakes please tell me.
I would make one suggestion. Do not use FTP if you can avoid it. If you have people that need to download files, put them in a sub-directory of your website and allow indexing for that sub-directory only. If you have people that have to upload, and they're known to you, give them an unprivileged account on your box and enable SSH (SCP is a secure FTP replacement that runs on top of SSH). If they are *not* known to you and still need to upload anonymously, you could create an anonymous account that is chrooted to a specific upload directory and that has no other rights anywhere else in the file system. Other and wiser heads on the list could help with those specifics. I'm not that good, yet.

Ben

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
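The two points raised in this thread (the accept-by-address rules in the quoted ruleset, and Ben's advice to drop FTP for SCP over SSH) can be turned into an automated check. The following is an added example, not code from either poster: a small Python audit that parses an iptables-save style ruleset (the quoted one, reconstructed inline with the explanatory comments removed) and reports INPUT accept rules that match only on a source or destination address with no interface, port or state match, plus open ports for cleartext protocols. The list of cleartext ports and the finding categories are my own assumptions about what is worth flagging; the fix text for the loopback rule (`-i lo`) is the standard iptables idiom.

```python
"""Audit an iptables-save style ruleset for address-only accepts and cleartext ports."""
import shlex
from dataclasses import dataclass

# Constructed sample: the ruleset quoted in the thread, comments stripped.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 80.242.234.70 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 213.132.174.75 -j ACCEPT
-A INPUT -d 127.0.0.1 -j ACCEPT
-A INPUT -m state -d 213.132.174.75 --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --dport 60000:65000 --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Assumed list of ports whose protocols carry credentials in cleartext.
CLEARTEXT_PORTS = {20: "FTP data", 21: "FTP control", 23: "telnet", 110: "POP3"}
# Matches that narrow a rule beyond a bare address.
NARROWING = ("-i", "-p", "--dport", "--sport", "--state", "--ctstate")


@dataclass
class Rule:
    chain: str
    opts: dict   # option -> value; flag-only options map to True, "!-i" means negated -i
    raw: str


def parse_rule(line):
    """Parse one '-A CHAIN ...' line; returns None for any other line."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    opts, i = {}, 2
    while i < len(tokens):
        tok = tokens[i]
        negate = tok == "!" and i + 1 < len(tokens)
        if negate:
            i += 1
            tok = tokens[i]
        key = ("!" if negate else "") + tok
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if nxt is not None and not nxt.startswith("-") and nxt != "!":
            opts[key] = nxt
            i += 2
        else:
            opts[key] = True
            i += 1
    return Rule(chain=tokens[1], opts=opts, raw=line)


def parse_ruleset(text):
    """Return (chain policies, list of Rule) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(parse_rule(line))
    return policies, rules


def audit(text):
    """Return a list of (category, rule text, suggested fix) findings."""
    policies, rules = parse_ruleset(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append(("policy", ":INPUT", "set the INPUT default policy to DROP"))
    for r in rules:
        if r.chain != "INPUT" or r.opts.get("-j") != "ACCEPT":
            continue
        o = r.opts
        addr = o.get("-s") or o.get("-d")
        if addr and not any(k in o for k in NARROWING):
            if addr.startswith("127."):
                fix = "match the loopback interface instead: -A INPUT -i lo -j ACCEPT"
            else:
                fix = ("address-only match; a forged source address also matches. "
                       "Restrict to the management service with -p/--dport and a state match")
            findings.append(("address-only", r.raw, fix))
        port = o.get("--dport")
        if port and port.isdigit() and int(port) in CLEARTEXT_PORTS and "--state" not in o:
            findings.append(("cleartext", r.raw,
                             f"{CLEARTEXT_PORTS[int(port)]} sends credentials in the clear; "
                             "prefer SCP/SFTP over SSH or a TLS-protected service"))
    return findings


if __name__ == "__main__":
    for category, rule, fix in audit(SAMPLE_RULES):
        print(f"[{category}] {rule}\n    -> {fix}")
```

Run against the quoted ruleset it reports the four address-only accepts (the two loopback rules and the two rules keyed on the admin and server addresses) and the three cleartext ports (20, 21 and 110); the passive-FTP range is not flagged because it carries a state match, and the INPUT policy passes. Replacing `-A INPUT -s 127.0.0.1 -j ACCEPT` with `-A INPUT -i lo -j ACCEPT` removes one finding, which is the kind of before/after check worth keeping in a deployment script.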