I have a Fedora server which users must be able to FTP to. I do not want to allow any arbitrary outbound connections like HTTP, SSH, etc. in case a vulnerable PHP/CGI app gets hacked.
With a couple of iptables rules and modprobe ip_conntrack/ip_conntrack_ftp, FTP works fine. But here's the problem: it seems as though the "official" Red Hat-ish way of saving your firewall ruleset is doing an "iptables-save > /etc/sysconfig/iptables"?
Apparently this allows you to do things like "service iptables restart". That's all fine, but my firewall script's "modprobe" statements aren't being saved, which obviously means FTP won't work.
Any suggestions? Of course I can just run the firewall.sh file at boot and manually if need be, but is there a more "standard" approach?
Thanks, hostingmaniac. So if I wanted to save these rules, I run:
iptables-save > /etc/sysconfig/iptables
service iptables restart
(I want users to be able to FTP to my box after I reboot...) The problem is, the ip_conntrack_ftp module isn't saved. I guess I should just run the .sh file (your above script) via rc.local instead of dealing with the Red Hat iptables "services".
When I load your rules, this is what iptables-save stores:
# Generated by iptables-save v1.3.0 on Sat Sep 16 01:52:00 2006
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [277970:28772703]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Completed on Sat Sep 16 01:52:00 2006
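The "standard" mechanism the question is looking for, as an added example that is not code from any poster in this thread: on Red Hat and Fedora systems of this era the iptables init script reads /etc/sysconfig/iptables-config and runs modprobe for every module listed in IPTABLES_MODULES before it runs iptables-restore on /etc/sysconfig/iptables, so ip_conntrack_ftp belongs in that variable rather than in rc.local. The script below mirrors that boot sequence (modules first, then rules) and adds a check that the saved ruleset really depends on the helper. The config and rules files are parameters, the sample files it writes are constructed for the demonstration, and DRY_RUN is an assumed switch that prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not code from this thread. Mirrors what the RHEL/Fedora
# iptables init script does with IPTABLES_MODULES from
# /etc/sysconfig/iptables-config: load the listed kernel modules, then
# restore the saved ruleset. DRY_RUN=1 (assumed switch) prints instead of
# executing so the sequence can be inspected without touching the kernel.

# Extract the module list from an iptables-config style file without
# sourcing it (a malformed or tampered config must not execute code).
# Accepts IPTABLES_MODULES="a b", IPTABLES_MODULES='a b' and IPTABLES_MODULES=a.
iptables_modules_from_config() {
    config="$1"
    [ -r "$config" ] || return 1
    sed -n 's/^[[:space:]]*IPTABLES_MODULES=//p' "$config" \
        | tail -n 1 \
        | tr -d "\"'"
}

# Load (or, in dry-run mode, print the modprobe for) every listed module.
# Fails on the first module that does not load so a missing helper is
# noticed at boot rather than when the first FTP data connection is dropped.
load_iptables_modules() {
    mods=$(iptables_modules_from_config "$1") || return 1
    for mod in $mods; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "modprobe $mod"
        else
            modprobe "$mod" || return 1
        fi
    done
}

# FTP data connections are only classified RELATED when the conntrack
# helper is loaded, so a ruleset that accepts RELATED on ports 20/21 is
# exactly the one that silently breaks when IPTABLES_MODULES is empty.
rules_need_ftp_helper() {
    grep -Eq -- '--(s|d)port (20|21) .*RELATED' "$1"
}

# Boot-time sequence: modules first, then iptables-restore.
restore_firewall() {
    load_iptables_modules "$1" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables-restore < $2"
    else
        iptables-restore < "$2"
    fi
}

# Stand-alone demonstration on constructed files in a temp directory.
DRY_RUN=1
tmp=$(mktemp -d)
cat > "$tmp/iptables-config" <<'EOF'
# constructed sample of /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
IPTABLES_SAVE_ON_STOP="no"
EOF
cat > "$tmp/iptables" <<'EOF'
# constructed excerpt of an iptables-save file
*filter
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF

if rules_need_ftp_helper "$tmp/iptables"; then
    echo "ruleset relies on the FTP conntrack helper; loading modules first"
fi
restore_firewall "$tmp/iptables-config" "$tmp/iptables"
```

On a real host the equivalent is a single line, `IPTABLES_MODULES="ip_conntrack_ftp"`, in /etc/sysconfig/iptables-config; the init script then does the modprobe itself on every `service iptables start`. On later kernels the modules are named nf_conntrack_ftp and nf_nat_ftp. Keeping the helper loaded is what lets the data connection match as RELATED, which is the narrowest rule that still serves the original goal of blocking all other outbound traffic from a compromised web app.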
There is no need to put the script under rc.local, if you have saved those rulesets in /etc/sysconfig/iptables. It should read even after the server gets rebooted. Please enable iptables on the Red Hat box by using the command