Linux Notes: iptables rule configuration for FTP active and passive modes

x33g5p2x, reposted on 2022-03-31, in Linux

Server-side preparation

First install vsftpd:

yum -y install vsftpd

Start the service:

systemctl start vsftpd.service

The configuration file is /etc/vsftpd/vsftpd.conf

By default, anonymous access is enabled.

Client-side preparation

Install the ftp client:

yum -y install ftp

FTP active mode

Using active mode on the client.

Main commands:

ftp <ip-address>
passive

Run:

[root@bogon ~]# ftp 192.168.65.81
Connected to 192.168.65.81 (192.168.65.81).
220 (vsFTPd 3.0.2)
Name (192.168.65.81:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode off.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
ftp>

Server-side iptables configuration

iptables -I INPUT -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -p icmp -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT

View the iptables chains:

[root@bogon ~]# iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@bogon ~]#

FTP passive mode

With the configuration above, using passive mode on the client gives the following:

[root@bogon ~]# ftp 192.168.65.81
Connected to 192.168.65.81 (192.168.65.81).
220 (vsFTPd 3.0.2)
Name (192.168.65.81:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
ftp> 
ftp> ls
227 Entering Passive Mode (192,168,65,81,69,202).
ftp: connect: 拒绝连接
ftp>

Method one: assign a fixed data port range to vsftpd and open that port range in iptables

vim /etc/vsftpd/vsftpd.conf

Configure iptables:

iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT

And it works:

[root@localhost ~]# ftp 192.168.201.81
Connected to 192.168.201.81 (192.168.201.81).
220 (vsFTPd 3.0.2)
Name (192.168.201.81:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,201,81,223,165).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0               6 Jun 09  2021 pub
226 Directory send OK.
ftp>
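To see why the first passive session was refused while the second one succeeded, here is an added example (not from the original post) that decodes the data port announced in the 227 reply (p1*256 + p2) and checks it against the 50000:60000 range opened in method one. The two 227 lines are copied from the sessions above; the PASV_MIN/PASV_MAX names and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: decode the port in a
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and check whether
# the rule "iptables -I INPUT -p tcp --dport 50000:60000 -j ACCEPT" would
# accept the client's data connection to that port.

PASV_MIN=50000   # range opened with iptables in method one (assumed names)
PASV_MAX=60000

# pasv_port REPLY -> prints the TCP data port: p1*256 + p2
pasv_port() {
    # extract the comma-separated tuple between the parentheses
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    p1=$(printf '%s\n' "$tuple" | cut -d, -f5)
    p2=$(printf '%s\n' "$tuple" | cut -d, -f6)
    echo $((p1 * 256 + p2))
}

# pasv_allowed REPLY -> returns 0 if the decoded port lies inside the opened
# range, 1 otherwise (the final REJECT rule in INPUT then refuses the connect)
pasv_allowed() {
    port=$(pasv_port "$1") || return 1
    [ "$port" -ge "$PASV_MIN" ] && [ "$port" -le "$PASV_MAX" ]
}

# the two 227 replies from the sessions in the post
for reply in \
    "227 Entering Passive Mode (192,168,65,81,69,202)." \
    "227 Entering Passive Mode (192,168,201,81,223,165)."
do
    port=$(pasv_port "$reply")
    if pasv_allowed "$reply"; then
        echo "data port $port: inside $PASV_MIN-$PASV_MAX, ACCEPT"
    else
        echo "data port $port: outside $PASV_MIN-$PASV_MAX, REJECT"
    fi
done
```

The first reply decodes to port 17866, which the REJECT rule refuses; the second decodes to 57253, which falls inside the opened range.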

Method two: use the FTP connection-tracking module. It follows the PORT/PASV exchange on the control connection, so the data connection is matched as RELATED by the rule below without opening a port range.

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# load now (temporary, lost on reboot)
modprobe nf_conntrack_ftp
# load automatically at boot
vim /etc/sysconfig/iptables-config
IPTABLES_MODULES="nf_conntrack_ftp"
