配置vsftpd+iptable的方法

由于FTP采用被动方式，所以1024以上的数据传输端口是随机的，这样面临的问题是iptable不能够指定相应的开放端口，我采用的方法是把

VSFTPD的PASV的数据传输端口加以限定，然后开放iptable的相应端口，具体配置文件如下：

vsftpd.conf:

pasv_min_port=YES

pasv_max_port=65530

pasv_min_port=65520

local_root=/home/ftp

max_per_ip=2

#local_max_rate=2000000

#chown_uploads=yes

#chown_username=root

pam_service_name=vsftpd

userlist_enable=YES

userlist_deny=NO

#enable for standalone mode

listen=YES

tcp_wrappers=YES

iptables:

[root@IhepTest ftp]# more /etc/sysconfig/iptables

# Generated by iptables-save v1.2.8 on Fri Jan 19 15:53:31 2007

*filter

:INPUT ACCEPT [0:0]

:FORWARD ACCEPT [0:0]

:OUTPUT ACCEPT [3207:1174055]

:LUZHIGANG - [0:0]

:RH-Firewall-1-INPUT - [0:0]

-A INPUT -j LUZHIGANG

-A INPUT -j RH-Firewall-1-INPUT

-A FORWARD -j RH-Firewall-1-INPUT

-A LUZHIGANG -p tcp -m tcp --sport 65520:65530 -j ACCEPT

-A LUZHIGANG -p tcp -m tcp --dport 65520:65530 -j ACCEPT

-A LUZHIGANG -p tcp -m tcp --dport 3128 -j ACCEPT

-A LUZHIGANG -m state --state RELATED,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

-A RH-Firewall-1-INPUT -p icmp -m icmp any -j ACCEPT

-A RH-Firewall-1-INPUT -p esp -j ACCEPT

-A RH-Firewall-1-INPUT -p ah -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT

-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT

# Completed on Fri Jan 19 15:53:31 2007

本文地址：http://www.45fan.com/a/question/72704.html