I have to set up firewall rules for my onboard network (for the list of devices connected via the eth0 interface) during boot-up of a Linux device.

By default all communication over eth0 should be disabled.

Then read a configuration file (conf.xml) which contains the IP addresses, URLs or ports that are allowed to communicate, meaning only whitelisted devices can communicate.

I have done it in the following way, but it does not work as expected.

Default: disabled eth0 communication using

sudo iptables -A INPUT -i eth0 -j DROP

Then, for example, enabled FTP access for a specific IP mentioned in the configuration file (conf.xml) using the command below

iptables -A INPUT -p tcp -s --dport 21 -j ACCEPT

But I see eth0 communication is permanently disabled, and it does not even allow that IP address to access the FTP server.

Edit: As per the answer, I have modified the script as below.

Added the two lines below at the start

iptables -A INPUT -p tcp -s --dport 21 -i eth0 -j ACCEPT
iptables -A OUTPUT -p tcp -s --dport 21 -o eth0 -j ACCEPT

then added the two lines below at the end of the script

iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP

Still I am facing the issue accessing FTP using the IP: iptables -A INPUT -i eth0 -j DROP

1 Answer

  1. iptables rules are processed from top to bottom, and -A appends them at the bottom. If you start with a DROP rule that matches everything, then those packets will indeed get dropped immediately – they will never go through the subsequent ACCEPTs.

    So make sure your rules are added in the correct order – accept specific things before default-dropping everything. (If necessary, use -I to insert rules at the top of the chain, rather than bottom.)

    (But once you have a finalized ruleset, save/load the entire ruleset at once using iptables-save and iptables-restore; do not use scripts at that point.)

  2. FTP uses more than just port 21 – it uses separate data connections, which (in passive mode) are also inbound to the server, but on various random ports. You need to configure your FTP server for a specific port range and have an iptables ACCEPT rule for it, in addition to port 21.

  • Thanks sir for your answer. I followed the same procedure as you mentioned but still I am facing the issue. See my updated question. Also can you please elaborate more about FTP using more than one port? I know that 20 and 21 are used for active and passive connections but what are the others and how to configure those? Commented Jul 5, 2022 at 10:19
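Below is an added example (not the asker's script and not from the answer above) that puts the two points of the answer into one ordered ruleset: the specific ACCEPTs for port 21 and for a fixed passive-mode data port range are appended first, and the catch-all DROP on eth0 is appended last, so -A still produces the right order. The allowed addresses and the passive range are constructed placeholders; in the asker's setup they would be read from conf.xml and the range must match whatever the FTP server is configured to use.

```shell
#!/bin/sh
# Added example: build the INPUT ruleset in the order the answer describes.
# Values below are constructed placeholders, not taken from any real config.
ALLOWED_IPS="192.0.2.10 192.0.2.11"   # constructed; would come from conf.xml
PASV_MIN=50000                         # constructed passive range; must match
PASV_MAX=50100                         # the FTP server's passive port setting

# Prints the iptables commands in the correct order: specific ACCEPTs first,
# the interface-wide DROP last.  Nothing is executed here.
build_rules() {
    # Flush INPUT so re-running the script does not stack duplicate rules.
    echo "iptables -F INPUT"
    # Loopback, plus replies/related packets for connections already accepted
    # (this is what lets the FTP data connections through once tracked).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for ip in $ALLOWED_IPS; do
        # Control connection (port 21) from a whitelisted address only.
        echo "iptables -A INPUT -i eth0 -p tcp -s $ip --dport 21 -j ACCEPT"
        # Passive-mode data connections land on the configured port range.
        echo "iptables -A INPUT -i eth0 -p tcp -s $ip --dport ${PASV_MIN}:${PASV_MAX} -j ACCEPT"
    done
    # Only now the catch-all: with -A it is appended below the ACCEPTs above.
    echo "iptables -A INPUT -i eth0 -j DROP"
}

# Apply only when explicitly requested (requires root); otherwise just print
# the plan so the ordering can be reviewed first.
if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Run it without APPLY=1 to see the rule order before touching the live firewall. Two practical notes: if the OUTPUT chain is also default-dropped as in the edited question, it needs its own ESTABLISHED,RELATED accept (and an accept for the server's outbound port 20 connections if active mode is used); and loading the nf_conntrack_ftp kernel module lets the RELATED state cover FTP data connections that the control channel negotiates, which is the usual alternative to opening a fixed range.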
