How to block FTP access from WAN on RT-N66U

mberteotti

Occasional Visitor
I have an RT-N66U with 3.0.0.4.374.35_4 FW. I'd like to use FTP only on the intranet; it should not be accessible from WAN. How can I do that? By default FTP is accessible from WAN (port 21 is open on WAN).

For example, on the RT-N56U there is a switch that turns access to the FTP server from WAN on/off... I couldn't find it on the RT-N66U.

Thank you.

Marco B.
 
Under USB application > media server > FTP share, disable FTP

and enable only the one under network places (Samba)
 
Yes, but this disables FTP completely, and FTP doesn't work on the intranet either (no LAN and no WAN FTP server at all).

Thanks.

Marco
 
Hmm, that does it for me. I have those settings and the sharing works only on LAN.

Do you have share with an account enabled on the Samba part?

What build do you have? I have 3.0.0.4.374.38_2-em
 
I have the SAMBA share enabled with no account (anonymous). The Samba share works perfectly: no access from WAN, only from LAN. I have the 3.0.0.4.374.35_4 build and am waiting for a FW release that has the -EM switch integrated and default, not experimental.

Thank you!!

Marco B.
 
So where is the problem? I thought that is what you want, right?

No.

I need FTP and SAMBA too. SAMBA works OK, but FTP, if enabled, is open to WAN and I don't want that. Sorry for my English, probably I can't explain myself correctly.

Marco
 
Oh, OK, I understand what you are saying...
I don't know if it is possible, and if it is, I don't know if it can be done from the web interface... It might need some scripting, with which I cannot help you :(

Maybe someone can make you a script or give you some firewall rules that will cut off the port 21 connection to WAN.

Out of curiosity, why do you need a LAN FTP when Samba performs exactly the same function?
 
I have a couple of IP cameras that can write only to an FTP server (when triggered by motion detection), not to a SAMBA server, unfortunately. ;)

Bye.
 
Try this rule to block port 21 from wan:
Code:
iptables -I INPUT --dport 21 -j DROP
 
without specifying the wan interface, i think that would drop port 21 traffic from the lan, too.

so, something like;

Code:
iptables -I INPUT -i eth0 -p tcp --dport 21 -j DROP

i have been using /jffs/scripts/firewall-start for these rules. well, for filtering outgoing ports.

for that, i use:

Code:
iptables -I FORWARD -p tcp --dport 21 -j DROP

to drop outgoing requests to an ftp server on the internet, for example.

make sure the script starts with
Code:
#!/bin/sh
and use chmod a+rx /jffs/scripts/* when you're done
 
As there are different ways to accomplish things, these are a couple that have worked for me.

iptables -I INPUT -p tcp --destination-port 21 -j DROP
iptables -I INPUT -p tcp --destination-port 21 --source `nvram get lan_ipaddr`/`nvram get lan_netmask` -j ACCEPT
 
Great! These work for me too. Now I can access FTP from LAN and not from WAN!

Sinshiva is right: using "iptables -I INPUT --dport 21 -j DROP", all FTP calls are dropped, not only WAN ones. But his command "iptables -I INPUT -i eth0 -p tcp --dport 21 -j DROP" doesn't work. Is eth0 the WAN interface?

Thank you EronRackzak and Sinshiva :)
 
if inserting didn't work, try appending, sorry;

iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP
 
ah, maybe not. it might work differently with PPPoE, if that's what you're using. post the output of;
Code:
ifconfig -a
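
The LAN-only FTP rules that were confirmed working above, written out as a /jffs/scripts/firewall-start script. This is an added example, not part of any post in the thread; the function names insert_once and ftp_lan_only are made up here. It matches on the LAN source subnet, so it does not depend on the WAN interface name, and it avoids stacking duplicate rules when the firewall restarts.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start (added example, not from the thread)
# Keeps FTP (tcp/21) reachable from the LAN subnet only.

# Insert a rule at the top of INPUT exactly once. The firewall can be
# restarted several times per boot, so remove any earlier copy first.
insert_once() {
    iptables -D INPUT "$@" 2>/dev/null || true
    iptables -I INPUT "$@"
}

ftp_lan_only() {
    lan_ip=$(nvram get lan_ipaddr)
    lan_mask=$(nvram get lan_netmask)
    # Refuse to install a bare DROP if the LAN subnet cannot be read:
    # that would cut off LAN clients (the IP cameras) as well.
    if [ -z "$lan_ip" ] || [ -z "$lan_mask" ]; then
        echo "firewall-start: LAN subnet unknown, FTP rules not installed" >&2
        return 1
    fi
    # -I prepends, so the rule inserted last is evaluated first:
    # DROP goes in first, then the LAN ACCEPT lands above it.
    insert_once -p tcp --destination-port 21 -j DROP
    insert_once -p tcp --destination-port 21 --source "$lan_ip/$lan_mask" -j ACCEPT
}

# Run only where both tools exist (i.e. on the router itself).
if command -v iptables >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1; then
    ftp_lan_only
fi
```

As noted earlier in the thread, make the script executable with chmod a+rx /jffs/scripts/* after saving it.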
 
