Welcome to NullMind's Lair, the blog of a cranky Web Hosting Geek

Iptables for Blogger

I was looking around on my HD for a Iptables string I had to allow Blogger.com users to post to our servers

here it is

-A INPUT -s 66.102.15.83 -p tcp -m tcp –dport 1024:65535 -j ACCEPT
-A INPUT -s 216.34.7.186 -p tcp -m tcp –dport 1024:65535 -j ACCEPT

Technorati Tags: , , , ,

This entry was posted on Monday, October 10th, 2005 at 6:38 pm and is filed under Computers / Internet. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

9 Responses to “Iptables for Blogger”

  1. polarizer says:
    October 11, 2005 at 8:43 am

    I do not unterstand, how this should work. As i assume your standard policy is DENY for your iptables chains. But in what way this 2 rules will affect your intention?

    the polarizer

  2. nullmind says:
    October 11, 2005 at 7:18 pm

    these 2 rules will allow outbound port range 1024 to 65535 to be open for the ip’s

    66.102.15.83
    216.34.7.186

    Wich are the blogger publishing ip’s .. this allows their FTP to login in PASV move .. PASV mode will open ports back on the range mentioned above.

  3. polarizer says:
    October 17, 2005 at 10:33 am

    Ahh! I misunderstood your term “post”. Under this new point of view i think your rules a too generous, because it is allowed to connect to every port

  4. polarizer says:
    October 17, 2005 at 10:35 am

    Ahh! I misunderstood your term “post”. Under this new point of view i think your rules a too generous, because it is allowed to connect to every port 0-1024, not only ftp pasv (tcp,21).

    Check this[1] out for detailled instructions.

    [1] http://slacksite.com/other/ftp.html#passive

    polarizers 2cent
    http://www.codixx.de/polarizer.html

  5. nullmind says:
    October 17, 2005 at 10:45 am

    it will alloww only those two ip’s to connect to any port on that range .. so unless blogger attacks you, you shoudl be ok :)

  6. polarizer says:
    October 17, 2005 at 11:30 am

    Since it is public now because of your blog, one can spoof the ip with ease :O)

  7. nullmind says:
    October 17, 2005 at 12:22 pm

    yes .. but you assumign 2 things

    1 – there are no other security measures in place

    2 – that I gave a server IP were those rules are set (no, they not set on THIS server ;) )

    becides, a smart hacker knows those ports need to be open for blogger to publish, so they can just look for any blogger site and try to spoof that IP .. thats why additional security measures need to be taken, stuff like hardened php, mod_security, latest OpenSSH etc .. all part of keeping a server secured .. one can never just rely on the firewall.

  8. Andrew Suares says:
    October 21, 2005 at 4:51 pm

    I was wondering, is it necessary to open a range of ports?

  9. nullmind says:
    October 21, 2005 at 5:01 pm

    Unfortunately, yes …

    http://help.blogger.com/default/bin/answer.py?answer=105&query=firewall&topic=0&type=f

    The proble is that their FTP publishing uses PASV (Passive) mode, but you can allways try this aproach instead if you using iptables

    http://nullmind.com/2005/04/27/iptables-w-proftpd/

Leave a Reply