Iptables for Blogger
I was looking around on my HD for a Iptables string I had to allow Blogger.com users to post to our servers
here it is
-A INPUT -s 66.102.15.83 -p tcp -m tcp –dport 1024:65535 -j ACCEPT
-A INPUT -s 216.34.7.186 -p tcp -m tcp –dport 1024:65535 -j ACCEPT
Technorati Tags: Blogger, blogs, Computers, firewall, iptables
I do not unterstand, how this should work. As i assume your standard policy is DENY for your iptables chains. But in what way this 2 rules will affect your intention?
the polarizer
these 2 rules will allow outbound port range 1024 to 65535 to be open for the ip’s
66.102.15.83
216.34.7.186
Wich are the blogger publishing ip’s .. this allows their FTP to login in PASV move .. PASV mode will open ports back on the range mentioned above.
Ahh! I misunderstood your term “post”. Under this new point of view i think your rules a too generous, because it is allowed to connect to every port
Ahh! I misunderstood your term “post”. Under this new point of view i think your rules a too generous, because it is allowed to connect to every port 0-1024, not only ftp pasv (tcp,21).
Check this[1] out for detailled instructions.
[1] http://slacksite.com/other/ftp.html#passive
polarizers 2cent
http://www.codixx.de/polarizer.html
it will alloww only those two ip’s to connect to any port on that range .. so unless blogger attacks you, you shoudl be ok 🙂
Since it is public now because of your blog, one can spoof the ip with ease :O)
yes .. but you assumign 2 things
1 – there are no other security measures in place
2 – that I gave a server IP were those rules are set (no, they not set on THIS server 😉 )
becides, a smart hacker knows those ports need to be open for blogger to publish, so they can just look for any blogger site and try to spoof that IP .. thats why additional security measures need to be taken, stuff like hardened php, mod_security, latest OpenSSH etc .. all part of keeping a server secured .. one can never just rely on the firewall.
I was wondering, is it necessary to open a range of ports?
Unfortunately, yes …
http://help.blogger.com/default/bin/answer.py?answer=105&query=firewall&topic=0&type=f
The proble is that their FTP publishing uses PASV (Passive) mode, but you can allways try this aproach instead if you using iptables
http://nullmind.com/2005/04/27/iptables-w-proftpd/