In practice, the following script can be used to stand up a locked-down internal FTP server that only accepts clients from the local subnet. Used together with Wireshark, it also helps to understand the difference between passive and active mode in vsftpd. Taking the machine 192.168.0.18 as the example, the script is as follows:
#!/bin/bash
# flush all rules, delete user-defined chains and zero the counters in the filter and nat tables
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
# enable IP forwarding (only needed if this host also routes traffic for other machines)
echo "1" > /proc/sys/net/ipv4/ip_forward
# load the connection-tracking and NAT helper modules that FTP needs
# (on current kernels they are named nf_conntrack_ftp, nf_conntrack_tftp, nf_nat_ftp and nf_nat_tftp)
modprobe ip_conntrack_ftp
modprobe ip_conntrack_tftp
modprobe ip_nat_ftp
modprobe ip_nat_tftp
# to be safer, set the default policy of INPUT and OUTPUT to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD ACCEPT
# open the loopback interface lo; it is recommended to open it, otherwise puzzling problems appear in local services
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# the rules below are the key to a safe vsftpd setup. The first pair admits the control
# connection on port 21 only from the local subnet (the --sport 21 OUTPUT rule is redundant
# once the ESTABLISHED rule further down is present). The last pair admits the server's
# replies and the already established connections. Passive FTP is more involved: a second
# TCP connection on a server-chosen port, so two three-way handshakes, six packets in all.
# Rather than opening a port range, the state match is used: the ftp conntrack helper reads
# PORT/PASV on the control channel and marks the matching data connection as RELATED.
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -d 192.168.0.0/24 -p tcp --sport 21 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
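As an added example (not the original page's script), here is the same policy written as an iptables-restore ruleset for a current kernel. It assumes the server is not a router (so FORWARD is DROP and ip_forward is left alone), uses the conntrack match in place of the older state match, and attaches the ftp helper explicitly with the CT target: since kernel 4.7 helpers are no longer assigned automatically by default, so without that rule the passive data connection would never be RELATED and would be dropped by the INPUT policy. The function names gen_ftp_rules and apply_ftp_rules and the subnet argument are this example's own; the subnet defaults to the page's 192.168.0.0/24.

```shell
#!/bin/sh
# Added example, not the page's script: generate an iptables-restore ruleset for an
# internal-only vsftpd host on a current kernel. gen_ftp_rules takes the LAN subnet
# as its only argument (hypothetical name; default is the page's 192.168.0.0/24).
gen_ftp_rules() {
    lan="${1:-192.168.0.0/24}"
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the ftp helper explicitly. Since kernel 4.7 helpers are not assigned
# automatically, and without it PORT/PASV data connections are never RELATED.
-A PREROUTING -p tcp -s ${lan} --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Drop packets conntrack cannot classify before admitting anything else.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only the control connection may be opened from outside, and only from the LAN.
-A INPUT -s ${lan} -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Replies on port 21 plus both passive (client->server) and active (server:20->client)
# data connections arrive as ESTABLISHED or RELATED and need no extra port openings.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the helper modules and apply the ruleset atomically (needs root; not run by the
# checks below). iptables-restore --test only parses the input, which is a useful dry run.
apply_ftp_rules() {
    modprobe nf_conntrack_ftp && modprobe nf_nat_ftp || return 1
    gen_ftp_rules "$1" | iptables-restore --test || return 1
    gen_ftp_rules "$1" | iptables-restore
}
```

One caveat that applies to both this ruleset and the page's script: if vsftpd is configured for FTPS (ssl_enable=YES), the control channel is encrypted, the helper cannot read the PASV reply, and the data connection is not RELATED. In that case the pasv_min_port to pasv_max_port range from vsftpd.conf has to be opened explicitly with a --dport range rule restricted to the LAN subnet; the RELATED trick only works for plaintext FTP.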