From: "Christian Gmeiner" <christian@visual-page.de>
To: Daniel Chemko <dchemko@smgtec.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Problem with passiv FTP
Date: Wed, 25 Feb 2004 22:56:12 +0100	[thread overview]
Message-ID: <002701c3fbea$307db690$0600a8c0@blackbox> (raw)
In-Reply-To: 7C9884991ADAE0479C14F10C858BCDF567918C@alderaan.smgtec.com


----- Original Message ----- 
From: "Daniel Chemko" <dchemko@smgtec.com>
To: "Christian Gmeiner" <christian@visual-page.de>;
<netfilter@lists.netfilter.org>
Sent: Wednesday, February 25, 2004 10:31 PM
Subject: RE: Problem with passiv FTP


>
> Run these shell commands at boot, or any time before you want FTP to
> work properly
> modprobe ip_conntrack_ftp
> modprobe ip_nat_ftp
>
> For an FTP server on the firewall itself, use
> # Allow anyone to inbound to the FTP server
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> # ALWAYS HAVE THIS RULE & FIRST IN LIST
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> For machines behind your firewall connecting to the internet, use
> # You should tighten up this rule a bit specifying -i <internal_interface_address> as well as the following
> iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
> # ALWAYS HAVE THIS RULE & FIRST IN LIST
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> For internet clients connecting to an internal server, use
> # This forwards the FTP request to the right internal FTP server
> iptables -t nat -A PREROUTING --destination <external_ftp_address> -p tcp --dport 21 -j DNAT --to <internal_ftp_server>
> # Allow traffic to DNAT'd IP address
> iptables -A FORWARD --destination <internal_ftp_server> -p tcp --dport 21 -j ACCEPT
> # ALWAYS HAVE THIS RULE & FIRST IN LIST
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> That is all!

I have changed my ftp rules now to:
    # Port 21
    iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    #iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

    # active - works
    iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

    # passive
    iptables -A INPUT -p tcp --sport ${UNPRIVPORTS} --dport ${UNPRIVPORTS} -m state --state ESTABLISHED -j ACCEPT
    #iptables -A OUTPUT -p tcp --sport ${UNPRIVPORTS} --dport ${UNPRIVPORTS} -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

And active and passive ftp works :)


This rule allows all connections on every protocol and port, if the connection was made before or it is related to another allowed port. Is this correct?
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks, Christian Gmeiner
>
> PS: Never fck around with OUTPUT unless you're a pro.
> FORWARD goes through the firewall INPUT/OUTPUT are just for local
> firewall PC connections.
>
>
> Christian Gmeiner wrote:
> > Hi people.
> >
> > I got active FTP working, but I also need the passive one.
> >
> > Here is my stuff:
> >
> >     # Port 21
> >     iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> >     iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
> >
> >     # active - works
> >     iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >     iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
> >
> >     # passive
> >     iptables -A INPUT -p tcp --sport ${UNPRIVPORTS} --dport ${UNPRIVPORTS} -m state --state ESTABLISHED -j ACCEPT
> >     iptables -A OUTPUT -p tcp --sport ${UNPRIVPORTS} --dport ${UNPRIVPORTS} -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > I have everything set to drop and I am allowing these protocols and
> > ports:
> >
> > # TCP in+out
> > #
> > #
> > TCP_IN_OUT="ssh"
> >
> > # TCP out
> > #
> > # 5190 = ICQ
> > #
> > TCP_OUT="5190 http https 25 ftp ftp-data pop3 smtp"
> >
> > # TCP in
> > #
> > TCP_IN=""
> >
> > # UDP in+out
> > #
> > UDP_IN_OUT="domain ssh"
> >
> > # UDP out
> > #
> > #
> > UDP_OUT="https"
> >
> > # UDP in
> > #
> > UDP_IN=""
> >
> > UNPRIVPORTS="1024:65535"
> >
> > So... I must now allow the UNPRIVPORTS, but how do I do this?
> >
> > Thanks, Christian Gmeiner
>
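Added example, not code from either poster and a simplified model rather than the kernel's ip_conntrack_ftp: a small Python sketch of what Daniel's ESTABLISHED,RELATED rule matches, which is the answer to Christian's question above. The helper reads the server's "227 Entering Passive Mode" reply off the already-accepted control connection and registers an expectation, so only the announced data port is seen as RELATED while any other high-port SYN stays NEW and falls through to the DROP policy; the addresses and ports are constructed.

```python
import re
from dataclasses import dataclass, field
# PASV reply the ftp helper watches for: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass
class ConntrackModel:
    established: set = field(default_factory=set)   # (src, sport, dst, dport)
    expectations: set = field(default_factory=set)  # (client, server, data_port)

    def open_connection(self, src, sport, dst, dport):
        # A connection that already passed a NEW-accepting rule (e.g. --dport 21)
        self.established.add((src, sport, dst, dport))

    def ftp_helper(self, client, server, payload):
        """What ip_conntrack_ftp does with a 227 reply: register an expectation."""
        m = PASV_RE.search(payload)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        if f"{h1}.{h2}.{h3}.{h4}" != server:  # only trust the server's own address
            return None
        data_port = p1 * 256 + p2
        self.expectations.add((client, server, data_port))
        return data_port

    def classify(self, src, sport, dst, dport):
        """State that '-m state' would see for a packet with this 4-tuple."""
        if (src, sport, dst, dport) in self.established or \
           (dst, dport, src, sport) in self.established:
            return "ESTABLISHED"
        if (src, dst, dport) in self.expectations:  # first SYN of the data channel
            self.expectations.discard((src, dst, dport))
            self.established.add((src, sport, dst, dport))
            return "RELATED"
        return "NEW"  # no rule accepts it, so it hits the DROP policy

def passive_ftp_demo():
    """Walk one passive session; constructed addresses, not from the thread."""
    ct = ConntrackModel()
    client, server = "192.168.0.6", "203.0.113.10"
    ct.open_connection(client, 40123, server, 21)  # control channel, port 21
    port = ct.ftp_helper(client, server, b"227 Entering Passive Mode (203,0,113,10,195,80)\r\n")
    return {
        "data_port": port,                                        # 195*256+80 = 50000
        "control_reply": ct.classify(server, 21, client, 40123),  # ESTABLISHED
        "data_syn": ct.classify(client, 40124, server, port),     # RELATED
        "stray_syn": ct.classify(client, 40125, server, 50001),   # NEW -> dropped
    }
```

This is why the helper-based rule can stay narrow: with the helper loaded, the blanket `--sport 1024:65535 --dport 1024:65535` rule is not needed for passive FTP.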
