ftp connection tracking on multiple ports

ftp connection tracking on multiple ports

[Mohamed Eldesoky]

Dear all,

I have a server that runs FTP on two ports, port 21 and port 45 (for
strange reasons)
Now, i want conntrack to track the connections of both ports and their
data ports !!

I did that in my firewall script
/sbin/modprobe ip_conntrack_ftp ports=21,45
$IPTABLES -A linweb_chain -p tcp -m multiport --destination-port
80,21,45 -j ACCEPT

Is that all I need ??

-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

Re: ftp connection tracking on multiple ports

[George Alexandru Dragoi]

Make sure you accept the packets in the RELATED and ESTABLISHED state.


On Thu, 28 Oct 2004 12:18:24 +0200, Mohamed Eldesoky
<eldesoky.lists@gmail.com> wrote:
> Dear all,
> 
> I have a server that runs FTP on two ports, port 21 and port 45 (for
> strange reasons)
> Now, i want conntrack to track the connections of both ports and their
> data ports !!
> 
> I did that in my firewall script
> /sbin/modprobe ip_conntrack_ftp ports=21,45
> $IPTABLES -A linweb_chain -p tcp -m multiport --destination-port
> 80,21,45 -j ACCEPT
> 
> Is that all I need ??
> 
> --
> Mohamed Eldesoky
> www.eldesoky.net
> RHCE
> 
> 


-- 
Bla bla

Re: ftp connection tracking on multiple ports

[Mohamed Eldesoky]

I do
But it doesn't work when doing ftp host 45 then do ls
it hangs there !!


On Thu, 28 Oct 2004 13:21:45 +0300, George Alexandru Dragoi
<waruiinu@gmail.com> wrote:
> Make sure you accept the packets in the RELATED and ESTABLISHED state.
> 
> On Thu, 28 Oct 2004 12:18:24 +0200, Mohamed Eldesoky
> 
> 
> <eldesoky.lists@gmail.com> wrote:
> > Dear all,
> >
> > I have a server that runs FTP on two ports, port 21 and port 45 (for
> > strange reasons)
> > Now, i want conntrack to track the connections of both ports and their
> > data ports !!
> >
> > I did that in my firewall script
> > /sbin/modprobe ip_conntrack_ftp ports=21,45
> > $IPTABLES -A linweb_chain -p tcp -m multiport --destination-port
> > 80,21,45 -j ACCEPT
> >
> > Is that all I need ??
> >
> > --
> > Mohamed Eldesoky
> > www.eldesoky.net
> > RHCE
> >
> >
> 
> 
> --
> Bla bla
> 
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

Re: ftp connection tracking on multiple ports

[Jason Opperisano]

On Thu, 2004-10-28 at 06:18, Mohamed Eldesoky wrote:
> Dear all,
> 
> I have a server that runs FTP on two ports, port 21 and port 45 (for
> strange reasons)
> Now, i want conntrack to track the connections of both ports and their
> data ports !!
> 
> I did that in my firewall script
> /sbin/modprobe ip_conntrack_ftp ports=21,45
> $IPTABLES -A linweb_chain -p tcp -m multiport --destination-port
> 80,21,45 -j ACCEPT
> 
> Is that all I need ??

iptables -A linweb_chain -m helper --helper ftp -j ACCEPT

-j

-- 
Jason Opperisano <opie@817west.com>

Re: ftp connection tracking on multiple ports

[Mohamed Eldesoky]

Well, I did that before posting to the list.
Now I doubt it is a networking problem !!! there are reasons to doubt.


On Thu, 28 Oct 2004 08:41:29 -0400, Jason Opperisano <opie@817west.com> wrote:
> On Thu, 2004-10-28 at 06:18, Mohamed Eldesoky wrote:
> 
> 
> > Dear all,
> >
> > I have a server that runs FTP on two ports, port 21 and port 45 (for
> > strange reasons)
> > Now, i want conntrack to track the connections of both ports and their
> > data ports !!
> >
> > I did that in my firewall script
> > /sbin/modprobe ip_conntrack_ftp ports=21,45
> > $IPTABLES -A linweb_chain -p tcp -m multiport --destination-port
> > 80,21,45 -j ACCEPT
> >
> > Is that all I need ??
> 
> iptables -A linweb_chain -m helper --helper ftp -j ACCEPT
> 
> -j
> 
> --
> Jason Opperisano <opie@817west.com>
> 
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

RE: ftp connection tracking on multiple ports

[Sneppe Filip]

Mohamed Eldesoky wrote:
 
>I do
>But it doesn't work when doing ftp host 45 then do ls
>it hangs there !!

Hi,

Don't forget you also need to add the ports for the nat helper:

modprobe ip_nat_ftp ports=21,45

(If ip_nat_ftp is already loaded, you need to rmmod the module first 
and then load it again - same thing with ip_conntrack_ftp if you change 
a kernel module parameter)

Regards,
Filip

Re: ftp connection tracking on multiple ports

[Mohamed Eldesoky]

I don't use natting, do I still need that helper ???


On Thu, 28 Oct 2004 12:40:37 +0200, Sneppe Filip <filip.sneppe@uptime.be> wrote:
> Mohamed Eldesoky wrote:
> 
> >I do
> >But it doesn't work when doing ftp host 45 then do ls
> >it hangs there !!
> 
> Hi,
> 
> Don't forget you also need to add the ports for the nat helper:
> 
> modprobe ip_nat_ftp ports=21,45
> 
> (If ip_nat_ftp is already loaded, you need to rmmod the module first
> and then load it again - same thing with ip_conntrack_ftp if you change
> a kernel module parameter)
> 
> Regards,
> Filip
> 
> 


-- 
Mohamed Eldesoky
www.eldesoky.net
RHCE

Re: ftp connection tracking on multiple ports

[Jose Maria Lopez]

El jue, 28 de 10 de 2004 a las 13:10, Mohamed Eldesoky escribió:
> I don't use natting, do I still need that helper ???

You just need the ip_conntrack_ftp.o helper.

-- 
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"