From: Jonas Meurer <jonas@freesources.org>
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: Netfilter-Users <netfilter@lists.netfilter.org>
Subject: Re: how to set ports for ip_conntrack_ftp
Date: Fri, 1 Sep 2006 03:20:55 +0200
Message-ID: <20060901012054.GB23094@freesources.org>
In-Reply-To: <44F711D4.5090002@plouf.fr.eu.org>
On 31/08/2006 Pascal Hambourg wrote:
> >in other words, this module is unusable for ftpservers on non-standard
> >ports, if it's compiled into the kernel?
>
> Well, I guess you can edit the default port list in the kernel source
> before compiling.
no, i didn't find any way to do this.
> >how can i open the ports for those ftp-servers without using
> >ip_conntrack_ftp?
>
> There is a workaround, which requires that the FTP server software be
> "cooperative". For instance, it must be able to set a range of local
> ports to use for data transfer connections in passive mode.
i don't know whether the zope ftp-servers support this.
> >iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
> > -m multiport -p tcp --dports 9621,9721 \
> > -d **.**.***.**/31 -j ACCEPT
> >
> >iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
> > -m multiport -p tcp --sports 9621,9721 \
> > -d **.**.***.**/31 -j ACCEPT
> >
> >iptables -A OUTPUT -o eth0 -m state --state NEW \
> > -m multiport -p tcp --sports 9620,9720 \
> > -d **.**.***.**/31 -j ACCEPT
>
> What do the "-d **.**.***.**/31" address ranges represent ?
it is 62.75.128.98/31, which should be 62.75.128.98 and 62.75.128.99.
> >but obviously this doesn't work. i still cannot connect to the
> >ftpservers on port 9621 and 9721. what am i missing?
>
> The first two rules may allow to establish an incoming control
> connection, although the RELATED state is not needed. But the third rule
> is not sufficient to allow the server to establish an outgoing data
> connection in active mode. You need to add the ESTABLISHED state to
> allow outgoing packets once the connection is established. You also need
> to create another rule in the INPUT chain as its counterpart for the
> return traffic, in the ESTABLISHED state.
how would this look?
let's say, ftp-servers are on port 9621 and 9721. then i need to open
9620 and 9720 as well for ftp, correct?
so what am i missing here:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-m multiport -p tcp --sports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED \
-m multiport -p tcp --sports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
after using exactly these commands, i'm still not able to connect to the
ftp-servers.
if i try to login with lftp, it says [Connecting...], then
[FEAT negotation...] and then it hangs forever at
[Making data connection...].
ftp login from localhost works perfectly well, so the ftp-server is not
the problem here.
...
jonas
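Added example (not part of the thread, not Jonas's or Pascal's rules): a script that generates the stateful rule set Pascal describes for FTP servers on non-standard ports without ip_conntrack_ftp, plus the passive-range workaround he mentions. It assumes the server addresses 62.75.128.98/31, interface eth0, control ports 9621 and 9721 (active data port = control port - 1), and a hypothetical passive port range of 50000:50100 that the server would have to be configured to use. Note that OUTPUT rules match the server's own address with -s, since the server is the source of packets it sends; the data-connection return traffic in INPUT is limited to ESTABLISHED so the port ctl-1 never accepts a new inbound connection.

```shell
#!/bin/sh
# Generate (or apply) iptables rules for FTP without the conntrack helper.
# Constructed example; IPT defaults to echo (dry run). Run with
# IPT=iptables to actually apply the rules.
IPT="${IPT:-echo}"

# ftp_rules IFACE ADDR CTLPORT...  (active mode: server connects out from ctl-1)
ftp_rules() {
    iface=$1; addr=$2; shift 2
    for ctl in "$@"; do
        data=$((ctl - 1))
        # control connection: clients may open it; server only answers on it
        $IPT -A INPUT -i "$iface" -p tcp --dport "$ctl" -d "$addr" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A OUTPUT -o "$iface" -p tcp --sport "$ctl" -s "$addr" \
            -m state --state ESTABLISHED -j ACCEPT
        # active-mode data connection: the server initiates it, so NEW is
        # allowed outbound from port ctl-1 ...
        $IPT -A OUTPUT -o "$iface" -p tcp --sport "$data" -s "$addr" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        # ... and only the return traffic of that connection is accepted inbound
        $IPT -A INPUT -i "$iface" -p tcp --dport "$data" -d "$addr" \
            -m state --state ESTABLISHED -j ACCEPT
    done
}

# pasv_rules IFACE ADDR LOW HIGH  (passive mode: client connects to a range
# the server has been configured to use; assumed range, server must support it)
pasv_rules() {
    iface=$1; addr=$2; low=$3; high=$4
    $IPT -A INPUT -i "$iface" -p tcp --dport "$low:$high" -d "$addr" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -p tcp --sport "$low:$high" -s "$addr" \
        -m state --state ESTABLISHED -j ACCEPT
}

ftp_rules eth0 62.75.128.98/31 9621 9721
pasv_rules eth0 62.75.128.98/31 50000 50100
```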