* [LARTC] ip_conntrack_ftp
@ 2004-05-10 19:45 raptor
From: raptor @ 2004-05-10 19:45 UTC (permalink / raw)
  To: lartc

As read here :
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

modprobe ip_conntrack_ftp
would give me the ability to use active ftp if I have (pseudo/simplified code)

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP

but I can't use active FTP, WHAT IS WRONG..  eth0 is the internal interface..

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] ip_conntrack_ftp
From: Andy Furniss @ 2004-05-10 20:37 UTC (permalink / raw)
  To: lartc

raptor wrote:
> As read here :
> http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
> 
> modprobe ip_conntrack_ftp
> would give me the ability to use active ftp if I have (pseudo/simplified code)
> 
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -j DROP
> 
> but I can't use active FTP, WHAT IS WRONG..  eth0 is the internal interface..
> 

If you are NATing use ip_nat_ftp as well.

Not sure that that firewall rule is OK - but then I don't know what else 
you have.

My firewall is a direct copy and paste from one of Rusty's guides - ppp0 
is my external interface -

## Create chain which blocks new connections, except if coming from inside.

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

Andy.


* Re: [LARTC] ip_conntrack_ftp
From: raptor @ 2004-05-11  7:09 UTC (permalink / raw)
  To: lartc

yep my config is very similar i.e. :

iptables -N block
iptables -A block -i $ifInt0 -j ACCEPT
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -j DROP


iptables -A INPUT -i $ifWan0 -j services
iptables -A FORWARD -i $ifWan0 -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block

I also added this (do I really need it in my config? I'm allowing everything from inside anyway):
> iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT

after ESTABLISHED,RELATED but still can do active FTP

"services" is for giving access to well-known services...
I'm not using NAT



On Mon, 10 May 2004 21:37:27 +0100
Andy Furniss <andy.furniss@dsl.pipex.com> wrote:

> raptor wrote:
> > As read here :
> > http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
> > 
> > modprobe ip_conntrack_ftp
> > would give me the ability to use active ftp if I have (pseudo/simplified code)
> > 
> > iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -j DROP
> > 
> > but I can't use active FTP, WHAT IS WRONG..  eth0 is the internal interface..
> > 
> 
> If you are NATing use ip_nat_ftp as well.
> 
> Not sure that that firewall rule is OK - but then I don't know what else 
> you have.
> 
> My firewall is a direct copy and paste from one of Rusty's guides - ppp0 
> is my external interface -
> 
> ## Create chain which blocks new connections, except if coming from inside.
> 
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A block -j DROP
> 
> ## Jump to that chain from INPUT and FORWARD chains.
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
> 
> Andy.
> 
> 
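To make concrete what Andy's RELATED advice depends on, here is an added Python model (not code from the thread or from netfilter) of the expectation ip_conntrack_ftp registers when it sees a PORT command, with raptor's block chain reduced to a function; addresses, ports and interface names are constructed, and the strict address check stands in for the helper's default behaviour.

```python
import re
from collections import namedtuple

# Client sends "PORT h1,h2,h3,h4,p1,p2" on the control channel; data port = p1*256+p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port")

class FtpHelper:
    """Toy ip_conntrack_ftp: watch control channels, expect the server's data SYN."""
    def __init__(self, ctrl_ports=(21,)):
        self.ctrl_ports = set(ctrl_ports)   # stands in for the module's ports= parameter
        self.expected = set()               # (data dst ip, data dst port, data src ip)

    def on_control_data(self, flow, payload):
        if flow.dst_port not in self.ctrl_ports:
            return False                    # non-standard control port: helper never looks
        m = PORT_RE.match(payload)
        if not m:
            return False
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        ip, port = f"{a}.{b}.{c}.{d}", hi * 256 + lo
        if ip != flow.src_ip:               # PORT must name the client itself (no third host)
            return False
        self.expected.add((ip, port, flow.dst_ip))
        return True

    def classify_syn(self, flow):           # conntrack state for a fresh SYN
        key = (flow.dst_ip, flow.dst_port, flow.src_ip)
        if key in self.expected:
            self.expected.remove(key)       # an expectation is consumed once
            return "RELATED"
        return "NEW"

def block_chain(in_iface, state, int_iface="eth0"):
    """raptor's block chain: accept from inside, accept ESTABLISHED/RELATED, else DROP."""
    if in_iface == int_iface or state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"

def active_ftp_verdict(helper_loaded, wan_iface="ppp0"):
    """Verdict on the server's active-mode data SYN as it arrives on the WAN side."""
    client, server = "192.0.2.10", "198.51.100.7"   # constructed sample addresses
    helper = FtpHelper()
    if helper_loaded:                       # only then is the PORT command parsed
        helper.on_control_data(Flow(client, 40001, server, 21), "PORT 192,0,2,10,156,66\r\n")
    state = helper.classify_syn(Flow(server, 20, client, 40002))  # 156*256+66 = 40002
    return state, block_chain(wan_iface, state)
```

Without the helper the data SYN from server port 20 is NEW on the WAN interface and falls through to DROP; with it the SYN is RELATED and the ESTABLISHED,RELATED rule accepts it. A server on a non-standard control port is invisible to the helper unless listed, and under NAT the address inside PORT must also be rewritten, which is why Andy's ip_nat_ftp advice matters.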

* Re: [LARTC] ip_conntrack_ftp
From: Andy Furniss @ 2004-05-12  7:53 UTC (permalink / raw)
  To: lartc

raptor wrote:
> yep my config is very similar i.e. :
> 
> iptables -N block
> iptables -A block -i $ifInt0 -j ACCEPT
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -j DROP
> 
> 
> iptables -A INPUT -i $ifWan0 -j services
> iptables -A FORWARD -i $ifWan0 -j services
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
> 
> I also added this (do I really need it in my config? I'm allowing everything from inside anyway):
> 
>>iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT
> 
> 
> after ESTABLISHED,RELATED but still can do active FTP
> 
> "services" is for giving access to well-known services...
> I'm not using NAT

I am not sure what's wrong.

Are you running an FTP server or just trying to access one on the 
internet from behind the firewall ?

Andy.

<snip>


* Re: [LARTC] ip_conntrack_ftp
From: raptor @ 2004-05-12 12:29 UTC (permalink / raw)
  To: lartc

trying to access ftp servers from inside...

> raptor wrote:
> > yep my config is very similar i.e. :
> > 
> > iptables -N block
> > iptables -A block -i $ifInt0 -j ACCEPT
> > iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A block -j DROP
> > 
> > 
> > iptables -A INPUT -i $ifWan0 -j services
> > iptables -A FORWARD -i $ifWan0 -j services
> > iptables -A INPUT -j block
> > iptables -A FORWARD -j block
> > 
> > I also added this (do I really need it in my config? I'm allowing everything from inside anyway):
> > 
> >>iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT
> > 
> > 
> > after ESTABLISHED,RELATED but still can do active FTP
> > 
> > "services" is for giving access to well-known services...
> > I'm not using NAT
> 
> I am not sure what's wrong.
> 
> Are you running an FTP server or just trying to access one on the 
> internet from behind the firewall ?
> 

* Re: [LARTC] ip_conntrack_ftp
From: Andy Furniss @ 2004-05-13 10:16 UTC (permalink / raw)
  To: lartc

raptor wrote:
> trying to access ftp servers from inside...

Well I am not sure - I would be double checking all scripts for 
typos/brainos. You haven't posted everything you use - and even if you 
did I am no netfilter/firewalling expert. The netfilter list is probably 
a better place for this sort of issue.

Andy.

