From: Martijn Lievaart <m@rtij.nl>
To: spaminator@web.de
Cc: netfilter@lists.netfilter.org
Subject: Re: Debian 2.6.8/bridge/iptables/passive ftp
Date: Wed, 04 Apr 2007 19:37:04 +0200
Message-ID: <4613E240.3000608@rtij.nl>
In-Reply-To: <361462969@web.de>

spaminator@web.de wrote:
> Rebooting the bridge box left me again with an unloaded ip_conntrack_ftp. So I made an entry in /etc/modules which caters for the module to be loaded on (re)boot. Strange thing that, because other modules related to iptables are being loaded automatically, although they are not compiled into the kernel either. Are there other "surprise"-modules that have to be loaded via /etc/modules?
>

All the ip_conntrack_* modules, so all the connection helpers. You could 
load them all, but I only load what I need.

These modules are what account for (most of the) -m state --state 
RELATED matches. Related in this case are all the data connections for 
ftp, so you don't need any rule for those data connections.

IOW to make ftp work you need:

- To load ip_conntrack_ftp
- Have a rule that allows ESTABLISHED,RELATED
- Have a rule that allows the initial SYN to port 21.


HTH,
M4
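
The three prerequisites listed in the message above, turned into an offline check (an added example, not part of the original e-mail). It reads saved `lsmod` and `iptables-save` output; the function name `check_ftp_prereqs`, the FORWARD chain default and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify the three FTP prerequisites from the message.
# $1 = saved `lsmod` (or /proc/modules) output, $2 = saved `iptables-save`
# output, $3 = chain (default FORWARD: assumption, a forwarding/bridging box).
# Rule order, earlier DROP rules and user-defined chains are not evaluated.
check_ftp_prereqs() {
    modules_file=$1; rules_file=$2; chain=${3:-FORWARD}
    missing=""
    # 1. FTP connection helper loaded (named nf_conntrack_ftp on newer kernels)
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]' "$modules_file" ||
        missing="helper-module"
    # 2 and 3. scan ACCEPT rules of the chain for the state match and port 21
    rules=$(awk -v chain="$chain" '
        $1 == "-A" && $2 == chain && / -j ACCEPT/ {
            tcp = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p" && $(i+1) == "tcp") tcp = 1
                if ($i == "--state" && $(i+1) ~ /ESTABLISHED/ &&
                    $(i+1) ~ /RELATED/) rel = 1
                if ($i == "--dport" && $(i+1) == "21" && tcp) ctl = 1
            }
        }
        END { if (!rel) printf " established-related-rule"
              if (!ctl) printf " port21-rule" }' "$rules_file")
    missing="$missing$rules"
    missing=${missing# }
    if [ -z "$missing" ]; then echo "ok"; return 0; fi
    echo "missing: $missing"; return 1
}

# Constructed sample inputs (not taken from the thread).
tmp=$(mktemp -d)
cat > "$tmp/mod.before" <<'EOF'
ip_conntrack           45000  1 ipt_state
bridge                 52000  0
EOF
cat > "$tmp/mod.after" <<'EOF'
ip_conntrack_ftp       72000  0
ip_conntrack           45000  2 ip_conntrack_ftp,ipt_state
EOF
cat > "$tmp/rules" <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
check_ftp_prereqs "$tmp/mod.before" "$tmp/rules" || true  # after reboot, no helper
check_ftp_prereqs "$tmp/mod.after" "$tmp/rules"           # with /etc/modules entry
```

On a live box the two inputs can be produced with `lsmod > file` and `iptables-save > file`, run as root.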


