From: Mart Frauenlob <mart.frauenlob@chello.at>
Cc: Jeff Jensen <jjensen@unyalli.com>, netfilter@vger.kernel.org
Subject: Re: Help with ftp helper please
Date: Sun, 25 Apr 2010 08:49:23 +0200	[thread overview]
Message-ID: <4BD3E5F3.4070907@chello.at> (raw)
In-Reply-To: <r2ob376a78e1004240948ucaa6e2d5o5f65d4216f7ac936@mail.gmail.com>

On 24.04.2010 18:48, Jeff Jensen wrote:
> Hello netfilter people,
> 
>    I have an email conversation from Jan 9, 2010 between
> mart.frauenlob@chello.at and margoandtodd@gmail.com with the subject
> "passive mode ftp high ports driving me nuts". I have studied this
> intensely and found out about this "helper" thing.
> 
> On a test ubuntu 9.04 box I have these rules and nothing else plus I
> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
> 
> # Local host
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # DNS
> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED
> --dport 53 -j ACCEPT
> iptables -A INPUT  -i eth0 -p udp -m state --state ESTABLISHED --sport
> 53 -j ACCEPT
> # FTP Helper Chain
> iptables -N FTPChn
> iptables -A FTPChn -j LOG --log-prefix "FTP "
> iptables -A FTPChn -j ACCEPT
> # FTP
> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
> iptables -A INPUT  -i eth0 -m helper --helper ftp -j FTPChn
> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
> # Log All Else
> iptables -A INPUT   -j LOG --log-prefix "Filter Input   "
> iptables -A OUTPUT  -j LOG --log-prefix "Filter Output  "
> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
> # And Reject
> iptables -A INPUT   -j REJECT --reject-with icmp-host-prohibited
> iptables -A OUTPUT  -j REJECT --reject-with icmp-host-prohibited
> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> 
> when I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading)
> 
> FTP            IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
> Filter Input   IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
> Filter Output  IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
> 
> Any idea what I'm missing?
> 
> Thank you
> 
> Jeff
You don't allow incoming traffic back from sport 21.
BTW: is nf_nat_ftp also loaded?
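Mart's diagnosis can be checked mechanically against the log lines Jeff posted. The following Python is an added example written for this page, not code from either poster: it re-joins the three mail-wrapped log lines as constructed sample input, assumes the "Filter Input/Output/Forward" prefixes are the ones logged immediately before the REJECT rules (as in the ruleset above), and the fix rules it returns are the editor's suggestion rather than anything stated in the thread.

```python
import re

# Constructed sample input: the three log lines quoted in the thread, each
# re-joined onto a single line (the mail client wrapped them).
SAMPLE_LOG = """\
FTP            IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15 PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
Filter Input   IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20 PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
Filter Output  IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15 PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
"""

# Assumption: these are the --log-prefix values of the "Log All Else" rules,
# i.e. anything logged with them is rejected by the rule that follows.
REJECT_PREFIXES = {"Filter Input", "Filter Output", "Filter Forward"}
FTP_CONTROL_PORT = 21
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one netfilter LOG line into (prefix, key=value fields, TCP flag set)."""
    idx = line.find(" IN=")
    if idx < 0:
        return None
    prefix = line[:idx].strip()
    rest = line[idx:]
    fields = dict(FIELD_RE.findall(rest))
    # Flag names are bare tokens; "URGP=0" has an '=' and is excluded.
    flags = {tok for tok in rest.split() if "=" not in tok and tok in TCP_FLAGS}
    return prefix, fields, flags


def diagnose(log_text):
    """Return findings for FTP control-connection packets that were logged by a
    reject prefix instead of being accepted by the FTP chain."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        prefix, f, flags = parsed
        if f.get("PROTO") != "TCP" or prefix not in REJECT_PREFIXES:
            continue
        spt, dpt = int(f["SPT"]), int(f["DPT"])
        flag_str = "/".join(sorted(flags))
        if spt == FTP_CONTROL_PORT and f.get("IN"):
            # The server's reply on the control connection arrived and was
            # rejected: no INPUT rule accepts ESTABLISHED/RELATED traffic.
            findings.append(
                f"inbound {flag_str} from {f['SRC']}:{spt} to {f['DST']}:{dpt} "
                f"hit '{prefix}': control-connection return traffic is not "
                "accepted on INPUT"
            )
        elif dpt == FTP_CONTROL_PORT and f.get("OUT"):
            # A later packet of the same connection no longer matches
            # "--state NEW --dport 21" and falls through to the reject rule.
            findings.append(
                f"outbound {flag_str} from {f['SRC']}:{spt} to {f['DST']}:{dpt} "
                f"hit '{prefix}': a non-NEW control-connection packet fell "
                "through to the reject rule on OUTPUT"
            )
    return findings


def suggested_rules(iface="eth0"):
    """Editor's suggested fix (not from the thread): accept ESTABLISHED and
    RELATED traffic on both chains. ESTABLISHED admits the rejected SYN/ACK
    and the rest of the control connection; RELATED admits the data
    connection that the ftp helper sets up an expectation for. In a script
    these must come before the final "Log All Else" / REJECT rules."""
    return [
        f"iptables -A INPUT  -i {iface} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A OUTPUT -o {iface} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print("finding:", finding)
    for rule in suggested_rules():
        print("suggested:", rule)
```

Run against the sample, the script reports the SYN/ACK from 146.137.96.15:21 being logged by "Filter Input" (the packet Mart is pointing at) and the retransmitted SYN being logged by "Filter Output" rather than "FTP". The second finding is consistent with the connection no longer being NEW once conntrack has seen the reply, which is why a single ESTABLISHED,RELATED accept on each chain is the usual remedy rather than a rule keyed on port 21 alone.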

Thread overview: 8+ messages
2010-04-24 16:48 Help with ftp helper please Jeff Jensen
2010-04-25  6:49 ` Mart Frauenlob [this message]
2010-04-25  9:09   ` Jan Engelhardt
2010-04-25 10:04     ` Mart Frauenlob
2010-05-18 13:27       ` Markus Feldmann
2010-04-25 12:00     ` Jeff Jensen
2010-04-25 12:31       ` Jan Engelhardt
2010-04-25 11:50   ` Jeff Jensen