From: varun_saa@vsnl.net
To: "Jörg Harmuth" <harmuth@mnemon.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: ftp issue cont.
Date: Tue, 16 Aug 2005 09:13:38 +0500
Message-ID: <6c016e56bfd4d0.6bfd4d06c016e5@vsnl.net>
Thanks Jorg,
I get the following for lsmod :
[root@squidserver ~]# lsmod | grep conntrack
ip_conntrack 41497 3 ipt_state,ipt_MASQUERADE,iptable_nat
So how do I add :
ip_conntrack_ftp
ipt_conntrack
And yes it is :
-A FORWARD -j DROP
Thanks again
Varun
----- Original Message -----
From: Jörg Harmuth <harmuth@mnemon.de>
Date: Monday, August 15, 2005 4:29 pm
Subject: Re: ftp issue cont.
> varun_saa@vsnl.net wrote:
> > Thanks Jorg,
> > How to find out if ftp-module is loaded or
> > not.
>
> e.g.
>
> lsmod | grep conntrack
>
> gives on my box:
>
> ip_conntrack_ftp 3680 0 (unused)
> ipt_conntrack 1120 0 (autoclean)
> ip_conntrack 26484 1 (autoclean) [ip_conntrack_ftp ...
>
> > Thanks
> >
> > Varun
> >
> > ----- Original Message -----
> > From: Jörg Harmuth <harmuth@mnemon.de>
> > Date: Monday, August 15, 2005 2:43 pm
> > Subject: Re: ftp issue cont.
> >
> >> Derick Anderson wrote:
> >>
> >>> FTP passive mode creates an entirely new connection for data
> >>> transfer. It is not 'related' to the original connection and so
> >>> iptables doesn't pick it up as such (nor do any other stateful
> >>> firewalls that I'm aware of).
> >>
> >> No, not really. Iptables regards FTP data traffic as related stuff.
> >> To be more exact, the respective helper module does so
> >> (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
> >> module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
> >> This looks something like this (assumed that policies are DROP and
> >> OUTPUT is ACCEPT and also assumed that the box is directly connected to
> >> the internet and that the FTP server is on the firewall box):
> >>
> >> modprobe ip_conntrack_ftp.[k]o
> >>
> >> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >> iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
> >>
> >> This will work for active and passive FTP. If the ftp-module isn't on
> >> the system in question, varun_saa has to configure the kernel
> >> correctly and recompile as needed.
> >>
> >> BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
> >> and in FORWARD no rule concerning FTP. So, what is this guy doing? If
> >> the FTP server is on the firewall box, there is no iptables problem at
> >> all (on this box). If not, there are no rules that permit FTP and thus
> >> it cannot work. The whole thing looks quite mysterious to me, including
> >> the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
> >> would clarify the situation :)
> >>
> >> Have a nice time,
> >>
> >> Joerg
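The exchange above comes down to two checks on the firewall box: is the FTP conntrack helper loaded, and does the chain the FTP traffic passes through accept RELATED,ESTABLISHED before it hits a catch-all DROP (Varun's ruleset ends FORWARD with "-A FORWARD -j DROP"). The script below is an added example, not code from the thread or from the netfilter project: it runs those two checks over saved lsmod and iptables-save output, so it can be run offline against text copied from the box. The sample lsmod and iptables-save inputs are constructed to resemble the ones quoted in the thread; nf_conntrack_ftp and the "-m conntrack --ctstate" syntax are the names used on newer kernels, mentioned here as an assumption about the reader's system rather than anything the thread discusses.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether the FTP conntrack helper
# is loaded and whether a chain lets RELATED,ESTABLISHED traffic through before
# its catch-all DROP. Works on lsmod / iptables-save text on stdin.

# Constructed lsmod output resembling Varun's box: ip_conntrack is loaded, no FTP helper.
LSMOD_NO_HELPER='Module                  Size  Used by
ip_conntrack            41497  3 ipt_state,ipt_MASQUERADE,iptable_nat
ipt_state                1696  1'

# Constructed lsmod output resembling Joerg's box: the helper is present.
LSMOD_HELPER='ip_conntrack_ftp         3680  0 (unused)
ipt_conntrack            1120  0 (autoclean)
ip_conntrack            26484  1 (autoclean) [ip_conntrack_ftp]'

# Constructed iptables-save output: INPUT has the two rules Joerg suggested,
# FORWARD has nothing but the final DROP from Varun's ruleset.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 21 --syn -j ACCEPT
-A FORWARD -j DROP
COMMIT'

# ftp_helper_loaded: read lsmod text on stdin; exit 0 if the FTP helper module
# is listed. ip_conntrack_ftp is the name used in the thread (2.4 / early 2.6
# kernels); nf_conntrack_ftp is the name on current kernels (assumption noted).
ftp_helper_loaded() {
    awk '$1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# chain_accepts_related CHAIN: read iptables-save text on stdin; exit 0 if CHAIN
# has an ACCEPT matching RELATED (either "-m state --state" as in the thread or
# "-m conntrack --ctstate") that appears before an unconditional DROP/REJECT.
chain_accepts_related() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if ($0 ~ /(--state|--ctstate) [A-Z,]*RELATED/ && $0 ~ /-j ACCEPT/) { ok = 1; exit }
            # "-A CHAIN -j DROP" has exactly four fields: the catch-all came first
            if (NF == 4 && ($4 == "DROP" || $4 == "REJECT")) { exit }
        }
        END { exit ok ? 0 : 1 }'
}

# ftp_audit LSMOD_TEXT RULES_TEXT CHAIN: print one verdict line per check plus
# the fix from the thread where something is missing; return 0 only if both pass.
ftp_audit() {
    missing=0
    if printf '%s\n' "$1" | ftp_helper_loaded; then
        echo "ok: FTP conntrack helper is loaded"
    else
        echo "missing: FTP helper -> modprobe ip_conntrack_ftp   (nf_conntrack_ftp on newer kernels)"
        missing=1
    fi
    if printf '%s\n' "$2" | chain_accepts_related "$3"; then
        echo "ok: $3 accepts RELATED,ESTABLISHED before its catch-all"
    else
        echo "missing: $3 state rule -> iptables -I $3 -m state --state RELATED,ESTABLISHED -j ACCEPT"
        missing=1
    fi
    return $missing
}

# To run this against a real box, save its output and feed it in, e.g.:
#   lsmod > /tmp/lsmod.txt; iptables-save > /tmp/rules.txt
#   ftp_audit "$(cat /tmp/lsmod.txt)" "$(cat /tmp/rules.txt)" FORWARD
# With the constructed samples, INPUT passes and FORWARD fails the state check.
```

The audit deliberately reads text rather than calling iptables itself, so it can be reviewed on another machine, and it treats a bare "-A CHAIN -j DROP" as the point after which later ACCEPT rules can never match, which is the situation Varun's FORWARD chain is in if the FTP server sits behind the firewall instead of on it.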