From: Abraham van der Merwe
Date: Wed, 12 Mar 2003 14:18:25 +0000
Subject: [LARTC] matching ftp - how?
To: lartc@vger.kernel.org

Hi!

If I have the ftp connection tracking module compiled in, how do I match
ftp packets (I know ftp connections are tracked, but I want to match it to
count the traffic / shape it, etc)

You can obviously match active and passive ftp traffic as follows:

iptables -A FORWARD -s $net -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -d $net -p tcp --sport 21 -m state --state ESTABLISHED,RELATED

and for active ftp:

iptables -A FORWARD -s $net -p tcp --dport 20 -m state --state ESTABLISHED
iptables -A FORWARD -d $net -p tcp --sport 20 -m state --state ESTABLISHED,RELATED

and for passive ftp:

iptables -A FORWARD -s $net -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -d $net -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED

where $net is the network which is making the connection. The problem is
that the passive ftp rules will also match traffic from other protocols
which use ports higher than 1024.

Is there no way I can match traffic which is matched by a certain
connection tracking module (and only that module), e.g.

iptables -A FORWARD -s $net -m conntrack --proto ftp
iptables -A FORWARD -s $net -m conntrack --proto irc
iptables -A FORWARD -s $net -m conntrack --proto h323

etc.

-- 
Regards
 Abraham

I'm having BEAUTIFUL THOUGHTS about the INSIPID WIVES of smug and wealthy
CORPORATE LAWYERS ...
___________________________________________________
Abraham vd Merwe - Frogfoot Networks CC
9 Kinnaird Court, 33 Main Street, Newlands, 7700
Phone: +27 21 686 1674  Cell: +27 82 565 4451
Http: http://www.frogfoot.net/  Email: abz@frogfoot.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
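One way to get what the post asks for, added here as an example and not part of the original message: iptables' "helper" match (-m helper --helper ftp) matches only connections that the FTP conntrack helper created, so the data channel (active or passive) can be marked for accounting or tc shaping without a blanket rule over ports above 1024. This assumes the FTP conntrack module is loaded and that the helper match is available; the IPT variable and the mark values 2 and 3 are the example's own choices.

```sh
#!/bin/sh
# Added example: tag FTP control and data traffic for a client network
# using the conntrack helper match instead of a wide high-port rule.
# IPT defaults to iptables; set IPT=echo to print the rules instead.

IPT="${IPT:-iptables}"

# ftp_rules NET: append FORWARD rules that mark FTP traffic to/from NET.
# Mark 2 = control channel, mark 3 = data channel. The packet/byte
# counters on these rules give the traffic count; the marks can feed
# tc "fw" filters for shaping.
ftp_rules() {
    net="$1"
    # Control channel on port 21 in both directions.
    "$IPT" -A FORWARD -s "$net" -p tcp --dport 21 \
        -m conntrack --ctstate NEW,ESTABLISHED -j MARK --set-mark 2
    "$IPT" -A FORWARD -d "$net" -p tcp --sport 21 \
        -m conntrack --ctstate ESTABLISHED -j MARK --set-mark 2
    # Data channel: the ftp helper expects it as RELATED; "-m helper
    # --helper ftp" matches only connections spawned by that helper,
    # so other protocols on ports >1024 are not counted.
    "$IPT" -A FORWARD -s "$net" -p tcp \
        -m conntrack --ctstate RELATED,ESTABLISHED \
        -m helper --helper ftp -j MARK --set-mark 3
    "$IPT" -A FORWARD -d "$net" -p tcp \
        -m conntrack --ctstate RELATED,ESTABLISHED \
        -m helper --helper ftp -j MARK --set-mark 3
}

# ftp_counters: show the per-rule packet/byte counters for accounting.
ftp_counters() {
    "$IPT" -L FORWARD -v -n -x
}

# Run only when a network is given on the command line.
if [ -n "${1:-}" ]; then
    ftp_rules "$1"
fi
```

With the marks in place, a tc filter such as `tc filter add dev eth0 parent 1: protocol ip handle 3 fw flowid 1:30` sends the FTP data channel into its own class.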