* passive ftp
@ 2004-04-17 17:50 IT Clown
2004-04-17 18:03 ` Is there a more active mailing list for security? Krunk
` (3 more replies)
0 siblings, 4 replies; 9+ messages in thread
From: IT Clown @ 2004-04-17 17:50 UTC (permalink / raw)
To: netfilter
Hi
I am having some trouble to access passive mode ftp sites.I
have a firewall with ip forwarding enabled.When a pc on the
network want to access passive ftp servers i need to do the
following in my rules ( on the server ):
-A OUTPUT -p tcp -m multiport --dport 21,20 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
But i do not want every query to be forwarded i only want
say ftp access to be forwarded. Why does the following not
work ( on the server ):
-A FORWARD -p tcp -i eth0 -o ppp0 --dport 20 -j ACCEPT
-A FORWARD -p tcp -i eth0 -o ppp0 --dport 21 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Regards
______________________________________________________________
Herbalife Independent Distributor http://www.healthiest.co.za
^ permalink raw reply [flat|nested] 9+ messages in thread* Is there a more active mailing list for security?
2004-04-17 17:50 passive ftp IT Clown
@ 2004-04-17 18:03 ` Krunk
2004-04-17 19:13 ` Mark E. Donaldson
2004-04-17 18:12 ` passive ftp Krunk
` (2 subsequent siblings)
3 siblings, 1 reply; 9+ messages in thread
From: Krunk @ 2004-04-17 18:03 UTC (permalink / raw)
To: netfilter
This list seems a little slow...maybe one or two questions a day.
Haven't seen a reply yet. Would anyone know what a more active mailing
list would be where I could receive help?
James
^ permalink raw reply [flat|nested] 9+ messages in thread* RE: Is there a more active mailing list for security?
2004-04-17 18:03 ` Is there a more active mailing list for security? Krunk
@ 2004-04-17 19:13 ` Mark E. Donaldson
0 siblings, 0 replies; 9+ messages in thread
From: Mark E. Donaldson @ 2004-04-17 19:13 UTC (permalink / raw)
To: 'Krunk', netfilter
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Krunk
Sent: Saturday, April 17, 2004 11:04 AM
To: netfilter@lists.netfilter.org
Subject: Is there a more active mailing list for security?
This list seems a little slow...maybe one or two questions a day.
Haven't seen a reply yet. Would anyone know what a more active mailing list
would be where I could receive help?
James
Just have patience my friend. You won't find any help better or quicker for
iptables/netfilter anywhere else. Why not try posting your question again.
Anthony Stone must have gone somewhere for the weekend but perhaps someone
else can help you.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: passive ftp
2004-04-17 17:50 passive ftp IT Clown
2004-04-17 18:03 ` Is there a more active mailing list for security? Krunk
@ 2004-04-17 18:12 ` Krunk
2004-04-17 18:18 ` IT Clown
2004-04-17 19:06 ` Mark E. Donaldson
3 siblings, 0 replies; 9+ messages in thread
From: Krunk @ 2004-04-17 18:12 UTC (permalink / raw)
To: netfilter
This did it for me:
IPT=/usr/sbin/iptables
EXTIF=ppp0 # interface facing outward
EXTIP=xxx.xxx.xxx.xxx
INTIF=eth1
INTNET=<ip assigned to eth1>
TCP="ftp ftp-data"
for i in $TCP
do
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
done
You can put any number of services defined in /etc/services in the TCP
list and free them up with the loop.
On Sat, 2004-04-17 at 12:50, IT Clown wrote:
> Hi
>
> I am having some trouble to access passive mode ftp sites.I
> have a firewall with ip forwarding enabled.When a pc on the
> network want to access passive ftp servers i need to do the
> following in my rules ( on the server ):
>
> -A OUTPUT -p tcp -m multiport --dport 21,20 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> But i do not want every query to be forwarded i only want
> say ftp access to be forwarded. Why does the following not
> work ( on the server ):
>
> -A FORWARD -p tcp -i eth0 -o ppp0 --dport 20 -j ACCEPT
> -A FORWARD -p tcp -i eth0 -o ppp0 --dport 21 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> Regards
> ______________________________________________________________
> Herbalife Independent Distributor http://www.healthiest.co.za
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: passive ftp
2004-04-17 17:50 passive ftp IT Clown
2004-04-17 18:03 ` Is there a more active mailing list for security? Krunk
2004-04-17 18:12 ` passive ftp Krunk
@ 2004-04-17 18:18 ` IT Clown
2004-04-17 19:06 ` Mark E. Donaldson
3 siblings, 0 replies; 9+ messages in thread
From: IT Clown @ 2004-04-17 18:18 UTC (permalink / raw)
To: netfilter
Sorry i left out something about the following rule:
> -A FORWARD -p tcp -i eth0 -o ppp0 --dport 20 -j ACCEPT
> -A FORWARD -p tcp -i eth0 -o ppp0 --dport 21 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
When i set the rule i can connect to passive mode ftp
servers but when it needs to list the contents of the ftp
server it will list nothing or i will get disc from the ftp
server.
On Sat, 17 Apr 2004 19:50:35 +0200
"IT Clown" <iptables@mailbox.co.za> wrote:
> Hi
>
> I am having some trouble to access passive mode ftp
> sites.I
> have a firewall with ip forwarding enabled.When a pc on
> the
> network want to access passive ftp servers i need to do
> the
> following in my rules ( on the server ):
>
> -A OUTPUT -p tcp -m multiport --dport 21,20 -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth0 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> But i do not want every query to be forwarded i only want
> say ftp access to be forwarded. Why does the following
> not
> work ( on the server ):
>
> -A FORWARD -p tcp -i eth0 -o ppp0 --dport 20 -j ACCEPT
> -A FORWARD -p tcp -i eth0 -o ppp0 --dport 21 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> Regards
>
______________________________________________________________
> Herbalife Independent Distributor
> http://www.healthiest.co.za
>
______________________________________________________________
Herbalife Independent Distributor http://www.healthiest.co.za
^ permalink raw reply [flat|nested] 9+ messages in thread
* RE: passive ftp
2004-04-17 17:50 passive ftp IT Clown
` (2 preceding siblings ...)
2004-04-17 18:18 ` IT Clown
@ 2004-04-17 19:06 ` Mark E. Donaldson
2004-04-18 16:24 ` NAT FTP module problem GoMi
3 siblings, 1 reply; 9+ messages in thread
From: Mark E. Donaldson @ 2004-04-17 19:06 UTC (permalink / raw)
To: 'IT Clown', netfilter
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of IT Clown
Sent: Saturday, April 17, 2004 10:51 AM
To: netfilter@lists.netfilter.org
Subject: passive ftp
Hi
I am having some trouble to access passive mode ftp sites.I have a firewall
with ip forwarding enabled.When a pc on the network want to access passive
ftp servers i need to do the following in my rules ( on the server ):
-A OUTPUT -p tcp -m multiport --dport 21,20 -j ACCEPT -A INPUT -m state
--state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -j ACCEPT -A
FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
But i do not want every query to be forwarded i only want say ftp access to
be forwarded. Why does the following not work ( on the server ):
-A FORWARD -p tcp -i eth0 -o ppp0 --dport 20 -j ACCEPT -A FORWARD -p tcp -i
eth0 -o ppp0 --dport 21 -j ACCEPT -A FORWARD -m state --state
RELATED,ESTABLISHED -j ACCEPT Regards
______________________________________________________________
Herbalife Independent Distributor http://www.healthiest.co.za
Be sure you have the two support modules you need loaded:
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack_ftp
Passive FTP data transfers take place on a "high port" that the server
recommends to the client, and the client then establishes the new connection
on that high port that the server uses as well. Neither Port 20 or 21 are
used during this part of the process. Therefore, the ftp connection
tracking modules are necessary for all this to happen.
^ permalink raw reply [flat|nested] 9+ messages in thread* NAT FTP module problem
2004-04-17 19:06 ` Mark E. Donaldson
@ 2004-04-18 16:24 ` GoMi
0 siblings, 0 replies; 9+ messages in thread
From: GoMi @ 2004-04-18 16:24 UTC (permalink / raw)
To: markee, 'IT Clown', netfilter
I have a problem inserting the ipt_nat_module
insmod ip_nat_ftp
Using /lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_nat_ftp.o
/lib/modules/2.4.20/kernel/net/ipv4/netfilter/ip_nat_ftp.o: init_module:
Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including
invalid IO or IRQ parameters.
You may find more information in syslog or the output from dmesg
Any ideas?
-----Mensaje original-----
De: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] En nombre de Mark E. Donaldson
Enviado el: sábado, 17 de abril de 2004 21:06
Para: 'IT Clown'; netfilter@lists.netfilter.org
Asunto: RE: passive ftp
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of IT Clown
Sent: Saturday, April 17, 2004 10:51 AM
To: netfilter@lists.netfilter.org
Subject: passive ftp
Hi
I am having some trouble to access passive mode ftp sites.I have a firewall
with ip forwarding enabled.When a pc on the network want to access passive
ftp servers i need to do the following in my rules ( on the server ):
-A OUTPUT -p tcp -m multiport --dport 21,20 -j ACCEPT -A INPUT -m state
--state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth0 -j ACCEPT -A
FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
But i do not want every query to be forwarded i only want say ftp access to
be forwarded. Why does the following not work ( on the server ):
-A FORWARD -p tcp -i eth0 -o ppp0 --dport 20 -j ACCEPT -A FORWARD -p tcp -i
eth0 -o ppp0 --dport 21 -j ACCEPT -A FORWARD -m state --state
RELATED,ESTABLISHED -j ACCEPT Regards
______________________________________________________________
Herbalife Independent Distributor http://www.healthiest.co.za
Be sure you have the two support modules you need loaded:
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack_ftp
Passive FTP data transfers take place on a "high port" that the server
recommends to the client, and the client then establishes the new connection
on that high port that the server uses as well. Neither Port 20 or 21 are
used during this part of the process. Therefore, the ftp connection
tracking modules are necessary for all this to happen.
^ permalink raw reply [flat|nested] 9+ messages in thread
* passive ftp
@ 2003-02-11 16:43 Luis Miguel Cruz Miranda
2003-02-12 10:05 ` Cedric Blancher
0 siblings, 1 reply; 9+ messages in thread
From: Luis Miguel Cruz Miranda @ 2003-02-11 16:43 UTC (permalink / raw)
To: netfilter
Ok, I spend more than 30 minutes and I couldn't discover how to allow
inbound passive ftp.
Can anyone write me a generic iptables rules?
Thanks
Luis Miguel Cruz Miranda. | B2B INTEGRAL, S.A.
CCNA - Systems Administrator | Pol. Ind. de Asipo
| C/A - Parcela 86-C
Tel: +34 902 506 605 | 33.428 - CAYES - LLANERA
Fax:+34 985 980 794 | ASTURIAS (ESPAÑA/SPAIN)
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: passive ftp
2003-02-11 16:43 passive ftp Luis Miguel Cruz Miranda
@ 2003-02-12 10:05 ` Cedric Blancher
0 siblings, 0 replies; 9+ messages in thread
From: Cedric Blancher @ 2003-02-12 10:05 UTC (permalink / raw)
To: Luis Miguel Cruz Miranda; +Cc: netfilter
Le mar 11/02/2003 à 17:43, Luis Miguel Cruz Miranda a écrit :
> Ok, I spend more than 30 minutes and I couldn't discover how to allow
> inbound passive ftp.
Just load ip_conntrack_ftp then allow RELATED state and you're done.
> Can anyone write me a generic iptables rules?
iptables -A INPUT -m state --state RELATED -j ACCEPT
Can't be more generic.
--
Cédric Blancher <blancher@cartel-securite.fr>
IT systems and networks security expert - Cartel Sécurité
Phone : +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2004-04-18 16:24 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-04-17 17:50 passive ftp IT Clown
2004-04-17 18:03 ` Is there a more active mailing list for security? Krunk
2004-04-17 19:13 ` Mark E. Donaldson
2004-04-17 18:12 ` passive ftp Krunk
2004-04-17 18:18 ` IT Clown
2004-04-17 19:06 ` Mark E. Donaldson
2004-04-18 16:24 ` NAT FTP module problem GoMi
-- strict thread matches above, loose matches on Subject: below --
2003-02-11 16:43 passive ftp Luis Miguel Cruz Miranda
2003-02-12 10:05 ` Cedric Blancher
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.