From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Andrew B. Cramer" Subject: Re: AW: IP_TABLES Q - Solved Date: Mon, 17 Feb 2003 19:30:18 -0600 Sender: linux-admin-owner@vger.kernel.org Message-ID: <3E51384A.32219.E00F7C5@localhost> References: <3E512A8A.29147.DCB3DE7@localhost> Reply-To: andrew.cramer@cramer-ts.com Mime-Version: 1.0 Content-Transfer-Encoding: 7BIT Return-path: In-reply-to: <15953.34476.373726.105791@cerise.nosuchdomain.co.uk> Content-description: Mail message body List-Id: Content-Type: text/plain; charset="us-ascii" To: Glynn Clements Cc: linux-admin Thanks Glynn & Bart! I did switch to 'passive' ftp and the workstations behave correctly. I will still try ip_conntrace_ftp when I get a chance. The bottom line, it's working. Kinds Regards - Andrew Cramer On 18 Feb 2003 at 1:04, Glynn Clements wrote: > > Andrew B. Cramer wrote: > > > In the interim, I did add for ports 20 & 21. same thing. Even Windoz > > FTP gives the same message. Here is a segment from my new script. > > > > Thanks - Andrew > > > > > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT > > > > # Try this for FTP (ABC) - Did not work > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 20 -j ACCEPT > > $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 21 -j ACCEPT > > > > # Reject telnet sessions from outside (Changed from 21 to 23)(ABC) > > $IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 23 -j REJECT > > I believe that you need to use the ip_conntrack_ftp module to track > the ports which are used. Note: I don't know the specifics of how to > use it, but I'm pretty sure that this is the right module. > > The traditional mechanism for establishing the data channel is to have > the client create a listening socket on a randomly-numbered port. The > client sends the IP address and port number to the server, which then > makes an inbound (server -> client) connection. > > To allow this through the firewall, you have to either: > > 1. Allow all inbound TCP connections to unprivileged ports (>1024). > While you could filter with "--source-port 20", this doesn't really > buy you anything; hack attempts often use port 20 to get through > firewalls which are [mis]configured in this way. > > 2. Have some code which monitors the traffic sent over the control > channel, looking for the PORT commands (this is what ip_masq_ftp and > ip_conntrack_ftp do), and enables inbound TCP connections on those > ports. > > However, if at all practical, you should forego the traditional > ("active") mode of FTP in favour of passive mode. Here, all > connections are outbound (client -> server). > > For the standard "ftp" program, use the "passive" command (either > interactively, or via ~/.netrc); GUI FTP clients typically have a > "passive mode" check-box; Web browsers normally use passive mode > automatically. > > Nowadays, the main reason for supporting "active" FTP is if you have > no choice, e.g. you are answerable to people who simply demand it. > > -- > Glynn Clements > - > To unsubscribe from this list: send the line "unsubscribe linux-admin" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >