Linux Netfilter discussions
From: "Roman Gavrilov" <romio@netvision.net.il>
To: netfilter@lists.netfilter.org
Subject: iptables and ftp
Date: Sat, 22 Feb 2003 22:20:11 +0200
Message-ID: <023001c2daaf$cd19fe80$020010ac@romio>


Hello,

My question is about ftp and ftp data connections.
I know this subject has been heavily discussed but still ...

I set up my firewall to allow connections to ports 21 and 20.
I also allowed connections to high ports from outside from port 20,
and of course I enabled all established and related connections.


But whenever I connect to my ftp server and issue the "ls" command, it gets stuck.
In the firewall I see:
Feb 22 04:07:46 hostname IN=eth0 OUT= MAC=00:e0:18:d3:1b:4b:00:90:5f:0d:64:38:08:00  SRC=source ip DST=my server ip LEN=60 TOS=00 PREC=0x00 TTL=53 ID=41512 DF PROTO=TCP SPT=37070 DPT=21773 SEQ=3256137382 ACK=0 WINDOW=5648 SYN URGP=0

SPT=37070 DPT=21773 looks strange to me.

It seems that the ftp data session is trying to establish a connection from a high port to a high port.
SYN means that it is trying to establish a connection, and of course it is dropped by the firewall.
There is no sense in allowing anything from outside to the server's high ports.

I think that the client should issue a connect request from a high port to the server's port 20,
and then it should match the established connection.

What can be the problem?

Thanks


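As an added example that is not part of the original post: the logged SYN from client port 37070 to server port 21773 is what a passive-mode (PASV) FTP data connection looks like. In passive mode the server answers the client's PASV command with a high port number and the client opens the data connection to that port, so a rule for port 20 never sees it. The netfilter ftp conntrack helper reads the PASV reply on the port 21 control connection and registers an expectation for exactly that one data connection, which then arrives in state RELATED and is accepted by the existing ESTABLISHED,RELATED rule without opening the server's high ports. The script below generates (prints, does not apply) such a ruleset and classifies a LOG line like the one in the post. It assumes a kernel of 4.7 or newer, where helpers are no longer attached automatically and must be assigned with the CT target in the raw table, the `nf_conntrack_ftp` module, an interface name passed as a parameter, and a constructed sample log line with documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post or the netfilter project.
# ftp_ruleset prints an iptables INPUT policy for an FTP server in which the
# conntrack ftp helper makes passive-mode data connections RELATED.
# Assumptions: kernel >= 4.7 (explicit helper assignment via -j CT --helper),
# nf_conntrack_ftp available, interface name given as $1.
ftp_ruleset() {
    iface="$1"   # e.g. eth0
    cat <<EOF
modprobe nf_conntrack_ftp
# Attach the ftp helper to control connections so PASV/PORT replies create expectations.
iptables -t raw -A PREROUTING -i $iface -p tcp --dport 21 -j CT --helper ftp
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# The expected data connection arrives as RELATED: no static high-port or port 20 holes.
iptables -A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Log what still gets dropped so a missing helper shows up as a SYN to a high port.
iptables -A INPUT -i $iface -j LOG --log-prefix "INPUT drop: "
EOF
}

# is_dropped_data_syn returns 0 when a netfilter LOG line is a pure TCP SYN
# (no ACK flag) aimed at an unprivileged port (> 1023): the symptom from the
# post, a passive data connection that no rule matched. Returns 1 otherwise.
is_dropped_data_syn() {
    line="$1"
    case "$line" in
        *"PROTO=TCP"*" SYN "*) ;;   # must be TCP with the SYN flag word present
        *) return 1 ;;
    esac
    case "$line" in
        *" ACK "*) return 1 ;;       # a bare "ACK" word means SYN-ACK or later, not a new SYN
    esac
    dpt=$(printf '%s\n' "$line" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    [ -n "$dpt" ] && [ "$dpt" -gt 1023 ]
}

# Constructed sample line modelled on the one in the post (documentation IPs,
# MAC field omitted); SPT/DPT values are the ones the post shows.
SAMPLE_LINE='Feb 22 04:07:46 hostname IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=00 PREC=0x00 TTL=53 ID=41512 DF PROTO=TCP SPT=37070 DPT=21773 SEQ=3256137382 ACK=0 WINDOW=5648 SYN URGP=0'

# Stand-alone run: print the ruleset, then classify the sample line.
ftp_ruleset eth0
if is_dropped_data_syn "$SAMPLE_LINE"; then
    echo "sample line: new SYN to a high port, i.e. an unmatched passive data connection"
else
    echo "sample line: not an unmatched passive data connection"
fi
```

After applying such a ruleset, `cat /proc/net/nf_conntrack_expect` (or `conntrack -L expect` from the conntrack-tools package) should show an expectation for the data port while a client is between its PASV reply and the data connection; if none appears, the helper is not attached to the control connection and the drop in the log will reappear.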

Thread overview: 5+ messages
2003-02-22 20:20 Roman Gavrilov [this message]
2003-02-21 23:51 ` iptables and ftp Willi Dyck
2003-02-22  0:59 ` How to do port forwarding dynamically Dhirendra Pal Singh
2003-02-22  1:34   ` Joel Newkirk
2003-02-24 20:13     ` Dhirendra Pal Singh