Linux Netfilter discussions
From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: Ip_conntrack_ftp with PASSIVE FTP does not work
Date: Wed, 13 Jul 2005 11:38:36 +0200	[thread overview]
Message-ID: <42D4E11C.2080100@mnemon.de> (raw)
In-Reply-To: <04EE7AD0450F7B498BA216312943A1A102937F25@blrse201.ap.infineon.com>

Chandra.Vempali@infineon.com schrieb:
> Hi all,
> 
> For me, ip_conntrack_ftp does not work for PASSIVE ftp.
> 
> In the firewall rules, I blocked everything and put the following rules,
> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j
> ACCEPT 
> iptables -A OUTPUT -p tcp --dport 21 -m state --state
> NEW,ESTABLISHED,RELATED -j ACCEPT 
> And when I try to ftp, the control channel goes through the firewall, but
> the data channel fails to pass through.
So, your firewall connects to the FTP server, why not. First of all, make
sure that ip_conntrack_ftp is compiled into the kernel or built as a module.
If it is built as a module, make sure it is loaded.

As your firewall connects to the FTP server and your OUTPUT policy seems
to be DROP or REJECT, you need rules like these:

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 --syn -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Hmm, many people, including myself, think that filtering in OUTPUT is
pointless. More troublesome than useful. If you decide to set the OUTPUT
policy to ACCEPT, you don't need the first two rules. Up to you.

Have a nice time,

Joerg


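The advice above rests on what ip_conntrack_ftp actually does: it reads the port-21 control connection, parses the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (or the client's PORT command in active mode), and registers an expectation so that the data connection's first SYN is classified RELATED rather than NEW. Without the helper loaded, that SYN is NEW and the INPUT/OUTPUT rules in the thread never match it. The following is a simulation written for this page, not the kernel's code; the class and function names, the 10.0.0.2 client, the 192.0.2.10 server and the packet sequences are constructed for illustration. It also models the helper's `loose` module parameter: with the default (loose=0) an advertised address that differs from the sender's own address creates no expectation, so a server cannot open a RELATED hole towards a third host.

```python
import re
from dataclasses import dataclass

# Control-channel syntax the helper looks for. Port = p1 * 256 + p2.
PASV_RE = re.compile(rb"^227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
FTP_PORT = 21


def parse_hostport(line: bytes):
    """Return (ip, port) advertised on one control-channel line, else None."""
    m = PASV_RE.match(line) or PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    port = nums[4] * 256 + nums[5]
    if any(n > 255 for n in nums) or port == 0:
        return None  # malformed advertisement: no expectation is created
    return ".".join(map(str, nums[:4])), port


@dataclass(frozen=True)
class Expectation:
    src: str     # peer that must open the data connection (any source port)
    dst: str
    dport: int


class ConntrackSim:
    """Toy state table: known flows plus pending FTP expectations (simulation)."""

    def __init__(self, loose: bool = False):
        self.loose = loose            # models ip_conntrack_ftp's `loose` parameter
        self.flows = set()
        self.expectations = []

    @staticmethod
    def _flow_key(src, sport, dst, dport):
        return frozenset({(src, sport), (dst, dport)})  # same key in both directions

    def packet(self, src, sport, dst, dport, payload=b""):
        """Classify one TCP segment the way `-m state` would see it."""
        key = self._flow_key(src, sport, dst, dport)
        if key in self.flows:
            state = "ESTABLISHED"
        else:
            exp = next((e for e in self.expectations
                        if e.src == src and e.dst == dst and e.dport == dport), None)
            if exp is not None:
                self.expectations.remove(exp)  # an expectation is consumed once
                state = "RELATED"
            else:
                state = "NEW"
            self.flows.add(key)
        if payload and FTP_PORT in (sport, dport):
            self._ftp_helper(src, dst, payload)
        return state

    def _ftp_helper(self, src, dst, payload):
        """The ip_conntrack_ftp part: turn PASV replies / PORT commands into expectations."""
        for line in payload.split(b"\r\n"):
            hp = parse_hostport(line)
            if hp is None:
                continue
            adv_ip, adv_port = hp
            if adv_ip != src and not self.loose:
                continue  # advertised a third host: refused unless loose=1
            # The data connection is always opened by the other end of the
            # control connection, towards the advertised address and port.
            self.expectations.append(Expectation(src=dst, dst=adv_ip, dport=adv_port))


CLIENT, SERVER = "10.0.0.2", "192.0.2.10"   # constructed addresses


def _control_channel(ct):
    """Constructed three-packet start of an FTP control session."""
    return [ct.packet(CLIENT, 40001, SERVER, 21),      # SYN        -> NEW
            ct.packet(SERVER, 21, CLIENT, 40001)]      # SYN/ACK    -> ESTABLISHED


def passive_session():
    """Passive mode: server advertises 192.0.2.10:50000 (195*256+80), client connects."""
    ct = ConntrackSim()
    states = _control_channel(ct)
    states.append(ct.packet(CLIENT, 40001, SERVER, 21, b"PASV\r\n"))
    states.append(ct.packet(SERVER, 21, CLIENT, 40001,
                            b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"))
    states.append(ct.packet(CLIENT, 40002, SERVER, 50000))   # data SYN -> RELATED
    return states


def active_session():
    """Active mode: client advertises 10.0.0.2:40192 (157*256+0), server connects from 20."""
    ct = ConntrackSim()
    states = _control_channel(ct)
    states.append(ct.packet(CLIENT, 40001, SERVER, 21, b"PORT 10,0,0,2,157,0\r\n"))
    states.append(ct.packet(SERVER, 20, CLIENT, 40192))      # data SYN -> RELATED
    return states


def rogue_pasv(loose):
    """Server advertises a different host (10.0.0.50:22); state of the resulting SYN."""
    ct = ConntrackSim(loose=loose)
    _control_channel(ct)
    ct.packet(SERVER, 21, CLIENT, 40001, b"227 Entering Passive Mode (10,0,0,50,0,22)\r\n")
    return ct.packet(CLIENT, 40003, "10.0.0.50", 22)


if __name__ == "__main__":
    print(passive_session(), active_session(), rogue_pasv(False), rogue_pasv(True))
```

The model deliberately ignores the TCP state machine and NAT; its point is only the NEW/RELATED/ESTABLISHED decision the thread's rules depend on. Two checks worth adding to the advice above on a current kernel: the module is named nf_conntrack_ftp there, and since Linux 4.7 the sysctl net.netfilter.nf_conntrack_helper defaults to 0, so the helper is only attached to a flow that a `-j CT --helper ftp` rule in the raw table has assigned it to; without that rule the data SYN stays NEW exactly as in the original report.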

Thread overview:
2005-07-13  9:05 Ip_conntrack_ftp with PASSIVE FTP does not work Chandra.Vempali
2005-07-13  9:38 ` Jörg Harmuth [this message]
2005-07-13 10:14   ` Jan Engelhardt
2005-07-13 14:45     ` OUTPUT filtering (was: Re: Ip_conntrack_ftp ...) /dev/rob0
2005-07-14 12:20       ` OUTPUT filtering Amin Azez
2005-07-14 15:56         ` Jörg Harmuth
  -- strict thread matches above, loose matches on Subject: below --
2005-07-13 10:00 Ip_conntrack_ftp with PASSIVE FTP does not work Chandra.Vempali
2005-07-13 11:38 ` Jörg Harmuth
2005-07-13 14:40 ` Jason Opperisano
2005-07-13 21:15 ` R. DuFresne
