Linux Netfilter discussions
From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: ftp issue cont.
Date: Mon, 15 Aug 2005 11:13:26 +0200
Message-ID: <43005CB6.6010108@mnemon.de>
In-Reply-To: <E656E2CC1C5AEB42ACB00EB83122C7741FCC43@farmer.vikus.com>

Derick Anderson schrieb:
> FTP passive mode creates an entirely new connection for data transfer.
> It is not 'related' to the original connection and so iptables doesn't
> pick it up as such (nor do any other stateful firewalls that I'm aware
> of). 

No, not really. Iptables regards FTP data traffic as related stuff. To
be more exact, the respective helper module does so
(ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
This looks something like this (assuming that policies are DROP and
OUTPUT is ACCEPT, and also assuming that the box is directly connected to
the internet and that the FTP server is on the firewall box):

# load the FTP connection-tracking helper (modprobe takes the module
# name without the .o/.ko suffix)
modprobe ip_conntrack_ftp

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT

This will work for active and passive FTP. If the ftp-module isn't on
the system in question, varun_saa has to configure the kernel correctly
and recompile as needed.

BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
and in FORWARD no rule concerning FTP. So, what is this guy doing? If
the FTP server is on the firewall box, there is no iptables problem at
all (on this box). If not, there are no rules that permit FTP and thus
it cannot work. The whole thing looks quite mysterious to me, including
the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
would clarify the situation :)

Have a nice time,

Joerg
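
The RELATED behaviour Jörg describes comes from the FTP conntrack helper reading the control channel: it parses the client's PORT command (active mode) and the server's 227 reply (passive mode) and registers an expectation for the data connection that follows. The following Python model of that logic is an added example, not code from the thread or from the netfilter project; the addresses and control lines are constructed, and the `loose` flag mirrors the helper module's parameter of that name (default off, i.e. the advertised address must match the peer that sent it).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample endpoints for the control connection (not from the thread).
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.5"

# PORT commands and 227 replies both carry the data endpoint as h1,h2,h3,h4,p1,p2.
_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    """Data connection the helper would mark RELATED: who connects, to where, on which port."""
    src: str
    dst: str
    dport: int


def parse_endpoint(line: str):
    """Return (ip, port) from an FTP h1,h2,h3,h4,p1,p2 endpoint, or None if absent."""
    m = _ENDPOINT.search(line)
    if not m:
        return None
    addr = ".".join(m.group(1, 2, 3, 4))
    return addr, int(m.group(5)) * 256 + int(m.group(6))


def expect_data_conn(line: str, client: str, server: str,
                     loose: bool = False) -> Optional[Expectation]:
    """Derive the expected data connection from one control-channel line.

    Active mode: the client sends 'PORT ...' and the server connects to the client.
    Passive mode: the server answers '227 ...' and the client connects to the server.
    With loose=False (the helper's default) the advertised address must equal the
    address of the side that sent it; otherwise no expectation is created, so a
    control line cannot make traffic to some third host count as RELATED.
    """
    upper = line.upper()
    if upper.startswith("PORT "):
        speaker, connector = client, server
    elif upper.startswith("227 "):
        speaker, connector = server, client
    else:
        return None  # not a line that opens a data channel
    parsed = parse_endpoint(line)
    if parsed is None:
        return None
    addr, port = parsed
    if not loose and addr != speaker:
        return None
    return Expectation(src=connector, dst=addr, dport=port)
```

The point for the firewall is in the last check: the helper only creates expectations it can tie back to the control connection's own peers, which is why loading it together with a RELATED,ESTABLISHED rule is sufficient and why the `loose` parameter should stay at its default.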
