Linux Netfilter discussions
From: Boryan Yotov <yotov@prosyst.com>
To: netfilter@lists.netfilter.org
Subject: Re: Ftp (pass mode ) and Iptables
Date: Thu, 05 Jan 2006 11:18:03 +0100
Message-ID: <43BCF25B.8000409@prosyst.com>
In-Reply-To: <43BCE38B.5080007@prosyst.com>

Boryan Yotov wrote:
> ludi wrote:
> 
>> I have a ftp server and run a script of iptables on the server (not a
>> nat-gateway).  The follow is the script:
>>
>> iptables -F OUTPUT
>> iptables -F INPUT
>> iptables -F FORWARD
>>
>> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
>> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
>> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
>> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
>> iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit --limit 6/m --limit-burst 6 -j ACCEPT
>> iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -P INPUT DROP
>>
>> iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
>> iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
>> iptables -P OUTPUT DROP
>> Now, my question is that I cannot connect to the ftp server in pass
>> mode until I stop the iptables. I had tried the ip_conntrack_ftp.o
>> module, but it didn't have any effect.
>> Could anyone give me some idea?
> 
> Do you have TLS or SSL encryption over the FTP server's command channel?
> 

OK, since you are sure there is no TLS or SSL encryption on the command 
channel, it is probably the firewall setup script which you use.

I suppose the script above is the complete one and it is run on the FTP 
server itself. If this is the case, then I see no definition for TCP/UDP 
port 21 (where the FTP server's command channel is listening). If 
port 21 is closed (and your proftpd is not configured to listen on another 
command port), then you won't be able to connect to the FTP server at all.

Otherwise, since you mention that PASV mode is not working, I 
guess you already have a command channel connection open between 
client and server? Or not?

And, please reply to the list (it makes it easier to track).
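A corrected version of the quoted INPUT rules, added here as an example that is not part of the thread: it opens the TCP/21 command channel that the script lacks and loads the FTP conntrack helper, so the incoming passive-mode data connection is classified RELATED and matched by the existing ESTABLISHED,RELATED rule. The raw-table CT rule and the nf_conntrack_ftp module name are assumptions for kernels 4.7 and later (which no longer attach helpers automatically); the address in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: ludi's INPUT rules plus the two
# pieces Boryan points at, a rule for the FTP command channel (TCP/21)
# and the FTP conntrack helper. With the helper loaded, the client's
# connection to the port announced in the server's "227 Entering Passive
# Mode" reply is tracked as RELATED to the control session, so no data
# port range has to be opened. Set IPTABLES=echo to print instead of apply.
IPTABLES="${IPTABLES:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Load the helper: nf_conntrack_ftp on current kernels, ip_conntrack_ftp on 2.4/2.6.
load_ftp_helper() {
    "$MODPROBE" nf_conntrack_ftp 2>/dev/null || "$MODPROBE" ip_conntrack_ftp
}

# INPUT rules for an FTP server whose own address is $1 (the script's $HOME_ADDR).
# The original OUTPUT chain (accept everything sourced from $HOME_ADDR) is left as is.
ftp_input_rules() {
    home_addr="$1"
    "$IPTABLES" -F INPUT
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Replies and helper-expected data connections; checked first so they match early.
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The command channel the quoted script never opened.
    "$IPTABLES" -A INPUT -p tcp -i eth0 -d "$home_addr" --dport 21 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp -i eth0 -d "$home_addr" --dport 22 -m state --state NEW -j ACCEPT
    "$IPTABLES" -P INPUT DROP
    # Kernels 4.7+ no longer attach helpers automatically (nf_conntrack_helper=0);
    # bind the ftp helper to the control port explicitly in the raw table (assumed).
    "$IPTABLES" -t raw -A PREROUTING -p tcp -d "$home_addr" --dport 21 -j CT --helper ftp
}

# Diagnostic mirroring Boryan's reading of the script: given an INPUT rule
# listing on stdin (e.g. from `iptables -S INPUT`), succeed only if both the
# TCP/21 rule and the ESTABLISHED,RELATED rule are present.
check_input_rules() {
    rules=$(cat)
    echo "$rules" | grep -q -- '--dport 21' || { echo "missing: TCP/21 control-channel rule" >&2; return 1; }
    echo "$rules" | grep -q -- 'ESTABLISHED,RELATED' || { echo "missing: ESTABLISHED,RELATED rule" >&2; return 1; }
    return 0
}

# HOME_ADDR=203.0.113.5 sh ftp-rules.sh applies the rules (placeholder address);
# add IPTABLES=echo MODPROBE=echo to preview them without touching the kernel.
if [ -n "${HOME_ADDR:-}" ]; then
    load_ftp_helper
    ftp_input_rules "$HOME_ADDR"
fi
```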
