From: varun_saa@vsnl.net
To: "Jörg Harmuth" <harmuth@mnemon.de>
Cc: netfilter@lists.netfilter.org
Subject: Re: ftp issue cont.
Date: Mon, 15 Aug 2005 15:33:29 +0500
Message-ID: <6bb85b56bba229.6bba2296bb85b5@vsnl.net>
Thanks Jorg,

How do I find out whether the ftp module is loaded or not?

Thanks
Varun
----- Original Message -----
From: Jörg Harmuth <harmuth@mnemon.de>
Date: Monday, August 15, 2005 2:43 pm
Subject: Re: ftp issue cont.
> Derick Anderson wrote:
> > FTP passive mode creates an entirely new connection for data
> > transfer. It is not 'related' to the original connection and so
> > iptables doesn't pick it up as such (nor do any other stateful
> > firewalls that I'm aware of).
>
> No, not really. Iptables regards FTP data traffic as related stuff. To
> be more exact, the respective helper module does so
> (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
> module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
> This looks something like this (assuming that policies are DROP and
> OUTPUT is ACCEPT, and also assuming that the box is directly connected to
> the internet and that the FTP server is on the firewall box):
>
> modprobe ip_conntrack_ftp.[k]o
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
>
> This will work for active and passive FTP. If the ftp module isn't on
> the system in question, varun_saa has to configure the kernel
> correctly and recompile as needed.
>
> BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
> and in FORWARD no rule concerning FTP. So, what is this guy doing? If
> the FTP server is on the firewall box, there is no iptables problem at
> all (on this box). If not, there are no rules that permit FTP and thus
> it cannot work. The whole thing looks quite mysterious to me,
> including the -P issue Rob mentioned. Maybe a tiny ASCII art
> network picture would clarify the situation :)
>
> Have a nice time,
>
> Joerg
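Added example, not part of the thread or of netfilter: a small POSIX shell script that answers Varun's question (is the FTP conntrack helper loaded?) and checks for the two INPUT rules Joerg's ruleset relies on. It assumes the helper shows up in `lsmod` as ip_conntrack_ftp (2.4/2.6-era name) or nf_conntrack_ftp (current name), and that rules are read from `iptables-save` output; the module listing and ruleset at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): check that the FTP conntrack helper is
# loaded and that INPUT accepts RELATED,ESTABLISHED plus new connections to
# tcp/21. Each check reads a file, so it runs on live output (lsmod,
# iptables-save) or on the constructed samples at the bottom.

# 0 if an FTP conntrack helper is listed in lsmod-style output.
# ip_conntrack_ftp is the 2.4/2.6-era name, nf_conntrack_ftp the current one.
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]' "$1"
}

# 0 if INPUT accepts RELATED,ESTABLISHED (old -m state or newer -m conntrack form).
related_rule_present() {
    grep -Eq -e '^-A INPUT .*--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) .*-j ACCEPT$' "$1"
}

# 0 if INPUT accepts TCP connections to the FTP control port.
ftp_control_rule_present() {
    grep -Eq -e '^-A INPUT .*-p tcp .*--dport 21 .*-j ACCEPT$' "$1"
}

# Runs all three checks; prints each missing piece, returns the number missing.
audit_ftp_setup() {
    missing=0
    ftp_helper_loaded "$1"        || { echo "missing: ftp conntrack helper (modprobe ip_conntrack_ftp)"; missing=$((missing+1)); }
    related_rule_present "$2"     || { echo "missing: INPUT RELATED,ESTABLISHED ACCEPT rule"; missing=$((missing+1)); }
    ftp_control_rule_present "$2" || { echo "missing: INPUT ACCEPT for tcp/21"; missing=$((missing+1)); }
    return $missing
}

# Constructed samples standing in for `lsmod` and `iptables-save` output.
LSMOD_OK=$(mktemp); LSMOD_BAD=$(mktemp); RULES_OK=$(mktemp); RULES_BAD=$(mktemp)
cat > "$LSMOD_OK" <<'EOF'
Module                  Size  Used by
ip_conntrack_ftp       12345  0
ip_conntrack           45678  1 ip_conntrack_ftp
EOF
printf 'Module                  Size  Used by\nip_conntrack           45678  0\n' > "$LSMOD_BAD"
cat > "$RULES_OK" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
COMMIT
EOF
printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\nCOMMIT\n' > "$RULES_BAD"

# Live use: lsmod > /tmp/m; iptables-save > /tmp/r; audit_ftp_setup /tmp/m /tmp/r
audit_ftp_setup "$LSMOD_OK" "$RULES_OK" && echo "FTP setup looks complete"
```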