Re: Acces ftp passive mode with iptables
From: ujay (ujay50-NOSPAM-@shaw.ca)Date: 01/18/02
- Previous message: crawdog@erols.com: "Re: This is bugging me"
- Maybe in reply to: Matthias Wulkow: "Re: Acces ftp passive mode with iptables"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: ujay <ujay50-NOSPAM-@shaw.ca> Date: Fri, 18 Jan 2002 05:15:07 GMT
Michael (Cegonha) wrote:
> Hi !
>
> How can accept ftp passive mode with iptables ?
>
> thanks
>
> Michael
>
passive mode involves connection on ports >1023 on both machines, passed
via ftp by the PORT command to the connecting client. The
ip_conntrack_ftp module recognizes the connection as RELATED to the
original outgoing connection to port 21.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# ftp conntrack
# This involves a connection INbound from port 20 on the remote machine,
to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp
module recognizes
# the connection as RELATED to the original outgoing connection to port
21 so we don't
# need NEW as a state match.
iptables -A INPUT -i ethx -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ethx -p tcp --dport 20 -m state --state
ESTABLISHED -j ACCEPT
# passive ftp
UNPRIV="1024:65535"
iptables -A INPUT -i ethx -p tcp --sport $UNPRIV --dport $UNPRIV -m
state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ethx -p tcp --sport $UNPRIV --dport $UNPRIV -m
state --state ESTABLISHED,RELATED -j ACCEPT
- Next message: Jem Berkes: "Re: Selective Apache Access"
- Previous message: crawdog@erols.com: "Re: This is bugging me"
- Maybe in reply to: Matthias Wulkow: "Re: Acces ftp passive mode with iptables"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
