Re: Iptables FTP question
From: David (davidwnh_at_adelphia.net)
Date: 10/27/03
- Previous message: David: "Re: without selecting the right interface communication won't work ?"
- In reply to: Peter Eberz: "Re: Iptables FTP question"
- Next in thread: Peter Eberz: "Re: Iptables FTP question"
- Reply: Peter Eberz: "Re: Iptables FTP question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 27 Oct 2003 22:50:43 GMT
You would only need RELATED set in your rule for port 21 if you were
allowing it to deal with related ICMP traffic for the control
connection. And since you put -p tcp in your rule it will not deal with
any related ICMP anyhow. As far as the FTP module specifically, the
RELATED statement applies to the initial SYN packet for your secondary
connections, which will only be analyzed in the filters you use for the
secondary connections. And once that SYN packet is replied to, the
secondary connection then becomes an established connection.
>
>>Erratum
>>
>>line
>>
>>>That's why -sport 21 isn't good, it must ESTABLISHED only
>>
>>should be RELATED
>>
>
> I still think it should be
> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p TCP --sport 21 \
> -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> ESTABLISHED I need for the ftp control traffic on port 21
> RELATED I need for the ftp data traffic either to/from port 20 or a high
> port number; this should cover active and passive ftp.
>
> Bye,
> Peter
>
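As an added example (not code posted by David or Peter), the following script shows the FORWARD rule set the two of them are converging on, for FTP clients on an internal interface reaching servers on the external side, with the ip_conntrack_ftp helper loaded. The interface names, the DROP policy on FORWARD and the DRY_RUN wrapper are assumptions; the module name is the 2.4-era one used on the list (on current kernels it is nf_conntrack_ftp). The point it demonstrates is the one in the reply above: the helper marks only the first packet of each data connection RELATED, so a single RELATED,ESTABLISHED rule per direction covers both active (server port 20 inbound) and passive (client to a high port outbound) transfers, and the port 21 rule itself needs nothing beyond NEW outbound and ESTABLISHED back.

```shell
#!/bin/sh
# Added example, not code from the thread. FORWARD rules for FTP clients on
# $INTIF reaching servers via $EXTIF, relying on the ip_conntrack_ftp helper.
# Interface names, the assumed DROP policy and the dry-run wrapper are assumptions.
EXTIF="${EXTIF:-eth0}"   # assumed external interface
INTIF="${INTIF:-eth1}"   # assumed internal interface
DRY_RUN="${DRY_RUN:-0}"  # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_forward_rules() {
    # The helper watches PORT/PASV on the control connection and marks the
    # first packet of each data connection RELATED; once that packet is
    # answered the data connection is tracked on its own as ESTABLISHED.
    run modprobe ip_conntrack_ftp

    # Control connection: only the client's initial SYN to port 21 needs NEW.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT

    # Everything else, both directions: replies on the control connection
    # (ESTABLISHED) and the opening packet of each data connection (RELATED).
    #   passive: client -> server high port, matched outbound as RELATED
    #   active:  server port 20 -> client high port, matched inbound as RELATED
    # No --sport 20 or high-port rule is needed, so the rule set is identical
    # for active and passive mode.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Anything the helper did not relate, e.g. an unsolicited inbound SYN to a
    # high port, falls through to the FORWARD chain policy (assumed DROP).
}

# Run the rules only when executed directly as ftp-forward.sh (assumed name);
# sourcing the file just defines the functions.
case "$0" in
    *ftp-forward.sh) ftp_forward_rules ;;
esac
```

Review the generated rules first with `DRY_RUN=1 sh ftp-forward.sh`, then run it as root without DRY_RUN. One caveat for anyone applying this on a modern kernel: since 4.7 conntrack no longer attaches helpers automatically by default, so loading nf_conntrack_ftp is not enough on its own; the helper has to be assigned to port 21 traffic with a CT target rule in the raw table, otherwise the data connections never become RELATED and only the control connection gets through.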