Re: iptables and FTP
From: Julien Salgado (Julien.Salgado_at_f_r_e_e_f_r.ignore.invalid)
Date: 05/15/03
- Next message: charly: "Re: iptables and FTP"
- Previous message: Julien Salgado: "Re: Chroot and X-Window applications"
- In reply to: charly: "iptables and FTP"
- Next in thread: charly: "Re: iptables and FTP"
- Reply: charly: "Re: iptables and FTP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 15 May 2003 08:07:51 GMT
charly wrote:
> Greetings,
Hi!
> I cannot get filelist from ftp servers : I can login/pass but get a
> connection time out when trying to access the file list.
>
> $protec -A INPUT -i eth0 --protocol tcp --source-port 80 -m state
> --state ESTABLISHED -j ACCEPT
> $protec -A OUTPUT -o eth0 --protocol tcp --destination-port 80 -m state
> --state NEW,ESTABLISHED -j ACCEPT
This is nicely done.
> $protec -A INPUT -i eth0 --protocol udp --source-port 53 -j ACCEPT
> $protec -A OUTPUT -o eth0 --protocol udp --destination-port 53 -j ACCEPT
> $protec -A INPUT -i eth0 --protocol tcp --source-port 53 -j ACCEPT
> $protec -A OUTPUT -o eth0 --protocol tcp --destination-port 53 -j ACCEPT
>
> $protec -A INPUT -p tcp -m multiport --sport 110,119,20,21 -j ACCEPT
> $protec -A OUTPUT -o eth0 --protocol tcp --destination-port 25 -j ACCEPT
> $protec -A OUTPUT -o eth0 --protocol tcp --destination-port 20 -j ACCEPT
> $protec -A OUTPUT -o eth0 --protocol tcp --destination-port 21 -j ACCEPT
It is also possible to use a match on the connection tracking state for
all those rules...
Ftp needs indeed two types of connections, one for control and one for data.
Ftp can work in two different modes, active or passive.
In active mode the server creates the control connection from its port
20 to the client.
In passive mode the client creates the control connection from one high
port (>1024) to a high port of the server.
You should use the connection tracking feature of netfilter to handle
those connections since these will be related connections; the module
ftp_conntrack should be loaded in order to handle the match RELATED for
ftp connections.
You need three sets of rules:
# The control connection
$protec -A INPUT -i eth0 -p tcp --sport 21 \
    -m state --state ESTABLISHED -j ACCEPT
$protec -A OUTPUT -o eth0 -p tcp --dport 21 \
    -m state --state NEW,ESTABLISHED -j ACCEPT
# The data connection in active mode
$protec -A INPUT -i eth0 -p tcp --sport 20 \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
$protec -A OUTPUT -o eth0 -p tcp --dport 20 \
    -m state --state ESTABLISHED -j ACCEPT
# The data connection in passive mode
$protec -A INPUT -i eth0 -p tcp --sport 1024: --dport 1024: \
    -m state --state ESTABLISHED -j ACCEPT
$protec -A OUTPUT -o eth0 -p tcp --sport 1024: --dport 1024: \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
If you wish a deeper understanding of the netfilter connection tracking
you can read the netfilter documentation:
http://www.netfilter.org/documentation/
or
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
-- Julien
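As an added example, not from the original thread: a minimal client-side FTP rule set in the spirit of the rules above, generalised so that one ESTABLISHED,RELATED rule per direction covers both the active and the passive data connection. The iptables and modprobe command names are driven through the IPT and MODPROBE variables (assumed names) so the script can be reviewed without root by leaving them at their echo defaults; eth0 is the interface from the thread.

```sh
#!/bin/sh
# Added example, not code from the original post. Leave IPT/MODPROBE at the
# "echo ..." defaults to print the rules; set IPT=iptables MODPROBE=modprobe
# to apply them (needs root and a default-deny policy you are happy with).
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
IFACE="${IFACE:-eth0}"

ftp_client_rules() {
    # Load the FTP connection-tracking helper: nf_conntrack_ftp on current
    # kernels, ip_conntrack_ftp on the 2.4/2.6 kernels of the original thread.
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp

    # Default deny in both directions; loopback is exempt.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Kernels that no longer auto-assign helpers (nf_conntrack_helper=0 by
    # default since 4.7, the only behaviour since 6.0) need an explicit CT
    # target in the raw table so the control stream gets the ftp helper.
    $IPT -t raw -A OUTPUT -o "$IFACE" -p tcp --dport 21 -j CT --helper ftp

    # Control connection: we open it, replies return as ESTABLISHED below.
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Data connections: the helper parses PORT/PASV on the control channel and
    # marks the first data packet RELATED whether the server connects to us
    # (active mode, from its port 20) or we connect to the server's high port
    # (passive mode). One rule per direction therefore replaces the per-port
    # active and passive rules from the post, and nothing else NEW is let in.
    $IPT -A INPUT  -i "$IFACE" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ftp_client_rules
```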