On Fri, 2004-04-09 at 10:04, David Demland wrote:
> I have a Debian router that is running iptables. Whenever I use an FTP
> client from a system behind the router I get an invalid port error. When I
> use the FTP client on the router it works fine. This leads me to believe I
> do not have something passing through the router properly. I have looked on
> the internet and found information about passing through passive and active
> FTP using IPTABLES and I have modified my script by inserting the following:
>
> #load any modules needed for connection tracking
> #allow passive ftp
> UP_PORTS="1024:65535"
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> echo "Started Connection Tracking"
>
> ## FTP
> # Allow ftp outbound.
> #
>
> echo Setting up FTP Outbound....
> iptables -A INPUT -i $INET_IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o $INET_IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> #
> # Now for the connection tracking part of ftp. This is discussed more
> # completely in the section on connection tracking on
> # the page http://www.sns.ias.edu/~jns/security/iptables/
> # 1) Active ftp.
> # This involves a connection INbound from port 20 on the remote machine, to a
> # local port passed over the ftp channel via a PORT command.
> # The ip_conntrack_ftp module recognizes the connection as RELATED to the
> # original outgoing connection to port 21 so we don't need NEW as a state match.
> #
>
> iptables -A INPUT -i $INET_IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $INET_IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>
> #
> # 2) Passive ftp.
> # This involves a connection outbound from a port >1023 on the local machine,
> # to a port >1023 on the remote machine previously passed over the ftp channel
> # in the server's reply to a PASV command. The ip_conntrack_ftp module
> # recognizes the connection as RELATED to the original outgoing connection
> # to port 21 so we don't need NEW as a state match.
> #
>
> iptables -A INPUT -i $INET_IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o $INET_IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Yet I cannot get the FTP to pass through the router. What am I missing?

---

ip_nat_ftp ?

modprobe ip_nat_ftp

that is assuming that other masquerading (i.e. http etc.) is working

Craig

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
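Added example, not from either poster: a complete rule set for the situation in the thread (FTP clients on a LAN behind a masquerading iptables router), emitted in iptables-restore(8) format so it can be read before it is loaded. It assumes a public interface eth0, a LAN interface eth1 and a LAN of 192.168.1.0/24; none of those appear in the thread and the interface and network names are placeholders. Two things differ from the quoted script: the module list includes ip_nat_ftp, as Craig suggests, so the helper rewrites the addresses inside PORT and PASV messages that the masquerading changes, and the rules live in FORWARD and nat/POSTROUTING rather than INPUT/OUTPUT, which only match traffic addressed to or sent by the router itself. The quoted script's INPUT/OUTPUT rules are exactly why FTP works on the router but not behind it.

```shell
#!/bin/sh
# Example FTP-through-NAT rule set for a 2.4/2.6-era iptables router.
# Assumptions (placeholders, not from the mailing-list thread):
#   eth0 = public interface, eth1 = LAN interface, 192.168.1.0/24 = LAN.
INET_IFACE="${INET_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules in iptables-restore(8) format. Nothing here touches the
# kernel, so the output can be reviewed (or diffed) before it is applied.
ftp_nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade everything leaving the LAN; ip_nat_ftp fixes up the addresses
# carried inside PORT commands and PASV replies on the control channel.
-A POSTROUTING -o $INET_IFACE -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# LAN -> Internet FTP control channel (port 21). Hosts behind the router
# traverse FORWARD, not INPUT/OUTPUT, so this is where the rule must go.
-A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Replies plus every data connection the ftp helper marks RELATED:
#   active mode:  server port 20 -> client high port (inbound, RELATED)
#   passive mode: client high port -> server high port (outbound, RELATED)
-A FORWARD -i $LAN_IFACE -o $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# All three modules are needed on a NAT router: connection tracking, the FTP
# control-channel parser, and the NAT fix-up for the addresses it parses.
load_ftp_helpers() {
    for m in ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
        /sbin/modprobe "$m" || return 1
    done
}

# Load the modules, then install the rule set atomically (requires root).
apply_rules() {
    load_ftp_helpers && ftp_nat_rules | /sbin/iptables-restore
}

# Self-check that needs no privileges: the two RELATED rules must sit in
# FORWARD, which is the chain that the LAN clients' traffic actually crosses.
count_forward_related() {
    ftp_nat_rules | grep -c '^-A FORWARD .*ESTABLISHED,RELATED'
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  ftp_nat_rules ;;
esac
```

Run it with no argument to print the rule set, or with `apply` as root to load it. On current kernels the modules are nf_conntrack_ftp and nf_nat_ftp, the match is `-m conntrack --ctstate`, and since Linux 4.7 automatic helper assignment is disabled by default (net.netfilter.nf_conntrack_helper=0), so the FTP helper has to be attached explicitly, for example with `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`. That change was made deliberately: the helper parses the control channel and opens RELATED pinholes based on what it reads, so binding it to port 21 only, rather than to any connection that happens to look like FTP, limits what a hostile server or client can make it open.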