RE: FTP and IPTABLES Question

Author: David Demland
Date:  
To: plug-discuss
Subject: RE: FTP and IPTABLES Question
That worked. Thank You.

David

-----Original Message-----
From: [mailto:plug-discuss-admin@lists.plug.phoenix.az.us] On Behalf Of Craig White
Sent: Friday, April 09, 2004 10:51 AM
To:
Subject: Re: FTP and IPTABLES Question


On Fri, 2004-04-09 at 10:04, David Demland wrote:
> I have a Debian router that is running iptables. Whenever I use an FTP
> client from a system behind the router I get an invalid port error. When I
> use the FTP client on the router it works fine. This leads me to believe I
> do not have something passing through the router properly. I have looked on
> the internet and found information about passing through passive and active
> FTP using IPTABLES and I have modified my script by inserting the following:
>
> #load any modules needed for connection tracking
> #allow passive ftp
> UP_PORTS="1024:65535"
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> echo "Started Connection Tracking"
>
> ## FTP
> # Allow ftp outbound.
> #
>
> echo Setting up FTP Outbound....
> iptables -A INPUT -i $INET_IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o $INET_IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> #
> # Now for the connection tracking part of ftp. This is discussed more
> # completely in the section on connection tracking on
> # the page http://www.sns.ias.edu/~jns/security/iptables/
> # 1) Active ftp.
> # This involves a connection INbound from port 20 on the remote machine, to a
> # local port passed over the ftp channel via a PORT command.
> # The ip_conntrack_ftp module recognizes the connection as RELATED to the
> # original outgoing connection to port 21 so we don't need NEW as a state match.
> #
>
> iptables -A INPUT -i $INET_IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $INET_IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>
> #
> # 2) Passive ftp.
> # This involves a connection outbound from a port >1023 on the local machine,
> # to a port >1023 on the remote machine previously passed over the ftp channel
> # via a PORT command. The ip_conntrack_ftp module recognizes the connection as
> # RELATED to the original outgoing connection to port 21 so we don't need NEW
> # as a state match.
> #
>
> iptables -A INPUT -i $INET_IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o $INET_IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Yet I cannot get the FTP to pass through the router. What am I missing?

---
ip_nat_ftp ?

modprobe ip_nat_ftp

that is assuming that other masquerading (i.e. http etc.) is working

Craig

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
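Craig's one-line answer is the whole fix, and the reason it works is worth spelling out: ip_conntrack_ftp only follows the PORT/PASV exchange on the control connection so that the data connection is classified RELATED, while ip_nat_ftp additionally rewrites the private address and port inside that exchange. A client on the router itself needs only the first module; a masqueraded client behind it fails without the second. The script below is an added example (editor's code, not from the thread or from either poster): it loads both helpers, checks a /proc/modules-style listing for them, and installs rules for traffic that transits the router, which traverses the FORWARD chain and the nat table rather than INPUT/OUTPUT. The interface name, the LAN subnet and the 2.4-era module names used in the thread are assumptions; by default it only prints the iptables commands, and APPLY=1 executes them.

```shell
#!/bin/sh
# Added example, not code from the thread. Load both FTP helpers, check that
# they are present, and install rules for FTP from masqueraded LAN clients.
# ASSUMPTIONS: 2.4-era module names as used in the thread (ip_conntrack,
# ip_conntrack_ftp, ip_nat_ftp); INET_IFACE and LAN_NET are placeholders.
# By default the commands are only printed; run with APPLY=1 (as root) to
# execute them.

INET_IFACE="${INET_IFACE:-eth0}"      # placeholder: upstream interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # placeholder: LAN behind the router
APPLY="${APPLY:-0}"

# Execute a command when APPLY=1, otherwise print it.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Both modules are needed on a NAT box: ip_conntrack_ftp follows the
# PORT/PASV exchange so the data connection is classified RELATED, and
# ip_nat_ftp rewrites the private address/port carried inside that exchange.
load_ftp_helpers() {
    run /sbin/modprobe ip_conntrack
    run /sbin/modprobe ip_conntrack_ftp
    run /sbin/modprobe ip_nat_ftp
}

# Read a /proc/modules-style listing on stdin (module name in the first
# field) and return 0 only if both FTP helpers are listed.
ftp_helpers_loaded() {
    listing=$(cat)
    missing=""
    for m in ip_conntrack_ftp ip_nat_ftp; do
        if ! printf '%s\n' "$listing" | awk -v m="$m" '$1 == m { f = 1 } END { exit !f }'; then
            missing="$missing $m"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing FTP helper module(s):$missing" >&2
        return 1
    fi
    return 0
}

# Transit traffic goes through FORWARD (and the nat table), not INPUT/OUTPUT.
# Only the control connection is opened explicitly; the data connection is
# admitted as RELATED, i.e. only the one port the helper saw negotiated.
ftp_forward_rules() {
    run iptables -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_NET" -j MASQUERADE
    run iptables -A FORWARD -s "$LAN_NET" -o "$INET_IFACE" -p tcp --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -s "$LAN_NET" -o "$INET_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INET_IFACE" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

main() {
    load_ftp_helpers
    if [ "$APPLY" = "1" ]; then
        # After a real modprobe, confirm the helpers are actually there.
        ftp_helpers_loaded < /proc/modules || exit 1
    fi
    ftp_forward_rules
}

main
```

Run it as `sh ftp-nat.sh` to see the commands, or `APPLY=1 sh ftp-nat.sh` as root to apply them. Once the helper is loaded, the RELATED match admits only the single data connection the helper saw negotiated on the control channel, which is a much narrower opening than a static 1024:65535 port range; the helper-tracked connection is what makes both active and passive mode work for hosts behind the router.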