ftp issue cont.
varun_saa at vsnl.net
Tue Aug 16 06:13:38 CEST 2005
I get the following for lsmod :
[root at squidserver ~]# lsmod | grep conntrack
ip_conntrack 41497 3 ipt_state,ipt_MASQUERADE,iptable_nat
So how do I add :
And yes it is :
-A FORWARD -j DROP
----- Original Message -----
From: Jörg Harmuth <harmuth at mnemon.de>
Date: Monday, August 15, 2005 4:29 pm
Subject: Re: ftp issue cont.
> varun_saa at vsnl.net wrote:
> > Thanks Jorg,
> > How to find out if ftp-module is loaded or
> > not.
> lsmod | grep conntrack
> gives on my box:
> ip_conntrack_ftp 3680 0 (unused)
> ipt_conntrack 1120 0 (autoclean)
> ip_conntrack 26484 1 (autoclean) [ip_conntrack_ftp ...
> > Thanks
> > Varun
> > ----- Original Message -----
> > From: Jörg Harmuth <harmuth at mnemon.de>
> > Date: Monday, August 15, 2005 2:43 pm
> > Subject: Re: ftp issue cont.
> >>Derick Anderson wrote:
> >>>FTP passive mode creates an entirely new connection for data
> >>>transfer. It is not 'related' to the original connection and so
> >>>iptables doesn't pick it up as such (nor do any other stateful
> >>>firewalls that I'm aware of).
> >>No, not really. Iptables regards FTP data traffic as related
> >>stuff. To be more exact, the respective helper module does so
> >>(ip_conntrack_ftp.[k]o). So, normally all you have to do is load
> >>the module, allow ESTABLISHED,RELATED traffic in and out and allow
> >>FTP in.
> >>This looks something like this (assuming that policies are DROP,
> >>OUTPUT is ACCEPT, and also assuming that the box is directly
> >>connected to the internet and that the FTP server is on the
> >>firewall box):
> >>modprobe ip_conntrack_ftp.[k]o
> >>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
> >>This will work for active and passive FTP. If the ftp-module
> >>isn't on the system in question, varun_saa has to configure the
> >>kernel correctly and recompile as needed.
> >>BTW, the original ruleset didn't explain anything. IN|OUTPUT ==
> >>and in FORWARD no rule concerning FTP. So, what is this guy doing?
> >>If the FTP server is on the firewall box, there is no iptables
> >>problem at all (on this box). If not, there are no rules that
> >>permit FTP and it cannot work. The whole thing looks quite
> >>mysterious to me, including the -P issue Rob mentioned. Maybe a
> >>tiny ASCII art network picture would clarify the situation :)
> >>Have a nice time,
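The two checks this thread turns on, as an added example script that is not part of any message above: whether the FTP conntrack helper shows up in lsmod (Varun's output has only ip_conntrack, Jörg's has ip_conntrack_ftp), and whether FTP accept rules sit ahead of the unconditional `-A FORWARD -j DROP` Varun confirms, since anything appended behind that DROP never matches. The lsmod and FORWARD-chain samples are constructed from the lines quoted in the thread; `nf_conntrack_ftp` (the helper's later name) and `ip_nat_ftp` (the NAT helper a masquerading box like Varun's also needs for active FTP from masqueraded clients) are assumptions that go beyond Jörg's server-on-the-firewall case.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the FTP conntrack helper is
# loaded (the lsmod test Jörg describes) and check that FTP accept rules are
# not appended behind Varun's "-A FORWARD -j DROP", where they would never match.

# Constructed sample: Varun's lsmod output from the thread (no FTP helper).
VARUN_LSMOD='ip_conntrack 41497 3 ipt_state,ipt_MASQUERADE,iptable_nat'

# Constructed sample: Jörg's lsmod output from the thread (helper present).
JOERG_LSMOD='ip_conntrack_ftp 3680 0 (unused)
ipt_conntrack 1120 0 (autoclean)
ip_conntrack 26484 1 (autoclean) [ip_conntrack_ftp]'

# Constructed samples in iptables-save format: a FORWARD chain holding only the
# unconditional DROP Varun confirms, and a corrected chain for comparison.
VARUN_FORWARD='-A FORWARD -j DROP'
FIXED_FORWARD='-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp --dport 21 --syn -j ACCEPT
-A FORWARD -j DROP'

# ftp_helper_loaded LSMOD_TEXT -> prints "yes" or "no".
# Only the module name in the first column counts, so a line that merely lists
# the helper in its "Used by" column is not a match. nf_conntrack_ftp is the
# helper's name on later kernels (assumption: not from the 2005 thread).
ftp_helper_loaded() {
    printf '%s\n' "$1" | awk '
        $1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# ftp_rules_before_drop RULES_TEXT CHAIN -> prints "ok" or "bad".
# "ok" when an ACCEPT for RELATED,ESTABLISHED on CHAIN precedes the
# unconditional "-A CHAIN -j DROP"; iptables walks a chain top to bottom and
# stops at the first match, so an ACCEPT appended after that DROP is dead.
ftp_rules_before_drop() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain && NF == 4 && $3 == "-j" && $4 == "DROP" { drop = 1 }
        $1 == "-A" && $2 == chain && /RELATED,ESTABLISHED/ && /-j ACCEPT/ && !drop { related = 1 }
        END { print (related ? "ok" : "bad") }'
}

# ftp_ruleset local|forward -> prints the commands to run, in order.
# "local" is Jörg's case (FTP server on the firewall box). "forward" is the
# generalisation to a masquerading box like Varun's: the traffic crosses
# FORWARD, and the NAT helper ip_nat_ftp is needed as well so that PORT
# commands from masqueraded clients (active FTP) are rewritten (assumption).
ftp_ruleset() {
    case "$1" in
        local)
            echo 'modprobe ip_conntrack_ftp'
            echo 'iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
            echo 'iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT'
            ;;
        forward)
            echo 'modprobe ip_conntrack_ftp'
            echo 'modprobe ip_nat_ftp'
            # Insert (-I) instead of append so the rules land ahead of an
            # existing "-A FORWARD -j DROP"; the state rule ends up first.
            echo 'iptables -I FORWARD 1 -p tcp --dport 21 --syn -j ACCEPT'
            echo 'iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT'
            ;;
        *)
            echo "usage: ftp_ruleset local|forward" >&2
            return 1
            ;;
    esac
}

# Demonstration on the constructed samples; on a live box pass "$(lsmod)" and
# "$(iptables-save)" instead.
echo "Varun's box, FTP helper loaded: $(ftp_helper_loaded "$VARUN_LSMOD")"
echo "Jörg's box, FTP helper loaded: $(ftp_helper_loaded "$JOERG_LSMOD")"
echo "Varun's FORWARD chain: $(ftp_rules_before_drop "$VARUN_FORWARD" FORWARD)"
echo "Corrected FORWARD chain: $(ftp_rules_before_drop "$FIXED_FORWARD" FORWARD)"
```

Run it as a plain sh script; the checks only read text, so they need no root. The ruleset printer deliberately emits commands rather than running them, so the order can be reviewed before anything touches the live chains.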