ftp issue cont.

varun_saa at vsnl.net
Tue Aug 16 06:13:38 CEST 2005


Thanks Jorg, 
           I get the following for lsmod : 
 
[root at squidserver ~]# lsmod | grep conntrack 
ip_conntrack           41497  3 ipt_state,ipt_MASQUERADE,iptable_nat 
 
So how do I add : 
  
           ip_conntrack_ftp         
           ipt_conntrack     
 
And yes it is : 
               -A FORWARD -j DROP 
 
Thanks again 
 
Varun 
            
 
 
 
 
----- Original Message ----- 
From: Jörg Harmuth <harmuth at mnemon.de> 
Date: Monday, August 15, 2005 4:29 pm 
Subject: Re: ftp issue cont. 
 
> varun_saa at vsnl.net schrieb: 
> > Thanks Jorg,   
> >             How to find out if ftp-module is loaded or   
> > not.   
>  
> e.g. 
>  
> lsmod | grep conntrack 
>  
> gives on my box: 
>  
> ip_conntrack_ftp        3680   0  (unused) 
> ipt_conntrack           1120   0  (autoclean) 
> ip_conntrack           26484   1  (autoclean) [ip_conntrack_ftp ... 
>  
> >    
> > Thanks   
> >    
> > Varun   
> >    
> > ----- Original Message -----   
> > From: Jörg Harmuth <harmuth at mnemon.de>   
> > Date: Monday, August 15, 2005 2:43 pm   
> > Subject: Re: ftp issue cont.   
> >    
> >  
> >>Derick Anderson schrieb:
> >>
> >>>FTP passive mode creates an entirely new connection for data transfer.
> >>>It is not 'related' to the original connection and so iptables doesn't
> >>>pick it up as such (nor do any other stateful firewalls that I'm aware
> >>>of).
> >>
> >>No, not really. Iptables regards FTP data traffic as related stuff. To
> >>be more exact, the respective helper module does so
> >>(ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
> >>module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
> >>This looks something like this (assuming that policies are DROP and
> >>OUTPUT is ACCEPT and also assuming that the box is directly connected to
> >>the internet and that the FTP server is on the firewall box):
> >>
> >>modprobe ip_conntrack_ftp.[k]o
> >>
> >>iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >>iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
> >>
> >>This will work for active and passive FTP. If the ftp-module isn't on
> >>the system in question, varun_saa has to configure the kernel correctly
> >>and recompile as needed.
> >>
> >>BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
> >>and in FORWARD no rule concerning FTP. So, what is this guy doing? If
> >>the FTP server is on the firewall box, there is no iptables problem at
> >>all (on this box). If not, there are no rules that permit FTP and thus
> >>it cannot work. The whole thing looks quite mysterious to me, including
> >>the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
> >>would clarify the situation :)
> >>   
> >>Have a nice time,   
> >>   
> >>Joerg   
> >>   
> >>   
> >>   
> >>   
> >  
> >  
> >  
>  
>  
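An added worked check for the question Varun asks above (example script written for this archive page, not code from Varun, Joerg or the netfilter project). It parses `lsmod | grep conntrack` output of the kind both mails show, reports which FTP helper modules are still missing, and prints the two rules Joerg gave, placed in FORWARD in front of the existing `-A FORWARD -j DROP`. Two things here are my assumptions, not from the thread: that the FTP server sits behind the firewall (hence FORWARD rather than INPUT), and that `ip_nat_ftp` is also wanted whenever `iptable_nat` shows up in lsmod, because a NAT'd FTP session needs the payload rewriter in addition to `ip_conntrack_ftp`. The lsmod samples are constructed, modelled on the two outputs in the thread.

```shell
#!/bin/sh
# Added example for this thread, not from the original mails. Assumes a
# 2.4/2.6-era netfilter box: ip_conntrack loaded, FTP helper possibly missing,
# and a FORWARD chain that ends in "-A FORWARD -j DROP".

# Constructed sample of `lsmod | grep conntrack` on the box WITHOUT the FTP
# helper (modelled on Varun's output; sizes are illustrative).
SAMPLE_LSMOD='ip_conntrack           41497  3 ipt_state,ipt_MASQUERADE,iptable_nat'

# Constructed sample modelled on Joerg's 2.4 box, which has the helper.
SAMPLE_LSMOD_WITH_HELPER='ip_conntrack_ftp        3680   0  (unused)
ipt_conntrack           1120   0  (autoclean)
ip_conntrack           26484   1  (autoclean) [ip_conntrack_ftp]'

# missing_modules "<lsmod output>" module...
# Prints each requested module that does not appear in lsmod's first column.
missing_modules() {
    lsmod_out=$1
    shift
    for mod in "$@"; do
        if ! printf '%s\n' "$lsmod_out" | awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }'; then
            printf '%s\n' "$mod"
        fi
    done
}

# modprobe_plan "<lsmod output>"
# Prints the modprobe commands still needed for FTP through this firewall.
# ip_conntrack_ftp is what the thread asks for: it marks the data connection
# RELATED. ip_nat_ftp (my addition, not mentioned in the thread) rewrites the
# PORT/PASV payload, so it is added only when iptable_nat is in use.
modprobe_plan() {
    lsmod_out=$1
    wanted=ip_conntrack_ftp
    case "$lsmod_out" in
        *iptable_nat*) wanted="$wanted ip_nat_ftp" ;;
    esac
    missing_modules "$lsmod_out" $wanted | while read -r mod; do
        printf 'modprobe %s\n' "$mod"
    done
}

# ftp_rules_for_chain CHAIN
# Prints Joerg's two rules, inserted with -I so they land in front of the
# existing "-j DROP" (a rule appended after the DROP would never be reached).
# Executed in this order the chain ends up: RELATED,ESTABLISHED first, then
# the port-21 SYN rule, then whatever was there before, then the DROP.
ftp_rules_for_chain() {
    chain=$1
    printf 'iptables -I %s -p tcp --dport 21 --syn -j ACCEPT\n' "$chain"
    printf 'iptables -I %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$chain"
}

# Dry run: only prints what this box needs; nothing is loaded or changed.
modprobe_plan "$SAMPLE_LSMOD"
ftp_rules_for_chain FORWARD
```

On a live box replace the constructed sample with `$(lsmod | grep conntrack)` and review the printed commands before running them; `ipt_conntrack` from Joerg's list is only the `-m conntrack` match module and is not needed for the `-m state` rules shown.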




More information about the netfilter mailing list