ftp issue cont.

R. DuFresne dufresne at sysinfo.com
Wed Aug 17 00:06:12 CEST 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



A good place to start might be man lsmod

Thanks,

Ron DuFresne

On Tue, 16 Aug 2005 varun_saa at vsnl.net wrote:

> Thanks Jorg,
>           I get the following for lsmod :
>
> [root at squidserver ~]# lsmod | grep conntrack
> ip_conntrack           41497  3 ipt_state,ipt_MASQUERADE,iptable_nat
>
> So how do I add :
>
>           ip_conntrack_ftp
>           ipt_conntrack
>
> And yes it is :
>               -A FORWARD -j DROP
>
> Thanks again
>
> Varun
>
> ----- Original Message -----
> From: Jörg Harmuth <harmuth at mnemon.de>
> Date: Monday, August 15, 2005 4:29 pm
> Subject: Re: ftp issue cont.
>
>> varun_saa at vsnl.net wrote:
>>> Thanks Jorg,
>>>             How to find out if ftp-module is loaded or
>>> not.
>>
>> e.g.
>>
>> lsmod | grep conntrack
>>
>> gives on my box:
>>
>> ip_conntrack_ftp        3680   0  (unused)
>> ipt_conntrack           1120   0  (autoclean)
>> ip_conntrack           26484   1  (autoclean) [ip_conntrack_ftp ...
>>
>>>
>>> Thanks
>>>
>>> Varun
>>>
>>> ----- Original Message -----
>>> From: Jörg Harmuth <harmuth at mnemon.de>
>>> Date: Monday, August 15, 2005 2:43 pm
>>> Subject: Re: ftp issue cont.
>>>
>>>
>>>> Derick Anderson wrote:
>>>>
>>>>> FTP passive mode creates an entirely new connection for data
>>>>> transfer. It is not 'related' to the original connection and so
>>>>> iptables doesn't pick it up as such (nor do any other stateful
>>>>> firewalls that I'm aware of).
>>>>
>>>> No, not really. Iptables regards FTP data traffic as related
>>>> stuff. To be more exact, the respective helper module does so
>>>> (ip_conntrack_ftp.[k]o). So, normally all you have to do is load
>>>> this module, allow ESTABLISHED,RELATED traffic in and out and
>>>> allow FTP in.
>>>> This looks something like this (assumed that policies are DROP
>>>> and OUTPUT is ACCEPT and also assumed that the box is directly
>>>> connected to the internet and that the FTP server is on the
>>>> firewall box):
>>>>
>>>> modprobe ip_conntrack_ftp
>>>>
>>>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>> iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
>>>>
>>>> This will work for active and passive FTP. If the ftp-module
>>>> isn't on the system in question, varun_saa has to configure the
>>>> kernel correctly and recompile as needed.
>>>>
>>>> BTW, the original ruleset didn't explain anything. IN|OUTPUT ==
>>>> ACCEPT and in FORWARD no rule concerning FTP. So, what is this
>>>> guy doing? If the FTP server is on the firewall box, there is no
>>>> iptables problem at all (on this box). If not, there are no rules
>>>> that permit FTP and thus it cannot work. The whole thing looks
>>>> quite mysterious to me, including the -P issue Rob mentioned.
>>>> Maybe a tiny ASCII art network picture would clarify the
>>>> situation :)
>>>>
>>>> Have a nice time,
>>>>
>>>> Joerg

- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDAmNYst+vzJSwZikRAokXAJ47aeytIFGoZOoWdxPPTbkz3U587QCgwpN5
GS3EPRxQi7Jf/t+dC/1UhDk=
=GPSL
-----END PGP SIGNATURE-----
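Jörg's advice above comes down to two things that can be checked rather than guessed: whether an FTP conntrack helper is actually loaded (Varun's lsmod output shows only ip_conntrack), and whether the FORWARD chain accepts RELATED,ESTABLISHED traffic before the trailing `-A FORWARD -j DROP`. The script below is an added example, not code from the thread or from the netfilter project. It assumes a masquerading gateway with LAN interface eth1 and internet interface eth0 (both names are assumptions), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a gateway admin in Varun's
# position would run around "modprobe ip_conntrack_ftp":
#   1. is an FTP conntrack helper present in lsmod output?
#   2. does FORWARD accept RELATED,ESTABLISHED *before* its final DROP?
# Interface names eth1 (LAN) and eth0 (internet) are assumptions.

# Succeed when lsmod-style text on stdin lists an FTP conntrack helper.
# ip_conntrack_ftp is the 2.4/early-2.6 name used in the thread;
# nf_conntrack_ftp is the name later kernels use for the same helper.
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Succeed when iptables-save style rules on stdin contain, in FORWARD,
# an ACCEPT for RELATED,ESTABLISHED that precedes the catch-all
# "-A FORWARD -j DROP". In the other order the helper can mark FTP data
# connections RELATED all it likes and they are still dropped.
forward_order_ok() {
    awk '
        $0 == "-A FORWARD -j DROP" { drop = 1 }
        /^-A FORWARD / && /-j ACCEPT/ && /(RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ && !drop { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    '
}

# Emit FORWARD rules (iptables-save format) for a masquerading gateway:
# $1 = LAN interface, $2 = internet interface. LAN clients may open FTP
# control connections (port 21) outward; the data connections, active or
# passive, come back as RELATED once the helper is loaded.
ftp_forward_rules() {
    lan_if=$1
    wan_if=$2
    printf '%s\n' \
        "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT" \
        "-A FORWARD -i $lan_if -o $wan_if -p tcp --dport 21 --syn -j ACCEPT" \
        "-A FORWARD -j DROP"
}

# Load the helper if lsmod does not show it, apply the rules, then verify
# the live ruleset. Only runs when invoked as:  sh thisfile.sh apply
apply_gateway_ftp() {
    lsmod | ftp_helper_loaded || modprobe ip_conntrack_ftp
    ftp_forward_rules eth1 eth0 | while read -r rule; do
        # word-splitting of $rule into iptables arguments is intended
        iptables $rule
    done
    iptables-save | forward_order_ok || echo "FORWARD: DROP precedes RELATED,ESTABLISHED" >&2
}

if [ "${1:-}" = apply ]; then
    apply_gateway_ftp
fi
```

Run it with no arguments to load the functions only; `sh thisfile.sh apply` (as root) performs the modprobe and inserts the rules. The `forward_order_ok` check is the part worth keeping around: it is the same mistake whether the helper is missing or the DROP simply sits above the state rule, and only the second one survives a `modprobe`.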

