Re: ftp and iptables




On Thursday 22 January 2009 17:28, Agile Aspect wrote:

>  Regarding item (2), I would guess I would have to add the following
> entries:
> 
>  Active:
>  ---------
>
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20
>  --sport 40000:60000 -j ACCEPT
>  -A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT

All FTP connections begin with port 21.  Port 20 is a DATA connection.
ip_conntrack_ftp will track connections needing the data port open.

>  Passive:
>  ----------
>  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
>  40000:60000 --sport 40000:60000 -j ACCEPT
>  -A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT

Do you have a rule like this:

-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If not, you should place this in your rules.  This rule eliminates the need to
continuously add rules to allow outgoing connections for allowed incoming
connections.

If you do then you should not need the OUTPUT rules you listed above.


-- 

Regards
Robert

Linux User #296285
http://counter.li.org
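The stateful approach Robert describes, written out as an added example (not from the thread or from CentOS): the quoted port-range rules beside an iptables-restore ruleset that leans on the FTP conntrack helper, plus a small check that counts how many rules open a whole port range. Assumed: the chain name RH-Firewall-1-INPUT from the quoted rules and an OUTPUT policy of DROP, which is the situation in which the OUTPUT RELATED,ESTABLISHED rule matters.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful iptables-restore ruleset for an
# FTP server that relies on the FTP conntrack helper instead of opening the
# 40000:60000 port range wholesale. Assumed: chain name RH-Firewall-1-INPUT as
# in the quoted rules, and an OUTPUT policy of DROP.

# The port-range rules as quoted in the thread (constructed copy, for comparison).
range_rules() {
  cat <<'EOF'
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40000:60000 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT
EOF
}

# Stateful replacement: one RELATED,ESTABLISHED rule per direction; only the
# control channel (tcp/21) is opened for NEW connections. The helper reads
# PORT/PASV on the control channel and marks the matching data connection
# RELATED, so neither port 20 nor the passive range needs its own rule.
stateful_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Audit check: count rules that open a whole port range (--sport/--dport a:b).
# These are exactly the rules the helper makes unnecessary; reads stdin.
count_range_openers() {
  grep -c -E -e '--(s|d)port [0-9]+:[0-9]+' || true
}

# Apply as root on CentOS 5 (the helper is ip_conntrack_ftp there,
# nf_conntrack_ftp on later kernels):
#   modprobe ip_conntrack_ftp && stateful_rules | iptables-restore
```

The helper only works when it can read the control channel, so FTP over TLS (encrypted control connection) still needs the passive range opened explicitly, ideally narrowed to the range the FTP daemon is configured to use.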
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
