[LARTC] matching ftp - how?

Linux Advanced Routing and Traffic Control


Hi!

If I have the ftp connection tracking module compiled in, how do I match ftp
packets (I know ftp connections are tracked, but I want to match it to count
the traffic / shape it, etc)?

You can obviously match active and passive ftp traffic as follows:

iptables -A FORWARD -s $net -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED
iptables -A FORWARD -d $net -p tcp --sport 21 -m state --state ESTABLISHED,RELATED

and for active ftp:

iptables -A FORWARD -s $net -p tcp --dport 20 -m state --state ESTABLISHED
iptables -A FORWARD -d $net -p tcp --sport 20 -m state --state ESTABLISHED,RELATED

and for passive ftp:

iptables -A FORWARD -s $net -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED
iptables -A FORWARD -d $net -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED

where $net is the network which is making the connection.

The problem is that the passive ftp rules will also match traffic from other
protocols which use ports higher than 1024. Is there no way I can match
traffic which is matched by a certain connection tracking module (and only
that module), e.g.

iptables -A FORWARD -s $net -m conntrack --proto ftp
iptables -A FORWARD -s $net -m conntrack --proto irc
iptables -A FORWARD -s $net -m conntrack --proto h323

etc.

-- 

Regards
 Abraham

I'm having BEAUTIFUL THOUGHTS about the INSIPID WIVES of smug and
wealthy CORPORATE LAWYERS ...

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 9 Kinnaird Court, 33 Main Street, Newlands, 7700
 Phone: +27 21 686 1674 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: abz@xxxxxxxxxxxx
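
The following is an added example, not part of the original message: iptables ships a `helper` match (`-m helper --helper <name>`) that matches only connections expected by a named conntrack helper, so it can stand in for the port-20 and `1024:` rules above without catching unrelated high-port traffic. The function names and the sample network are constructed for illustration; the control channel itself (port 21) is not matched by `helper` and still needs the post's first pair of rules.

```shell
#!/bin/sh
# Added example: print per-helper accounting rules for the FORWARD chain.
# The rules carry no -j target on purpose, so they only increment counters.
# Assumption: the helper is attached to the control connection (module
# loaded; on newer kernels assigned explicitly with the raw-table CT target).

# valid_helper NAME: accept only plain helper names such as ftp, irc, ftp-2121
valid_helper() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# emit_helper_rules NET HELPER...
# Prints one rule per direction for each helper. Input is validated so the
# output is safe to review and then pipe to a root shell.
emit_helper_rules() {
    net=$1
    shift
    case "$net" in
        ''|*[!0-9./]*) echo "bad network: $net" >&2; return 1 ;;
    esac
    for h in "$@"; do
        valid_helper "$h" || { echo "bad helper: $h" >&2; return 1; }
        # Matches only data connections whose master connection uses helper $h
        echo "iptables -A FORWARD -s $net -m helper --helper $h"
        echo "iptables -A FORWARD -d $net -m helper --helper $h"
    done
}

# Constructed sample network (documentation range), printed for review only.
emit_helper_rules 192.0.2.0/24 ftp irc
```

Review the printed rules, then apply them as root; `iptables -L FORWARD -v -n -x` shows the resulting packet and byte counters per rule.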
