Re: passive ftp and file sharing

Hello

On Monday 09 June 2003 11:42, Leonardo Lombardo wrote:
> Hi all,
>
> a question for you: how can I set my iptables firewall so that natted
> lan users can use ftp in passive mode and have winmx, dc,
> audiogalaxy, .... blocked ? I've tried out all that scripts/lists of
> ip/... i've found on the net but nothing... the only way I found to
> block file sharing is to close all ports 800:65535 but this way
> passive ftp is blocked too.... :(( I'm a very beginner with iptables
> so please be patient...
You should use the nat and conntrack modules for ftp. Not 100% sure of 
the names (ip_nat_ftp, ip_conntrack_ftp). Then add a rule which allows 
related and established traffic (iptables -A FORWARD -m state --state 
RELATED,ESTABLISHED -j ACCEPT). It is important that this rule comes 
before the rule blocking ports 800:65535. Use iptables -I ... if 
unsure. If the control connection for ftp is done on port 21, passive 
and active ftp should work then. 

greetings 
	Axel
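The setup Axel describes, written out as an added example; this is not code from the original mail or from the netfilter project. Everything beyond the thread is an assumption: the LAN is eth0 with 192.168.1.0/24, the Internet side is eth1, the kernel is a 2.4-era one with the ip_conntrack_ftp / ip_nat_ftp modules (2.6 and later kernels call them nf_conntrack_ftp / nf_nat_ftp), and the run, forward_rules, broken_forward_rules and check_order helpers are mine. The point it shows is the one the reply makes: the RELATED,ESTABLISHED rule has to sit in front of the 800:65535 block, and check_order verifies that on a dry-run listing.

```shell
#!/bin/sh
# Added example, not code from the original mail. Assumptions (none of
# them stated in the thread): LAN on eth0 as 192.168.1.0/24, Internet on
# eth1, a 2.4-era kernel with ip_conntrack_ftp / ip_nat_ftp (2.6+ kernels
# name them nf_conntrack_ftp / nf_nat_ftp). With DRY_RUN=1 the script
# prints the commands it would run instead of executing them.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load the FTP conntrack and NAT helpers. They parse PORT/PASV on the
# control channel (port 21) so the data connection, which lands on a
# random high port, is classified RELATED instead of NEW.
load_ftp_helpers() {
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
}

# Correct order: the state rule comes before the high-port block, so the
# block only ever sees NEW connections (winmx, dc, audiogalaxy, ...).
forward_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 800:65535 -j DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport 800:65535 -j DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
}

# The mistake the question describes: block first, state rule second.
# The passive data connection is RELATED, but it never reaches that rule.
broken_forward_rules() {
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 800:65535 -j DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

nat_rules() {
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Check a dry-run listing (one command per line): the RELATED,ESTABLISHED
# rule must precede the first 800:65535 DROP. Returns 0 if so, else 1.
check_order() {
    est=$(grep -n -- 'RELATED,ESTABLISHED' "$1" | head -n 1 | cut -d: -f1)
    blk=$(grep -n -- '800:65535' "$1" | head -n 1 | cut -d: -f1)
    if [ -n "$est" ] && [ -n "$blk" ] && [ "$est" -lt "$blk" ]; then
        echo "OK: state rule at line $est precedes port block at line $blk"
        return 0
    fi
    echo "BAD: port block would drop passive FTP data connections too"
    return 1
}

case "${1:-}" in
    apply)   load_ftp_helpers; forward_rules; nat_rules ;;
    dry-run) DRY_RUN=1; load_ftp_helpers; forward_rules; nat_rules ;;
esac
```

Run it as `sh ftpnat.sh dry-run > rules.txt` and then `check_order` the listing before applying for real. Two caveats a practitioner should know: the helper only inspects port 21 unless the module is loaded with its `ports=` parameter, and it cannot follow an encrypted (FTPS) control channel at all, so those servers will still be caught by the high-port block. On Linux 4.7 and later, automatic helper assignment is off by default, so in addition to loading nf_conntrack_ftp you must bind the helper explicitly, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.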

