--- Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:

> On Fri, 18 Jun 2004, Sagara Wijetunga wrote:
>
> > Today I upgraded the Linux kernel to 2.6.7.
> >
> > Applied the following patches of the
> > patch-o-matic-ng-20040302:
> > init_conntrack-optimize NETMAP SAME TTL connlimit
> > fuzzy iprange ipv4options mport raw CLASSIFY addrtype
> > childlevel owner-socketlookup
> >
> > Compiled in all netfilter options to the kernel.
>
> Could you post the output of
>
> grep IP_NF_ .config
>

cd /usr/src/linux-2.6.7
grep IP_NF_ .config

CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_MATCH_CONNLIMIT=y
CONFIG_IP_NF_MATCH_FUZZY=y
CONFIG_IP_NF_MATCH_IPV4OPTIONS=y
CONFIG_IP_NF_MATCH_MPORT=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y

iptables-1.2.10 was compiled and installed as follows:

CC="gcc -D__user= "
export CC
make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man KERNEL_DIR=/usr/src/linux-2.6.7 >& iptables-make.log
make BINDIR=/sbin LIBDIR=/lib \
  MANDIR=/usr/share/man install KERNEL_DIR=/usr/src/linux-2.6.7 >& iptables-install.log
/sbin/ldconfig

> > After the server is booted with the new kernel, I
> > recompiled and reinstalled the iptables.
> >
> > But my problem is still the same. The "-m state
> > --state ESTABLISHED" works well, but the "-m state
> > --state RELATED" does not work at all for FTP data
> > connections. What have I missed?
>
> You should post the complete list of your rules in
> all of the tables.
>

/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 --tcp-flags ACK,PSH,URG ACK,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN,ACK -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags RST,ACK RST,ACK -j DROP
/sbin/iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 --syn -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 --syn -j ACCEPT
/sbin/iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix 'INPUT PKT DROPPED: '

/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 53 --syn -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25 --syn -j ACCEPT
/sbin/iptables -A OUTPUT -m limit --limit 1/s -j LOG --log-prefix 'OUTPUT PKT DROPPED: '

Please let me know if you require any further info in this regard.

Sagara
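An added check, not part of the thread above: before reasoning about why a state match misbehaves, confirm that every rule in the script was actually installed. iptables rejects a rule whose --tcp-flags list names a flag it does not know (a typo such as URGP for URG), and the chain then runs without that rule; under set -e the script stops there and nothing after it is loaded either. The authoritative check is "iptables -L -n -v" or "iptables-save" on the running box. The shell functions below do a static pass over a rule script written one command per line, in the form posted above: one lists rules with unknown --tcp-flags names, the other lists chains with a DROP policy and no ESTABLISHED,RELATED ACCEPT rule (a common reason replies get dropped). The sample ruleset is constructed for this example and deliberately includes one misspelled flag; the function names are this example's own.

```shell
#!/bin/sh
# Static checks over an iptables rule script written one command per line,
# as in the rules above. Added example; function names are assumptions.

# Constructed sample (not the poster's full script). The --tcp-flags rule
# for port 21 deliberately carries the unknown flag name URGP.
SAMPLE_RULES='/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 --tcp-flags ACK,PSH,URGP ACK,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25 --syn -j ACCEPT'

# Flag names the iptables tcp match accepts in --tcp-flags lists.
VALID_TCP_FLAGS='SYN ACK FIN RST URG PSH ALL NONE'

# Print each rule whose --tcp-flags mask or comparison list names a flag
# iptables does not know. iptables refuses such a rule when the script
# runs, so the chain is left without it (and, under set -e, without every
# rule after it).
bad_tcp_flag_rules() {
    printf '%s\n' "$1" | awk -v valid="$VALID_TCP_FLAGS" '
        BEGIN { n = split(valid, v, " "); for (i = 1; i <= n; i++) ok[v[i]] = 1 }
        {
            for (i = 1; i <= NF; i++) {
                if ($i != "--tcp-flags") continue
                # the mask list and the comparison list follow the option
                m = split($(i + 1) "," $(i + 2), f, ",")
                for (j = 1; j <= m; j++)
                    if (f[j] != "" && !(f[j] in ok)) { print; next }
            }
        }'
}

# Print each chain whose policy is DROP but which has no
# "--state ESTABLISHED,RELATED -j ACCEPT" rule. Through such a chain,
# replies to connections the host accepted or initiated are dropped.
drop_chains_without_state_accept() {
    printf '%s\n' "$1" | awk '
        {
            chain = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-P" && $(i + 2) == "DROP") drop[$(i + 1)] = 1
                if ($i == "-A") chain = $(i + 1)
            }
            if (chain != "" && $0 ~ /--state ESTABLISHED,RELATED/ && $0 ~ / -j ACCEPT/)
                has[chain] = 1
        }
        END { for (c in drop) if (!(c in has)) print c }'
}

echo "Rules iptables would reject for an unknown --tcp-flags name:"
bad_tcp_flag_rules "$SAMPLE_RULES"
echo "DROP-policy chains with no ESTABLISHED,RELATED ACCEPT rule:"
drop_chains_without_state_accept "$SAMPLE_RULES"
```

Run it against the real script with bad_tcp_flag_rules "$(cat /etc/rc.d/rc.firewall)" or similar; an empty result from both functions means the script at least loads cleanly and every DROP-policy chain lets tracked replies through, which is the baseline before looking at the FTP helper itself.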