> Hi all,
>
> I am trying to initiate ftp connections to some of my servers but it
> doesn't work. You can find below a schema representing my three
> machines, client, firewall and ftp server. There is no NAT at the moment,
> and the script I use on my firewall.
>
> ---
>
>   ftp server           eth1       fw       eth0           client
>   192.168.125.1   192.168.125.240   192.168.124.240   192.168.124.1
>
> ---
>
> #!/bin/sh
> #
>
> fw="/sbin/iptables"
> nat="$fw -t nat"
> mangle="$fw -t mangle"
>
> CONN_TRACK="1"            # Connection Tracking
> UNPRIVPORTS="1024:65535"  # unprivileged port range
>
> # Remove any existing rules from all chains
> $fw --flush
> $nat --flush
> $mangle --flush
>
> # Unlimited traffic on the loopback interface
> $fw -A INPUT -i lo -j ACCEPT
> $fw -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop
> $fw --policy INPUT DROP
> $fw --policy OUTPUT DROP
> $fw --policy FORWARD DROP
>
> # The nat and mangle tables are not packet filters: nat only sees the
> # first packet of each connection and mangle sees every packet, so a DROP
> # policy there discards traffic before the filter rules ever run. Leave
> # them at ACCEPT and do all filtering in the filter table above.
> $nat --policy PREROUTING ACCEPT
> $nat --policy OUTPUT ACCEPT
> $nat --policy POSTROUTING ACCEPT
>
> $mangle --policy PREROUTING ACCEPT
> $mangle --policy OUTPUT ACCEPT
>
> # Remove any pre-existing user-defined chains
> $fw --delete-chain
> $nat --delete-chain
> $mangle --delete-chain
>
> if [ "$CONN_TRACK" = "1" ]; then
>     # Packets belonging to, or related to, an already tracked connection
>     $fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     $fw -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>     $fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> fi
>
> # Incoming FTP requests (control channel, client -> server port 21)
> $fw -A FORWARD -i eth0 -o eth1 -p tcp -s 192.168.124.1 --sport $UNPRIVPORTS \
>     -d 192.168.125.1 --dport 21 -m state --state NEW -j ACCEPT
>
> # Port Mode Data Channel Responses (active mode, server port 20 -> client)
> $fw -A FORWARD -i eth1 -o eth0 -p tcp -d 192.168.124.1 --sport 20 \
>     --dport $UNPRIVPORTS -m state --state NEW -j ACCEPT
>
> Thanks for helping me ...
> Vincent

If the client is running a passive FTP client, you need to have the FTP
connection tracking module loaded for those connections to be considered
RELATED:

# modprobe ip_conntrack_ftp

-j
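As an added example (not code from the original thread, and not Vincent's script), here is a FORWARD rule set that relies on the FTP conntrack helper for both active and passive mode instead of opening data ports by hand. It reuses the interfaces and addresses from the schema above; the run() dry-run switch, the apply/show arguments and the related_ftp_count check are assumptions made for this illustration. The raw-table "CT --helper ftp" rule is the extra step current kernels need, since helpers are no longer attached to connections automatically (net.netfilter.nf_conntrack_helper defaults to 0 since 4.7); on the 2.4-era kernel of the thread, loading the module alone is enough.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes the same three
# hosts and interfaces as Vincent's schema; the run() dry-run switch, the
# helper-loading logic and related_ftp_count() are additions for illustration.

FW="/sbin/iptables"
EXT_IF="eth0"               # client side of the firewall
INT_IF="eth1"               # ftp server side of the firewall
CLIENT="192.168.124.1"
FTP_SERVER="192.168.125.1"
UNPRIVPORTS="1024:65535"

# run CMD ARGS...: execute the command, or only print it when DRYRUN is set,
# so the generated rules can be reviewed before they touch a live firewall.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Load the FTP conntrack helper. It is nf_conntrack_ftp on current kernels
# and ip_conntrack_ftp on the 2.4/early 2.6 kernels the thread dates from.
load_ftp_helper() {
    run modprobe nf_conntrack_ftp 2>/dev/null || run modprobe ip_conntrack_ftp
}

# FORWARD rules for FTP through the firewall. Only the control channel needs
# an explicit NEW rule: once the helper has parsed PORT/PASV on port 21, the
# data connection in either direction (server:20 -> client for active mode,
# client -> server high port for passive mode) is tracked as RELATED and
# accepted by the ESTABLISHED,RELATED rule, so no port-20 or high-port
# rule is opened by hand.
ftp_rules() {
    # Kernels since 4.7 no longer attach helpers automatically; bind the
    # helper to the control channel explicitly in the raw table.
    run "$FW" -t raw -A PREROUTING -i "$EXT_IF" -p tcp \
        -d "$FTP_SERVER" --dport 21 -j CT --helper ftp

    run "$FW" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    run "$FW" -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp \
        -s "$CLIENT" --sport "$UNPRIVPORTS" \
        -d "$FTP_SERVER" --dport 21 -m state --state NEW -j ACCEPT
}

# Number of tracked connections that have the ftp helper attached, to check
# that the helper is really active (needs conntrack-tools; prints 0 otherwise).
related_ftp_count() {
    conntrack -L 2>/dev/null | grep -c 'helper=ftp' || true
}

# "apply" modifies the firewall; "show" prints the rules instead.
if [ "${1:-}" = "apply" ]; then
    load_ftp_helper
    ftp_rules
elif [ "${1:-}" = "show" ]; then
    DRYRUN=1
    load_ftp_helper
    ftp_rules
fi
```

Run it as "sh ftpfw.sh show" first to review the three rules it would add, then "sh ftpfw.sh apply" as root; after an FTP transfer, related_ftp_count should be non-zero if the helper is doing its job. The script is deliberately additive (it does not flush or set policies) so it can be appended to a base script like the one in the thread.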