Thanks Jorg,

How do I find out whether the ftp module is loaded or not?

Thanks
Varun

----- Original Message -----
From: Jörg Harmuth <harmuth@xxxxxxxxx>
Date: Monday, August 15, 2005 2:43 pm
Subject: Re: ftp issue cont.

> Derick Anderson wrote:
> > FTP passive mode creates an entirely new connection for data transfer.
> > It is not 'related' to the original connection and so iptables doesn't
> > pick it up as such (nor do any other stateful firewalls that I'm aware
> > of).
>
> No, not really. Iptables regards FTP data traffic as related stuff. To
> be more exact, the respective helper module does so
> (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
> module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
> This looks something like this (assuming that policies are DROP and
> OUTPUT is ACCEPT, and also assuming that the box is directly connected
> to the internet and that the FTP server is on the firewall box):
>
> modprobe ip_conntrack_ftp.[k]o
>
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
>
> This will work for active and passive FTP. If the ftp module isn't on
> the system in question, varun_saa has to configure the kernel
> correctly and recompile as needed.
>
> BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
> and in FORWARD no rule concerning FTP. So, what is this guy doing? If
> the FTP server is on the firewall box, there is no iptables problem at
> all (on this box). If not, there are no rules that permit FTP and thus
> it cannot work. The whole thing looks quite mysterious to me,
> including the -P issue Rob mentioned. Maybe a tiny ASCII art
> network picture would clarify the situation :)
>
> Have a nice time,
>
> Joerg
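As an added illustration (not code from the thread), here is a small POSIX shell script that answers Varun's question and checks for the two INPUT rules Jörg lists. It reads lsmod-style and `iptables -S INPUT`-style text on stdin; the newer module name nf_conntrack_ftp and the sample inputs are my assumptions, not output from the poster's box.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the setup Jörg describes.

# 1) Is the FTP conntrack helper loaded? Reads lsmod-style text on stdin and
#    matches the module column only. ip_conntrack_ftp is the name from the
#    post; nf_conntrack_ftp is the name later kernels use (assumption).
ftp_helper_loaded() {
    awk '$1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# 2) Does the INPUT chain carry both rules from the post? Reads
#    "iptables -S INPUT" style lines on stdin: an ACCEPT for
#    RELATED,ESTABLISHED state and an ACCEPT for tcp dport 21.
rules_allow_ftp() {
    awk '/^-A INPUT .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) .*-j ACCEPT/ { rel = 1 }
         /^-A INPUT .*-p tcp .*--dport 21 .*-j ACCEPT/ { ftp = 1 }
         END { exit (rel && ftp) ? 0 : 1 }'
}

# Wrappers that take the text as an argument and print a status word, so the
# checks can be exercised offline on constructed input.
helper_status() {
    if printf '%s\n' "$1" | ftp_helper_loaded; then echo loaded; else echo missing; fi
}
ruleset_status() {
    if printf '%s\n' "$1" | rules_allow_ftp; then echo ok; else echo incomplete; fi
}

# Constructed sample input (not real output from any box).
LSMOD_WITH='Module                  Size  Used by
ip_conntrack_ftp        7000  0
ip_conntrack           50000  1 ip_conntrack_ftp'
LSMOD_WITHOUT='Module                  Size  Used by
ip_conntrack           50000  0'
RULES_GOOD='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT'
RULES_BAD='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT'

# On a live box:  lsmod | ftp_helper_loaded ; iptables -S INPUT | rules_allow_ftp
```

Without the RELATED,ESTABLISHED rule the data connection is dropped even though the helper is loaded, which is exactly the failure the ruleset check flags on RULES_BAD.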