Hi

There are 2 kinds of ftp, viz. passive and active. You only cater for one.
See this link for the details: http://slacksite.com/other/ftp.html

Regards
Ray

On Fri, 2007-03-30 at 14:15 +0200, spaminator@xxxxxx wrote:
> Hi there,
>
> I'm experiencing a strange problem when trying to FTP through a firewalling bridge.
>
> My FTP client connects to the FTP server ok. But when the client switches to passive mode to get the directory's file list I get stuck.
>
> The bridge is running on a Debian Sarge box with kernel 2.6.8-3, iptables 1.2.11-10 and bridge-utils 1.0.4-1. The bridge is built from the physical devices eth0 and eth1.
>
> The bridge is assigned an IP address too to be able to manage it remotely. Hence the INPUT and OUTPUT rules in my /etc/firewall.up.rules. As far as I understood, iptables only uses the FORWARD chain for the bridged packets.
>
> Here is my /etc/firewall.up.rules:
>
> #
> # is invoked by /etc/network/interfaces as pre-up for br0
> #
> *filter
> #
> :INPUT DROP [0:0]
> # some input rules
> #
> :FORWARD DROP [0:0]
> -A FORWARD -m state --state INVALID -j DROP
> -A FORWARD -p icmp -j ACCEPT
> # client to server
> -A FORWARD -p tcp -s ! 217.17.69.18/255.255.255.224 --sport 1024:65535 \
>     -d 217.17.69.18/255.255.255.224 --dport 21 \
>     -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -p tcp -s ! 217.17.69.18/255.255.255.224 --sport 1024:65535 \
>     -d 217.17.69.18/255.255.255.224 --dport 1024:65535 \
>     -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> # server to client
> -A FORWARD -p tcp -s 217.17.69.18/255.255.255.224 --sport 21 \
>     -d ! 217.17.69.18/255.255.255.224 --dport 1024:65535 \
>     -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -p tcp -s 212.117.69.128/255.255.255.224 --sport 1024:65535 \
>     -d ! 217.17.69.18/255.255.255.224 --dport 1024:65535 \
>     -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> # logging
> -A FORWARD -j ULOG --ulog-nlgroup 1
> #
> :OUTPUT DROP [0:0]
> # some output rules
> #
> COMMIT
> #
>
> These are all rules in the FORWARD chain. Using "! --syn" or "-m state --state RELATED,ESTABLISHED" instead of "-m conntrack --ctstate RELATED,ESTABLISHED" leads to the same result:
>
> When I look into the logfile I find an entry where my client:somehighport tries to tcp the server:somehighport. To me it looks like the client seems to want to establish a data-connection and iptables does not recognize these packets as RELATED or ESTABLISHED.
>
> Just for the crack of it I temporarily added NEW to the second "client to server"-rule. With that it works fine, but leaves the boxes behind the bridge open for any attack on the high ports.
>
> http, https or anything else is working properly, if I implement them in the FORWARD chain.
>
> Any suggestions out there?
>
> bye and TIA
> Jo

-- 
Raymond Leach
RCHQ Hobbies (http://www.rchq.co.za/)
(T)+27-82-575-6975 (F)+27-86-652-2773
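The reason a passive data-channel SYN only counts as RELATED when the kernel's FTP connection-tracking helper is loaded (ip_conntrack_ftp on a 2.6.8-era kernel, nf_conntrack_ftp on later ones) is that the helper reads the PASV reply or PORT command on the control connection and registers an "expectation" for the data connection; without it the SYN is plain NEW and hits the log rule. The following is an added illustration of that logic, not code from either poster; the addresses and control-channel lines are constructed.

```python
import re

# The two control-channel messages the FTP helper watches for.
# Passive: server replies "227 ... (h1,h2,h3,h4,p1,p2)" and the client connects
# to the advertised server port.  Active: client sends "PORT h1,...,p2" and the
# server connects (from port 20) to the advertised client port.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

# Constructed addresses (documentation ranges), not the poster's network.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"


def parse_hostport(groups):
    """Turn the six FTP octets into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("FTP host/port octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expectation_from_control(line, client_ip, server_ip):
    """Return the data connection (src, dst, dport, mode) a control-channel
    line announces, or None when the line negotiates nothing."""
    m = PASV_RE.match(line)
    if m:
        ip, port = parse_hostport(m.groups())
        return {"src": client_ip, "dst": ip, "dport": port, "mode": "passive"}
    m = PORT_RE.match(line)
    if m:
        ip, port = parse_hostport(m.groups())
        return {"src": server_ip, "dst": ip, "dport": port, "mode": "active"}
    return None


def classify(packet, expectations):
    """RELATED if the SYN matches a registered expectation, else NEW."""
    for e in expectations:
        if (packet["src"], packet["dst"], packet["dport"]) == (e["src"], e["dst"], e["dport"]):
            return "RELATED"
    return "NEW"


def run_demo():
    """Same SYN, with and without the helper having parsed the PASV reply."""
    reply = "227 Entering Passive Mode (198,51,100,5,195,80)"  # constructed
    exp = expectation_from_control(reply, CLIENT_IP, SERVER_IP)
    syn = {"src": CLIENT_IP, "dst": SERVER_IP, "dport": 50000}
    return classify(syn, [exp]), classify(syn, [])
```

run_demo() returns ("RELATED", "NEW"): the second value is the state the poster's log rule sees when no FTP helper has inspected the control channel.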