Re: FTP port mode, client and server behind iptables

Mart Frauenlob wrote:
Gary Smith wrote:
As per the subject, I have a proftp server running behind iptables. I'm NAT'ing in the entire IP to the ftp server. I have the following rules in place on the server (where eth0 is internal, eth1 is external):
*nat
-A PREROUTING -d x.x.x.x -p tcp -m tcp -j DNAT --to-destination 10.20.0.12
*filter
-A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp --dport 1025:65535 -j ACCEPT
-A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp -m multiport --dports 80,443,21,20,22 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-F: "
-A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
ip_conntrack_ftp and ip_nat_ftp are loaded

On the client side (where eth0 is internal, eth1 is external):
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FW-F: "
-A FORWARD -i eth1 -j REJECT --reject-with icmp-port-unreachable
ip_conntrack_ftp and ip_nat_ftp are loaded

I'm not seeing any hits in the log file (which logs on each chain before reject).

Anyway, what am I missing for PORT mode for FTP? The Windows command line users seem to be the only ones affected by this (as pretty much everything else allows passive).


Port mode does not exist; there are passive and active modes in FTP. Both use ports, but different ones....

Any ideas?

Umm, quite some... my proposal:

# allow all established and related (most expected hits -> rule placed first)
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow ftp: only for host or globally
-A FORWARD -i eth0 -d 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
-A FORWARD -i eth1 -s 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
# or more global:
-A FORWARD -m helper --helper "ftp" -j ACCEPT

sorry, i mixed up internal and external interface.
-A FORWARD -i eth1 -d 10.20.0.12 -m helper --helper "ftp" -j ACCEPT
-A FORWARD -i eth0 -s 10.20.0.12 -m helper --helper "ftp" -j ACCEPT

# allow connection openings (last rule as not more than a few packets per connection are state NEW)
-A FORWARD -d 10.20.0.12 -i eth1 -p tcp -m tcp -m multiport --dports 80,443,21,22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth1 -j REJECT.......
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
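As an added illustration for this archived thread (not code from either poster and not netfilter code), the Python below models what the FTP conntrack helper does with an active-mode PORT command and then runs the client-side FORWARD chain from the original post against the server's inbound data connection, once with ESTABLISHED alone and once with ESTABLISHED,RELATED as proposed in the reply. Every address, port and command line is constructed, and the model assumes ip_nat_ftp keeps the announced port when it rewrites the address in PORT, which is a simplification.

```python
# Added example (not from the posters or netfilter): models what the FTP
# conntrack helper (ip_conntrack_ftp / ip_nat_ftp) does with an active-mode
# PORT command, and checks the client-side FORWARD chain from the thread
# against the server's inbound data connection with and without RELATED.
# All addresses, ports and the command lines below are constructed.
import re
from dataclasses import dataclass
from typing import Optional

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int      # 0 means "any source port" (expectation mask)
    dst: str
    dport: int


def _hostport(groups) -> Optional[tuple]:
    """Decode the h1,h2,h3,h4,p1,p2 encoding used by PORT and 227 replies."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None          # malformed: every field is one byte
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_port(line: str):
    """Address/port a client announces with PORT (active mode)."""
    m = PORT_RE.match(line)
    return _hostport(m.groups()) if m else None


def parse_pasv(line: str):
    """Address/port a server announces in its 227 reply (passive mode)."""
    m = PASV_RE.match(line)
    return _hostport(m.groups()) if m else None


def format_port(ip: str, port: int) -> str:
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def expectation(control: Conn, line: str) -> Optional[Conn]:
    """The data connection the helper expects after seeing `line` on the
    control channel; a later SYN matching it gets ctstate RELATED."""
    hp = parse_port(line)
    if hp:   # active: server connects from port 20 to the client's address
        return Conn(control.dst, 20, hp[0], hp[1])
    hp = parse_pasv(line)
    if hp:   # passive: client connects from an ephemeral port to the server
        return Conn(control.src, 0, hp[0], hp[1])
    return None


def nat_rewrite_port(line: str, public_ip: str) -> str:
    """What ip_nat_ftp does on the client side: replace the private address
    in PORT with the SNAT address (port kept: an assumption of this model)."""
    hp = parse_port(line)
    return format_port(public_ip, hp[1]) if hp else line


def ctstate(expect: Optional[Conn], syn: Conn) -> str:
    """Conntrack state of an incoming data-connection SYN."""
    if expect and expect.sport in (0, syn.sport) and \
       (expect.src, expect.dst, expect.dport) == (syn.src, syn.dst, syn.dport):
        return "RELATED"
    return "NEW"


def client_forward_verdict(state: str, in_iface: str, accept_related: bool) -> str:
    """Client-side FORWARD chain from the original post, with the one change
    proposed in the reply (ESTABLISHED -> ESTABLISHED,RELATED) as a switch."""
    if in_iface == "eth0":                       # -A FORWARD -i eth0 -j ACCEPT
        return "ACCEPT"
    ok = {"ESTABLISHED", "RELATED"} if accept_related else {"ESTABLISHED"}
    if state in ok:                              # -m conntrack --ctstate ... -j ACCEPT
        return "ACCEPT"
    # -A FORWARD -j LOG --log-prefix "FW-F: "   (logged, then:)
    if in_iface == "eth1":                       # -A FORWARD -i eth1 -j REJECT
        return "REJECT"
    return "POLICY"                              # chain policy, not shown in the post


def demo():
    # constructed: client 10.0.0.5 behind SNAT 198.51.100.2, server 203.0.113.10
    control = Conn("198.51.100.2", 40001, "203.0.113.10", 21)   # as seen past the client NAT
    wire = nat_rewrite_port("PORT 10,0,0,5,156,66", "198.51.100.2")
    exp = expectation(control, wire)
    data_syn = Conn("203.0.113.10", 20, "198.51.100.2", 40002)  # server's SYN, arrives on eth1
    state = ctstate(exp, data_syn)
    return {
        "rewritten": wire,
        "state": state,
        "established_only": client_forward_verdict(state, "eth1", False),
        "with_related": client_forward_verdict(state, "eth1", True),
        "no_helper": client_forward_verdict(ctstate(None, data_syn), "eth1", True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The server's data SYN comes in on the client firewall's external interface, so with ESTABLISHED alone it falls through to the REJECT rule, and the same happens when the helper is not attached at all (the SYN is then plain NEW). On a real box, `conntrack -L expect` shows whether the helper actually registered an expectation after the PORT command; on kernels from 4.7 on, automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0), so the helper has to be attached explicitly, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`, before any of the `-m helper` or RELATED rules in the thread can match.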