Re: Help with ftp helper please

On 24.04.2010 18:48, Jeff Jensen wrote:
> Hello netfilter people,
> 
>    I have an email conversation from Jan 9, 2010 between
> mart.frauenlob@xxxxxxxxx and margoandtodd@xxxxxxxxx with the subject
> "passive mode ftp high ports driving me nuts". I have studied this
> intensely and found out about this "helper" thing.
> 
> On a test Ubuntu 9.04 box I have these rules and nothing else, plus I
> have added nf_conntrack_ipv4 and nf_conntrack_ftp to /etc/modules.
> 
> # Local host
> iptables -A INPUT  -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # DNS
> iptables -A OUTPUT -o eth0 -p udp -m state --state NEW,ESTABLISHED --dport 53 -j ACCEPT
> iptables -A INPUT  -i eth0 -p udp -m state --state ESTABLISHED --sport 53 -j ACCEPT
> # FTP Helper Chain
> iptables -N FTPChn
> iptables -A FTPChn -j LOG --log-prefix "FTP "
> iptables -A FTPChn -j ACCEPT
> # FTP
> iptables -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
> iptables -A INPUT  -i eth0 -m helper --helper ftp -j FTPChn
> iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW --dport 21 -j FTPChn
> # Log All Else
> iptables -A INPUT   -j LOG --log-prefix "Filter Input   "
> iptables -A OUTPUT  -j LOG --log-prefix "Filter Output  "
> iptables -A FORWARD -j LOG --log-prefix "Filter Forward "
> # And Reject
> iptables -A INPUT   -j REJECT --reject-with icmp-host-prohibited
> iptables -A OUTPUT  -j REJECT --reject-with icmp-host-prohibited
> iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> 
> When I ftp to mirror.anl.gov this shows up in the log (trimmed for easy reading):
> 
> FTP            IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
> Filter Input   IN=eth0 OUT= SRC=146.137.96.15 DST=192.168.128.20
> PROTO=TCP SPT=21 DPT=36826 WINDOW=5792 ACK SYN URGP=0
> Filter Output  IN= OUT=eth0 SRC=192.168.128.20 DST=146.137.96.15
> PROTO=TCP SPT=36826 DPT=21 WINDOW=5840 SYN URGP=0
> 
> Any idea what I'm missing?
> 
> Thank you
> 
> Jeff
You don't allow the incoming traffic with sport 21 back in.
BTW: is nf_nat_ftp also loaded?
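Added example (not from either poster): the rule set above with the missing INPUT rule that lets the port-21 reply and the helper-tracked data connection back in. The SYN/ACK from SPT=21 logged as "Filter Input" is an ESTABLISHED packet that fell through to the catch-all REJECT; the data connection that nf_conntrack_ftp expects shows up as RELATED. Assumes eth0 as the outbound interface; set IPT=echo for a dry run.

```shell
#!/bin/sh
# Client-side FTP rule set with the missing state rule (added example).
# IPT defaults to the real binary; export IPT=echo to print the rules instead.
IPT="${IPT:-iptables}"

ftp_client_rules() {
    # Loopback
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # DNS
    $IPT -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT

    # FTP logging chain, as in the original post.
    $IPT -N FTPChn
    $IPT -A FTPChn -j LOG --log-prefix "FTP "
    $IPT -A FTPChn -j ACCEPT

    # Packets belonging to a connection tracked by the ftp helper (control
    # channel and the PORT/PASV data channel it expects) are logged, then accepted.
    $IPT -A OUTPUT -o eth0 -m helper --helper ftp -j FTPChn
    $IPT -A INPUT  -i eth0 -m helper --helper ftp -j FTPChn

    # New outbound control connection to port 21.
    $IPT -A OUTPUT -o eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # The rule the original set lacked: replies (ESTABLISHED) and helper-spawned
    # data connections (RELATED) must be accepted on INPUT, or the SYN/ACK from
    # port 21 hits the catch-all REJECT exactly as the "Filter Input" line shows.
    # nf_conntrack_ftp is enough on a plain client; nf_nat_ftp only matters with NAT.
    $IPT -A INPUT  -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log everything else, then reject.
    $IPT -A INPUT   -j LOG --log-prefix "Filter Input   "
    $IPT -A OUTPUT  -j LOG --log-prefix "Filter Output  "
    $IPT -A FORWARD -j LOG --log-prefix "Filter Forward "
    $IPT -A INPUT   -j REJECT --reject-with icmp-host-prohibited
    $IPT -A OUTPUT  -j REJECT --reject-with icmp-host-prohibited
    $IPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

# Print the rules without touching the kernel (subshell so IPT is not clobbered).
dry_run() {
    (IPT=echo; ftp_client_rules)
}

# Only apply for real when explicitly asked: sh script.sh apply (as root).
if [ "${1:-}" = "apply" ]; then ftp_client_rules; fi
```

On kernels that no longer auto-assign conntrack helpers, the control connection additionally needs a raw-table rule such as `iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp` before the helper match will see it.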
