[ILUG] iptables and FTP
Reilly, John
John at xelector.com
Fri Mar 8 13:58:24 GMT 2002
>
> Now it was my understanding that iptables was a connection tracking or
> stateful firewall and that thus FTP masquerading worked quite nicely, but
> I'm having problems. From a 'doze client using command line FTP or IE5 I can
> connect to an FTP server but I can't build up a data connection.
>
> The iptables documentation is nearly silent on the matter, saying only that
> NATing FTP should work if you have the ip_conntrack_ftp and ip_nat_ftp
> modules loaded, which I do.
>
> All assistance gratefully received.
>
The following works for me in RedHat /etc/sysconfig/iptables
In the filter table add the following:
# Allow ftp outbound (control connection, port 21)
-A INPUT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active ftp (server connects back from port 20; RELATED via ip_conntrack_ftp)
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Passive ftp (client opens a high port to the server's high port)
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
The first two deal with port 21, then the following two deal with the
ftp-data port. The next two lines do passive ftp.
The above is the format understood by iptables-restore.
Cheers
jr
PS: Hopefully I've read this one right..
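The rules above rely on the ip_conntrack_ftp helper watching the port 21 control channel and marking the resulting data connection RELATED. The following is an added example, not code from the post or from the kernel: it models that expectation logic in Python over a constructed control-channel exchange (the addresses, port numbers and log lines are invented), so you can see which data connections would be matched as RELATED and which would still be NEW. The strict check that a PORT or 227 address must match the peer that sent it is an assumption made here for the example; it is the conservative behaviour and ignores the kernel helper's optional loose mode.

```python
import re

# Constructed sample: client 192.0.2.10 talking to an FTP server at 198.51.100.5:21
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
CONTROL_LOG = [
    ("C", "USER anonymous"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,0,2,10,4,1"),       # active: client listens on 4*256+1 = 1025
    ("S", "200 PORT command successful."),
    ("C", "PORT 192,0,2,99,4,2"),       # points at a third host; strict mode ignores it
    ("S", "227 Entering Passive Mode (198,51,100,5,195,80)."),  # passive: 195*256+80 = 50000
]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    a, b, c, d, p1, p2 = map(int, m.groups())
    if max(a, b, c, d, p1, p2) > 255:   # reject malformed octets/ports
        return None
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def build_expectations(log, client, server):
    """Mimic ip_conntrack_ftp: each PORT / 227 line yields one expected data flow (src, dst, dport)."""
    exps = []
    for who, line in log:
        if who == "C" and line.upper().startswith("PORT "):
            hp = parse_hostport(line)
            if hp and hp[0] == client:            # strict: address must be the client itself
                exps.append((server, client, hp[1]))   # active: server -> client:port
        elif who == "S" and line.startswith("227 "):
            hp = parse_hostport(line)
            if hp and hp[0] == server:            # strict: address must be the server itself
                exps.append((client, server, hp[1]))   # passive: client -> server:port
    return exps


def classify(src, dst, dport, exps):
    """The first packet of a data connection is RELATED if an expectation matches it, else NEW."""
    return "RELATED" if (src, dst, dport) in exps else "NEW"
```

With these expectations a single `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule covers both active and passive data connections, which is why the broad 1024:65535 passive rules above are wider than the helper actually requires.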