Saturday, January 29, 2011

iptables : how to allow incoming ftp traffic?

Hi,

Still fighting my way through the jungle that is called iptables.

I have managed to allow FTP access outside of our LAN: both of these would work. NOTE: eth0 is the LAN interface and eth1 is the WAN interface.

iptables -t filter -A FORWARD -i eth0 -p tcp --dport 20:21 -j ACCEPT

or

iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 20:21 --dport 1024:65535 -j ACCEPT

But when I connect to an external FTP server I manage to log in and all is fine until it wishes to List the directory content. Then nothing happens, as the data is blocked due to the fact that I do not have a rule set up to allow it! (My last rule on the FORWARD chain is to block all traffic.)

I have tried a gazillion rules (many of which I did not understand) to try and allow the FTP traffic back through my server. One such rule, for example, was:

iptables -A FORWARD -i eth1 -o eth0 -p tcp --sport 20:21 --dport 1024:65535 -j ACCEPT

But I cannot get the List to work. It just times out after a while.

Would anyone perhaps know how to build a rule which would allow FTP to List / allow such traffic back? Or have a link to sources I could work through?

Thank you,

  • Your example looks OK for Active FTP connections, but in passive mode the FTP server's replies won't be coming from port 20/21 anymore, hence the --sport 20:21 won't match. Have you tried this in both active and passive mode? What were the results?

    Do you have rules set up to forward already established connections? Iptables has ftp modules I believe that understand the connections and will open up the new ports properly for passive FTP connections.

    Check here for more details:

    Active vs Passive FTP Connections

    Ignacio Vazquez-Abrams : The module is called `nf_conntrack_ftp` in recent versions of Linux.
    logansama : yes I do have my first FORWARD chain rule to forward established connections. I did think it may be a port issue on the returning traffic. Thank you for the info! Looking into it now. :)
    From bot403
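As an added example (not the rules from the question or the answer above): a small POSIX shell script that implements what the answer describes, loading the nf_conntrack_ftp helper, accepting ESTABLISHED,RELATED traffic so that both active and passive data connections get through, and opening only the control port from the LAN. The raw-table CT rule goes beyond the thread: on kernels 4.7 and newer the helper is no longer attached automatically, so it is bound explicitly. Interface names eth0/eth1 follow the question; the variable and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the asker's or answerer's own rules: a minimal FORWARD
# policy for a NAT router (eth0 = LAN, eth1 = WAN) that lets LAN clients use
# external FTP servers in active and passive mode via nf_conntrack_ftp.
set -eu

LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
# Set these to "echo" to print the commands instead of applying them.
IPT="${IPTABLES:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

load_ftp_helper() {
    # The helper parses the control channel (port 21) and marks the data
    # connections it announces (PORT in active mode, PASV in passive mode)
    # as RELATED, so no fixed --sport/--dport rules are needed for them.
    "$MODPROBE" nf_conntrack_ftp
}

assign_ftp_helper() {
    # Kernels 4.7 and newer no longer attach helpers automatically; bind the
    # ftp helper to LAN-originated control connections in the raw table.
    "$IPT" -t raw -A PREROUTING -i "$LAN_IF" -p tcp --dport 21 -j CT --helper ftp
}

ftp_forward_rules() {
    # 1. Packets of known connections in either direction: control-channel
    #    replies and, thanks to the helper, every FTP data connection.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. New FTP control connections from the LAN towards the WAN.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # 3. Default deny for everything else, as in the asker's setup.
    "$IPT" -A FORWARD -j DROP
}

apply_all() {
    load_ftp_helper
    assign_ftp_helper
    ftp_forward_rules
}

# Only touch the live firewall when explicitly requested:
#   FTP_FW_APPLY=1 sh ftp-forward.sh
if [ "${FTP_FW_APPLY:-0}" = 1 ]; then
    apply_all
fi
```

Run with IPTABLES=echo MODPROBE=echo FTP_FW_APPLY=1 first to review the generated rules before applying them for real.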
