Ansgar -59cobalt- Wiechers wrote:
>> On 2005-09-01 Stephan Balmer wrote:
>>
>>>>>> but, once I have loaded the conntrack FTP modules and I want to permit FTP
>>>>>> client connections from my private subnet, which is behind eth1, to
>>>>>> the Internet through eth0, I should do:
>>>>>>
>>>>>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 20:21 -j ACCEPT
>>>>
>>>> Yes, that should work.
>>
>> No. He would need either
>>
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
>> iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 20 -j ACCEPT
>>
>> or
>>
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 1024: -j ACCEPT
>>
>> The former is for active FTP, the latter for passive FTP. I *strongly*
>> recommend avoiding both and using connection tracking instead.
>>
>>>> But as others have pointed out, this is good for passive FTP
>>>> connections only; if your clients want to use active FTP, you need
>>>> connection tracking (look for a kernel module ip_conntrack_ftp).
>>
>> Wrong. Port 20/tcp on the server is *only* needed for *active* FTP (and
>> would then have to be a --sport anyway, since the server initiates the
>> data connection). Passive FTP uses TCP ports above 1023 for the data
>> connection, which is initiated by the client. However, with connection
>> tracking enabled, you only need to allow 21/tcp for either active or
>> passive FTP, since the data connection will be RELATED to the already
>> ESTABLISHED control connection.

Thus, if I understand right, it is enough that I include the lines
below in my iptables script:

$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT

Thank you very much, fabrizio.

>>
>>>> In most cases, it's far easier and more secure to configure your clients to
>>>> use passive mode than to fiddle with conntrack; many clients work
>>>> passive by default.
>>
>> Without connection tracking that'll work only if you allowed outbound
>> connections to non-privileged ports.
>>
>>>>Active FTP vs. Passive FTP, a Definitive Explanation:
>>>>http://slacksite.com/other/ftp.html
>>
>> May I suggest you re-read that page yourself?
>>
>> Regards
>> Ansgar Wiechers
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
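The ruleset below is an added example for this thread, not a script posted by fabrizio, Ansgar or Stephan. It generates the complete FORWARD configuration that Ansgar's point implies: one rule for NEW control connections to 21/tcp, one rule for ESTABLISHED,RELATED traffic (which fabrizio's three lines above do not include, and without which neither the return packets nor the helper-expected data connections pass a DROP policy), and no rule for port 20 or the 1024: range. It assumes the interface names from the thread (eth1 LAN, eth0 WAN), a masqueraded private subnet, and a current kernel, where the helper modules are named nf_conntrack_ftp / nf_nat_ftp (the thread's ip_conntrack_ftp / ip_nat_ftp) and, since Linux 4.7, helpers are no longer attached automatically, so the ftp helper is bound to the control connection explicitly with the CT target in the raw table.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Emits the minimal forwarding rules for FTP clients behind $lan reaching
# servers via $wan, relying on the conntrack FTP helper so that both active
# and passive data connections are accepted as RELATED to the 21/tcp control
# connection. Assumptions: interface names eth1/eth0, a masqueraded private
# LAN, and the current module names nf_conntrack_ftp / nf_nat_ftp.

LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"

# Print the commands, one per line, for the given LAN and WAN interfaces.
ftp_forward_rules() {
    lan="$1"
    wan="$2"
    cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -P FORWARD DROP
# Since Linux 4.7 helpers are not attached automatically
# (net.netfilter.nf_conntrack_helper defaults to 0), so bind the ftp helper
# to the control connection explicitly in the raw table.
iptables -t raw -A PREROUTING -i $lan -p tcp --dport 21 -j CT --helper ftp
# Masquerade the private subnet; nf_nat_ftp rewrites the PORT command and
# the 227 reply so the addresses in the payload match the translated ones.
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
# Return traffic and helper-expected data connections, in both directions:
# the server-initiated active connection from port 20 and the
# client-initiated passive connection to a high port are both RELATED.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New control connections only: no rule for port 20 and none for 1024: is needed.
iptables -A FORWARD -i $lan -o $wan -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Dry run by default so the rules can be reviewed; pass --apply (as root) to load them.
if [ "${1:-}" = "--apply" ]; then
    ftp_forward_rules "$LAN_IF" "$WAN_IF" | sh -e
else
    ftp_forward_rules "$LAN_IF" "$WAN_IF"
fi
```

Run it without arguments to print the rules for review, or `LAN_IF=eth1 WAN_IF=eth0 sh ftp-forward.sh --apply` as root to load them. On a pre-4.7 kernel the raw-table CT rule is harmless, and on any kernel `conntrack -L` (or `/proc/net/nf_conntrack`) will show the data connection with the control connection's tuple as its master once a transfer runs.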