
Sunday, September 02, 2007

Re: Iptables and FTP problem

Mahdi Rahimi wrote:
> My rules for passive FTP look like this and work without problem, but I
> want my LAN to work in active FTP.
>
> ###control connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport 21 \
>   -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 21 -d $LAN --dport 1024:65535 \
>   -m state --state RELATED,ESTABLISHED -j ACCEPT

RELATED is not needed for the control connections.

> ###data connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT \
>   --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 1024:65535 -d $LAN \
>   --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

This is getting confusing. In your previous messages, $LAN and $EXT were
used in -i and -o options, meaning they contain interface names. Now
they are used in -s and -d options, meaning they contain addresses or
network address prefixes. So what are $LAN and $EXT?

Assuming that $LAN and $EXT contain network prefixes (respectively
192.168.1.0/26 and 0.0.0.0/0 according to your previous messages), you
need to add the following rules in order to allow transfers in active mode:

$IPTABLES -A FORWARD -p tcp -s $EXT --sport 20 -d $LAN \
--dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT \
--dport 20 -m state --state ESTABLISHED -j ACCEPT

However I recommend filtering at least on the input interface and not
only on the source address, because the source address can be forged.


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
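The rule set the reply describes, assembled into one script as an added example (this is not code from the original message or from the Debian list; it is an illustration written for this page). It allows LAN hosts to use external FTP servers in both active and passive mode and follows the reply's recommendation of matching on the input and output interfaces as well as on the source address. The interface names `eth1` (LAN) and `eth0` (external), the LAN prefix `192.168.1.0/26`, the `IPTABLES` dry-run convention and the helper module names are assumptions for the example. The data-connection rules only work because the FTP connection-tracking helper reads the PORT/PASV exchange on the control channel and marks the resulting data connection RELATED; without that helper loaded nothing matches `--state RELATED`.

```shell
#!/bin/sh
# Added example: FORWARD rules for active and passive FTP from a LAN,
# filtered on interfaces as well as addresses. Not from the original
# message. Interface names, LAN prefix and module names are assumptions.
#
# Set IPTABLES="echo iptables" to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Load the FTP conntrack helper (assumed module names: nf_conntrack_ftp on
# newer kernels, ip_conntrack_ftp on 2.6-era kernels as in the thread).
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
}

# ftp_forward_rules LAN_IF EXT_IF LAN_NET
# -i/-o restrict each rule to the interface the packet really arrived on and
# leaves by, so a forged source address from the outside does not match the
# LAN rules. Only the control connection may be opened as NEW; every data
# connection must be RELATED (announced on the control channel) or ESTABLISHED.
ftp_forward_rules() {
    lan_if="$1"; ext_if="$2"; lan_net="$3"

    # Control connection: client -> server port 21, and its replies.
    $IPTABLES -A FORWARD -i "$lan_if" -o "$ext_if" -p tcp -s "$lan_net" \
        --sport 1024:65535 --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$ext_if" -o "$lan_if" -p tcp -d "$lan_net" \
        --sport 21 --dport 1024:65535 \
        -m state --state ESTABLISHED -j ACCEPT

    # Active mode: the server opens the data connection from port 20 to the
    # port the client announced with PORT; the helper marks it RELATED.
    $IPTABLES -A FORWARD -i "$ext_if" -o "$lan_if" -p tcp -d "$lan_net" \
        --sport 20 --dport 1024:65535 \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$lan_if" -o "$ext_if" -p tcp -s "$lan_net" \
        --sport 1024:65535 --dport 20 \
        -m state --state ESTABLISHED -j ACCEPT

    # Passive mode: the client opens the data connection to the high port the
    # server announced in its PASV reply; again RELATED on the first packet.
    $IPTABLES -A FORWARD -i "$lan_if" -o "$ext_if" -p tcp -s "$lan_net" \
        --sport 1024:65535 --dport 1024:65535 \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$ext_if" -o "$lan_if" -p tcp -d "$lan_net" \
        --sport 1024:65535 --dport 1024:65535 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Apply only when asked to, so the file can be sourced for a dry run:
#   sh ftp-rules.sh apply              # load helper and install the rules
#   IPTABLES="echo iptables" sh ftp-rules.sh apply   # print them instead
if [ "${1:-}" = apply ]; then
    load_ftp_helper
    ftp_forward_rules eth1 eth0 192.168.1.0/26
fi
```

Note that the rules are only as good as the helper: if the helper is not loaded, the data connections are silently dropped, and on recent kernels automatic helper assignment is disabled by default, so the helper has to be attached to port-21 traffic explicitly with a raw-table CT rule before any of the RELATED matches above will fire.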
