
Saturday, September 01, 2007

Re: Iptables and FTP problem

Hello,

Mahdi Rahimi wrote:
>
> My NAT(PREROUTING) and Filter table default Policy is DROP.

Bad idea. The nat table is not intended for filtering. Leave the nat
table chains' default policies at ACCEPT and do the filtering in the
filter table chains.

>>>Hello, I have a problem with our clients' outside FTP access via Debian.
>>>My LAN users can't start data transfers to outside FTP servers, but they
>>>can establish a connection to port 21 on the outside FTP server.
>>>
>>>I want my LAN users to use FTP clients in ACTIVE mode.
>>>my rules:
>>>
>>>***nat
>>>-A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21
>>>-j ACCEPT

As I said above, the nat table is not intended for filtering, and it is
a bad idea to filter in the nat table.

>>>-A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
>>>
>>>***filter
>>>-A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state
>>>--state NEW,ESTABLISHED,RELATED -j ACCEPT
>>>-A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state
>>>ESTABLISHED,RELATED -j ACCEPT
>>>
>>>*************
>>>modprobe ip_conntrack; modprobe ip_conntrack_ftp; modprobe ip_nat_ftp

In order for active FTP transfers to work, you need to:
- accept the control connection (port 21) NEW and ESTABLISHED packets
from inside to outside; OK, done in the first FORWARD rule;
- accept the control connection ESTABLISHED packets from outside to
inside; OK, done in the second FORWARD rule;
- accept the data connection RELATED and ESTABLISHED packets from
outside to inside; not OK, not done in either rule;
- accept the data connection (port != 21) ESTABLISHED packets from
inside to outside; not OK, not done in either rule.

The rule
-A FORWARD -i $EXT -o $LAN -m state --state ESTABLISHED,RELATED \
-p tcp -j ACCEPT

alone won't solve the problem because it accepts only data connection
packets from outside to inside; packets from inside to outside are
still dropped. So you also need something like

-A FORWARD -o $EXT -i $LAN -m state --state ESTABLISHED \
-p tcp -j ACCEPT


--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
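The complete ruleset the reply above describes, written out as an added example (it is not code from the original post or from the list). Interface names eth0 (LAN) and eth1 (EXT) and the LAN prefix 192.168.1.0/26 are assumptions taken from the thread and can be overridden through environment variables; filtering is done only in the filter table, and the nat table keeps ACCEPT policies and just masquerades:

```shell
#!/bin/sh
# Added example, not from the original post: forwarding rules for active-mode
# FTP clients on a masqueraded LAN behind a Debian router.
# Assumptions: eth0 is the LAN side, eth1 the external side, LAN prefix
# 192.168.1.0/26 (all taken from the thread; override via the environment).
LAN=${LAN:-eth0}
EXT=${EXT:-eth1}
LANNET=${LANNET:-192.168.1.0/26}

# Print the ruleset in iptables-restore format on stdout.
ftp_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LANNET -o $EXT -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. control connection (port 21), LAN -> outside, new and established
-A FORWARD -i $LAN -o $EXT -s $LANNET -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# 2. outside -> LAN: control replies (ESTABLISHED) plus the active-mode data
#    connection the server opens towards the client, which the FTP conntrack
#    helper marks RELATED after parsing the client's PORT command
-A FORWARD -i $EXT -o $LAN -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. LAN -> outside half of that data connection (port != 21), ESTABLISHED only
-A FORWARD -i $LAN -o $EXT -s $LANNET -p tcp -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules in the generated set (a quick sanity check).
forward_rule_count() {
    ftp_ruleset | grep -c '^-A FORWARD'
}

# With --apply, load the conntrack helpers and install the rules atomically;
# without it, only print the ruleset for review.
if [ "$1" = "--apply" ]; then
    # Module names as used in the thread (2.6-era kernels); on current kernels
    # they are nf_conntrack_ftp and nf_nat_ftp, so fall back to those.
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    modprobe ip_nat_ftp 2>/dev/null || modprobe nf_nat_ftp
    ftp_ruleset | iptables-restore
else
    ftp_ruleset
fi
```

Run it without arguments to inspect the rules, and with `--apply` as root to load them. Rule 2 is the one that actually admits the server-initiated data connection: without the ip_conntrack_ftp helper loaded, that connection is never classified RELATED and is dropped by the FORWARD policy, which is exactly the symptom in the original question (port 21 connects, transfers hang).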
