Thursday, September 01, 2005

Re: rules for FTP access

> but, once I have loaded contrack ftp modules and I want to permit ftp
> client connections from my private subnet, which is behind eth1, to
> Internet through eth0, I should do:
>
> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 20:21 -j ACCEPT

Yes, that should work. But as others have pointed out, this is good for
passive FTP-connections only, if your clients want to use active FTP, you
need connection tracking (look for a kernel module ip_conntrack_ftp).
In most cases, it's far easier and secure to configure your clients to use
pasive mode than to fiddle with conntrack, many clients work passive by
default.

Active FTP vs. Passive FTP, a Definitive Explanation:
http://slacksite.com/other/ftp.html

Consider using REJECT instead of DROP as target, this way you can save
FTP-servers (and thus your clients) a lot of time if they'd accidentally use
active mode. If you DROP the packets, they would spend a lot of time waiting
for timeouts.

--
Stephan

--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

No comments:

Post a Comment