Saturday, September 01, 2007

Re: Iptables and FTP problem

Thanks Phil,
But I think port 20 is in the RELATED state and no connection needs to be
established; the ip_conntrack_ftp module must correct this problem.
I have also read previous posts in this mailing list, but can't solve the problem.
My Debian server connects to other FTP servers (OUTSIDE) only in
PASSIVE mode, only and only!!!!!!!! When I forward clients'
sport 1024:65535 to the servers' dport 1024:65535 the problem is solved, but
I can't open these ports and forward them. I want only Active mode (Standard
mode).

My NAT(PREROUTING) and Filter table default Policy is DROP.

Thanks
On Sat, September 1, 2007 19:42, Phil Dyer wrote:
> you need to allow port 20 for the data connection.
>
> phil
>
>
> On 9/1/2007 4:52 AM, Mahdi Rahimi wrote:
>
>> Hello, I have a problem with our clients' outside FTP access via Debian.
>> My LAN users can't start data transfer to outside FTP servers, but they
>> can establish a connection to port 21 on the outside FTP server.
>>
>> I want my LAN users to use FTP clients in ACTIVE mode.
>> My rules:
>>
>> ***nat
>> -A PREROUTING -i $LAN -s 192.168.1.0/26 -p tcp -m multiport --dport 21 -j ACCEPT
>> -A POSTROUTING -s 192.168.1.0/26 -d 0/0 -o eth1 -j MASQUERADE
>>
>>
>> ***filter
>> -A FORWARD -i $LAN -o $EXT -s 192.168.1.0/26 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> -A FORWARD -i $EXT -o $LAN -p tcp --sport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>>
>> *************
>> modprobe ip_conntrack_ftp , ip_conntrack, ip_nat_ftp
>>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org


-------------------------
rahimi{at}eaedu.net
rahimi_m{at}cse.shirazu.ac.ir


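Added illustration, not part of the thread: a Python sketch of what ip_conntrack_ftp and ip_nat_ftp do with an active-mode PORT command from a masqueraded client, and of how the posted FORWARD rules treat the data connection that results. The public address, the client's PORT command and the simplified rule matcher are constructed for the example; the rules themselves are the ones quoted above.

```python
import re
from ipaddress import IPv4Address, IPv4Network
LAN_NET = IPv4Network("192.168.1.0/26")  # LAN range from the posted rules
PUBLIC_IP = IPv4Address("203.0.113.10")  # constructed placeholder: the MASQUERADE address on eth1
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_port(cmd):
    """Decode a client's 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), as ip_conntrack_ftp does."""
    m = PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    f = list(map(int, m.groups()))
    return IPv4Address("%d.%d.%d.%d" % tuple(f[:4])), f[4] * 256 + f[5]

def nat_port(cmd):
    """What ip_nat_ftp does for a masqueraded client: rewrite the private address in PORT.
    Returns the rewritten command and the data connection conntrack now expects (as a packet
    dict): server:20 -> PUBLIC_IP:port, DNATed back to the client, RELATED on its first SYN."""
    ip, port = parse_port(cmd)
    if ip not in LAN_NET:
        raise ValueError("PORT address %s is not in the LAN range" % ip)
    rewritten = "PORT %s,%d,%d" % (str(PUBLIC_IP).replace(".", ","), port // 256, port % 256)
    expected = {"in": "EXT", "out": "LAN", "proto": "tcp", "sport": 20, "dport": port, "state": "RELATED"}
    return rewritten, expected

def first_match(rules, pkt, policy="DROP"):
    """Tiny FORWARD-chain evaluator: the first rule whose fields all match decides, else the policy."""
    for rule in rules:
        if all(pkt["state"] in v if k == "state" else pkt.get(k) == v
               for k, v in rule.items() if k != "target"):
            return rule["target"]
    return policy

# The two FORWARD rules from the original post (the -s match is left out for brevity)
POSTED_RULES = [
    {"in": "LAN", "out": "EXT", "proto": "tcp", "dport": 21,
     "state": {"NEW", "ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    {"in": "EXT", "out": "LAN", "proto": "tcp", "sport": 21,
     "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
]
# Phil's suggestion: also let the server's port-20 data connection back in
FIXED_RULES = POSTED_RULES + [
    {"in": "EXT", "out": "LAN", "proto": "tcp", "sport": 20,
     "state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
]

if __name__ == "__main__":
    cmd, data_syn = nat_port("PORT 192,168,1,5,195,80")  # constructed: client 192.168.1.5 listening on 50000
    print(cmd)                                           # PORT 203,0,113,10,195,80
    print("posted rules:", first_match(POSTED_RULES, data_syn))  # DROP: the SYN comes from port 20, not 21
    print("with port 20:", first_match(FIXED_RULES, data_syn))   # ACCEPT
```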
