Ansgar -59cobalt- Wiechers wrote:
> On 2005-09-01 Stephan Balmer wrote:
>>> but, once I have loaded conntrack ftp modules and I want to permit ftp
>>> client connections from my private subnet, which is behind eth1, to
>>> Internet through eth0, I should do:
>>>
>>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 20:21 -j ACCEPT
>>
>> Yes, that should work.
>
> No. He would need either
>
> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 20 -j ACCEPT
>
> or
>
> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 1024: -j ACCEPT
>
> The former is for active FTP, the latter for passive FTP. I *strongly*
> recommend avoiding both and using connection tracking instead.
>
>> But as others have pointed out, this is good for passive FTP
>> connections only; if your clients want to use active FTP, you need
>> connection tracking (look for a kernel module ip_conntrack_ftp).
>
> Wrong. Port 20/tcp on the server is *only* needed for *active* FTP (and
> would then have to be a --sport anyway, since the server initiates the
> data connection). Passive FTP uses TCP ports above 1023 for the data
> connection, which is initiated by the client. However, with connection
> tracking enabled, you only need to allow 21/tcp for both active and
> passive FTP, since the data connection will be RELATED to the already
> ESTABLISHED control connection.

thus, if I understand right, it is enough that I include the lines below in
my iptables script:

$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT

thank you very much,
fabrizio.

>> In most cases, it's far easier and more secure to configure your clients to
>> use passive mode than to fiddle with conntrack; many clients work
>> passive by default.
>
> Without connection tracking that'll work only if you allowed outbound
> connections to non-privileged ports.
>
>> Active FTP vs. Passive FTP, a Definitive Explanation:
>> http://slacksite.com/other/ftp.html
>
> May I suggest you re-read that page yourself?
>
> Regards
> Ansgar Wiechers
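The conntrack-based gateway rule set the thread converges on, written out as a complete script. This is an added example, not a script from any poster in the thread. It assumes the same interface layout (LAN behind eth1, Internet on eth0), a default-DROP FORWARD policy, and the current kernel module names nf_conntrack_ftp / nf_nat_ftp (the thread's ip_conntrack_ftp / ip_nat_ftp are the 2.6-era names). It also adds a raw-table CT rule that explicitly attaches the ftp helper to the control connection: since kernel 4.7 helpers are no longer auto-assigned by default, so without that rule the data connection is never marked RELATED and the single --dport 21 rule silently stops working. With no argument the script prints the rules; with "apply" it executes them (requires root).

```shell
#!/bin/sh
# Added example: FTP through a NAT gateway using connection tracking only.
# Interface names, module names and the default-DROP policy are assumptions.
# Usage:  sh ftp-gateway.sh        -> dry run, prints the rules
#         sh ftp-gateway.sh apply  -> runs them through iptables (as root)

LAN_IF=eth1   # assumed: private subnet side
WAN_IF=eth0   # assumed: Internet side

# Emit the rule set, one command per line, so it can be inspected or piped.
ftp_gateway_rules() {
  cat <<EOF
modprobe nf_conntrack_ftp
modprobe nf_nat_ftp
iptables -P FORWARD DROP
iptables -t raw -A PREROUTING -i $LAN_IF -p tcp --dport 21 -j CT --helper ftp
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Defensive check: the whole point of conntrack here is that nothing opens the
# FTP data ports directly. Fail if a rule matches port 20 or the 1024: range.
lint_rules() {
  if ftp_gateway_rules | grep -qE -- '--[sd]port (20([: ]|$)|1024:)'; then
    echo "rule set opens FTP data ports directly; use conntrack instead" >&2
    return 1
  fi
  return 0
}

lint_rules || exit 1
if [ "${1:-}" = "apply" ]; then
  ftp_gateway_rules | sh -e
else
  ftp_gateway_rules
fi
```

The ESTABLISHED,RELATED rule is direction-agnostic on purpose: the active-mode data connection arrives from the server (eth0 to eth1) and the passive-mode one leaves from the client (eth1 to eth0), and the helper marks both RELATED, so one rule covers both cases without a --sport 20 or --dport 1024: hole. `-m conntrack --ctstate` is the current spelling of the thread's `-m state --state`; both match the same states.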

