* Proper detection of FTP-DATA
@ 2005-12-06 14:48 Pieter De Wit
From: Pieter De Wit @ 2005-12-06 14:48 UTC
  To: netfilter-devel


Hello Guys,
 
How would you properly match FTP-DATA connections? I have tried the
following and after checking the man pages, this should work?!?
 
iptables -A INPUT -p tcp -m tcp --dport=21 # For FTP-CTRL
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT

Let's just say outbound is ACCEPT *
 
For passive FTP that should work, since the firewall (which is on the
FTP Server) can match that? Or can it?
 
Thanks,
 
Pieter


* Re: Proper detection of FTP-DATA
@ 2005-12-06 15:09 Krzysztof Oledzki
From: Krzysztof Oledzki @ 2005-12-06 15:09 UTC
  To: Pieter De Wit; +Cc: netfilter-devel

On Tue, 6 Dec 2005, Pieter De Wit wrote:

> Hello Guys,
>
> How would you properly match FTP-DATA connections? I have tried the
> following and after checking the man pages, this should work?!?
>
> iptables -A INPUT -p tcp -m tcp --dport=21 # For FTP-CTRL
> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -m state --state RELATED -j ACCEPT
>
> Let's just say outbound is ACCEPT *
>
> For passive FTP that should work, since the firewall (which is on the
> FTP Server) can match that? Or can it?

All you need is:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT

and:
modprobe ip_conntrack_ftp

You can also use a less restricted version:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Best regards,

 			Krzysztof Olędzki

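As an added illustration (not part of the thread and not the netfilter code itself), a small Python model of why the `ftp` helper has to be loaded before `RELATED` can match the data connection: it parses the PASV reply or PORT command on the control channel the way the helper does and derives the data-connection tuple the helper registers as an expectation. Addresses and control lines are constructed samples; the "announced address must equal the sender's address" rule models the helper's non-loose default and is an assumption about that behaviour.

```python
import re

# Constructed sample addresses (documentation ranges), not from the thread.
CLIENT = "198.51.100.7"
SERVER = "192.0.2.10"

# 227 reply (passive) and PORT command (active) both carry h1,h2,h3,h4,p1,p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(fields):
    """Decode the six decimal bytes FTP uses to announce an address and port."""
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in FTP address")
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port


def expectation(ctrl_line, sender, peer, loose=False):
    """Model of the expectation the ftp helper registers after seeing one
    control-channel line sent by `sender` to `peer`: the (src, dst, dport)
    of the data connection that will be classified RELATED, or None.
    With loose=False (modelled on the helper's default) an announced address
    that differs from the sender's own is ignored, so a crafted PASV reply or
    PORT command cannot open a hole towards a third host."""
    m = PASV_RE.match(ctrl_line) or PORT_RE.match(ctrl_line)
    if not m:
        return None
    host, port = decode_hostport(m.groups())
    if host != sender and not loose:
        return None
    # PASV reply: the peer (client) connects to the sender (server).
    # PORT command: the peer (server) connects to the sender (client).
    return (peer, host, port)


def is_related(exp, src, dst, dport):
    """Would a SYN src -> dst:dport hit the registered expectation?"""
    return exp is not None and exp == (src, dst, dport)


if __name__ == "__main__":
    # Server answers the client's PASV with port 195*256+149 = 50069.
    exp = expectation("227 Entering Passive Mode (192,0,2,10,195,149)", SERVER, CLIENT)
    print(exp, is_related(exp, CLIENT, SERVER, 50069))  # RELATED, accepted
    print(is_related(exp, CLIENT, SERVER, 50070))       # NEW, falls through
```

Without the helper no expectation exists at all, so the data SYN arrives as NEW on the server's INPUT chain and only the control-port rule matches, which is exactly the case the first post asks about.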

* Re: Proper detection of FTP-DATA
@ 2006-01-03 7:08 Jan Engelhardt
From: Jan Engelhardt @ 2006-01-03 7:08 UTC
  To: Krzysztof Oledzki; +Cc: Pieter De Wit, netfilter-devel


>> How would you properly match FTP-DATA connections? I have tried the
>> following and after checking the man pages, this should work?!?
>> 
>> iptables -A INPUT -p tcp -m tcp --dport=21 # For FTP-CTRL
>> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
>> iptables -A INPUT -m state --state RELATED -j ACCEPT

You could also use -m layer7 ;-)
http://l7-filter.sf.net/


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/

