[LARTC] ip_conntrack_ftp

Andy Furniss andy.furniss@dsl.pipex.com
Mon, 10 May 2004 21:37:27 +0100


raptor wrote:
> As read here :
> http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
> 
> modprobe ip_conntrack_ftp
> would give me the ability to use active ftp if I have (pseudo/simplified code)
> 
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -j DROP
> 
> but I can't use active ftp, WHAT IS WRONG.. eth0 is the internal interface..
> 

If you are NATing, use ip_nat_ftp as well.

Not sure that firewall rule is OK, but then I don't know what else 
you have.

My firewall is a direct copy and paste from one of Rusty's guides; ppp0 
is my external interface:

## Create chain which blocks new connections, except if coming from inside.

iptables -N block
## Anything conntrack already knows about (including the RELATED data
## connection that ip_conntrack_ftp sets up from the PORT command) passes.
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
## New connections are only allowed if they did NOT arrive on ppp0.
## (Negation is written before the option; "-i ! ppp0" is the older form.)
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

Andy.
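Below is an added example, not part of the LARTC thread or Rusty's guide, that puts the two answers together as one script for a NAT gateway: load both FTP helpers, then install the "block" chain plus masquerading. The interface names (EXT=ppp0, INT=eth0) and the LAN subnet are assumptions. It also adds what a current kernel needs that a 2004 box did not: the helper modules are now called nf_conntrack_ftp and nf_nat_ftp, and since kernel 4.7 helpers are no longer attached to connections automatically (the nf_conntrack_helper sysctl defaulted to 0 and was removed in 6.0), so the ftp helper is bound explicitly in the raw table, and only to port 21, rather than to any traffic the helper might decide to parse. The script prints the rules by default and only applies them when invoked with "apply".

```shell
#!/bin/sh
# Added example (not from the thread): active FTP through a NAT gateway.
# Assumptions: nf_conntrack_ftp/nf_nat_ftp module names (2.6.20+ kernels),
# EXT/INT interface names and LAN subnet are placeholders for your own.
EXT=${EXT:-ppp0}
INT=${INT:-eth0}
LAN=${LAN:-192.168.1.0/24}

# DRY_RUN=1 (the default) echoes each rule instead of running it, so the
# rule set can be reviewed before it is applied to a live box.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_helpers() {
    # nf_conntrack_ftp watches the control channel for PORT/PASV and marks
    # the resulting data connection RELATED; nf_nat_ftp additionally rewrites
    # the address the client announces in PORT, which is what a NAT box needs.
    modprobe nf_conntrack_ftp
    modprobe nf_nat_ftp
}

build_rules() {
    ipt -F
    ipt -t nat -F
    ipt -t raw -F
    ipt -X block 2>/dev/null

    # Bind the ftp helper explicitly and only to port 21 (kernels >= 4.7 do
    # not auto-assign helpers; restricting the port also keeps the helper
    # from parsing arbitrary connections).
    ipt -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    ipt -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp

    # Rusty's "block" chain: known connections pass, NEW only from inside.
    ipt -N block
    ipt -A block -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A block -m conntrack --ctstate NEW ! -i "$EXT" -j ACCEPT
    ipt -A block -j DROP
    ipt -A INPUT -j block
    ipt -A FORWARD -j block

    # Masquerade the LAN out of the external interface.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$EXT" -j MASQUERADE
}

case "${1:-}" in
    apply) DRY_RUN=0; load_helpers; build_rules ;;
    *)     build_rules ;;   # default: print the rules for review
esac
```

Run it with no arguments to see the rules, and with "apply" as root to install them. If active FTP still fails with this in place, check `cat /proc/net/nf_conntrack` (or `conntrack -L`) while a transfer is attempted: the port-21 entry should carry `helper=ftp`, and the data connection should appear as a separate entry rather than being dropped as NEW.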