[LARTC] ip_conntrack_ftp

raptor raptor@tvskat.net
Tue, 11 May 2004 10:09:46 +0300


yep, my config is very similar, i.e.:

iptables -N block
iptables -A block -i $ifInt0 -j ACCEPT
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -j DROP


iptables -A INPUT -i $ifWan0 -j services
iptables -A FORWARD -i $ifWan0 -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block

I also added this (do I really need it in my config? I'm allowing everything from inside anyway):
> iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT

after ESTABLISHED,RELATED, but still can do active FTP.

"services" is for giving access to well-known services...
I'm not using NAT.



On Mon, 10 May 2004 21:37:27 +0100
Andy Furniss <andy.furniss@dsl.pipex.com> wrote:

> raptor wrote:
> > As read here :
> > http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
> > 
> > modprobe ip_conntrack_ftp
> > would give me the ability to use active ftp if I have (pseudo/simplified code)
> > 
> > iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -j DROP
> > 
> > but I can't use active FTP, WHAT IS WRONG..  eth0 is the internal interface..
> > 
> 
> If you are NATing, use ip_nat_ftp as well.
> 
> Not sure that that firewall rule is OK - but then I don't know what else 
> you have.
> 
> My firewall is a direct copy and paste from one of Rusty's guides - ppp0 
> is my external interface -
> 
> ## Create chain which blocks new connections, except if coming from inside.
> 
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A block -j DROP
> 
> ## Jump to that chain from INPUT and FORWARD chains.
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
> 
> Andy.
> 
>
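The thread turns on why a plain ESTABLISHED,RELATED rule is not enough for active FTP: the server opens the data connection back to the client, and that inbound SYN is only RELATED if the ip_conntrack_ftp helper saw the client's PORT command on the control channel and registered an expectation. The following is an added toy model of that mechanism and of the `block` chain above; it is not code from the list posts, and the interface names (eth0 internal, eth1 external), addresses and the PORT line are constructed for the example.

```python
import re

LAN, WAN = "eth0", "eth1"  # assumed interface names (eth0 is internal, as in the thread)

class Conntrack:
    """Toy model of the kernel state table plus the ip_conntrack_ftp helper."""

    def __init__(self, ftp_helper_loaded):
        self.ftp_helper_loaded = ftp_helper_loaded
        self.expectations = set()  # (dst_ip, dst_port) pairs the helper expects

    def watch_control_channel(self, line):
        """Inspect one client->server line of the FTP control connection.
        PORT h1,h2,h3,h4,p1,p2 announces the client's listening socket for active
        mode; the helper registers it so the server's data SYN becomes RELATED."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line.strip())
        if not (self.ftp_helper_loaded and m):
            return None  # helper not loaded, or not a PORT command: nothing learned
        ip = ".".join(m.groups()[:4])
        port = int(m.group(5)) * 256 + int(m.group(6))
        self.expectations.add((ip, port))
        return ip, port

    def classify_syn(self, dst_ip, dst_port):
        """A SYN is RELATED if the helper expected it (expectation consumed), else NEW."""
        if (dst_ip, dst_port) in self.expectations:
            self.expectations.remove((dst_ip, dst_port))
            return "RELATED"
        return "NEW"

def block_chain(in_iface, state):
    """The 'block' chain from the thread, expressed as a decision function."""
    if in_iface == LAN:                         # -A block -i $ifInt0 -j ACCEPT
        return "ACCEPT"
    if state in ("ESTABLISHED", "RELATED"):     # -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
        return "ACCEPT"
    return "DROP"                               # -A block -j DROP

def active_ftp_data_verdict(ftp_helper_loaded):
    """Constructed scenario: internal client 192.168.1.10 sends PORT 192,168,1,10,4,1
    (port 4*256+1 = 1025); the external server then connects from port 20 to that
    socket, and the SYN arrives on the WAN interface. Returns the chain's verdict."""
    ct = Conntrack(ftp_helper_loaded)
    ct.watch_control_channel("PORT 192,168,1,10,4,1")
    state = ct.classify_syn("192.168.1.10", 1025)
    return block_chain(WAN, state)

if __name__ == "__main__":
    print("with ip_conntrack_ftp:   ", active_ftp_data_verdict(True))   # ACCEPT
    print("without ip_conntrack_ftp:", active_ftp_data_verdict(False))  # DROP
```

The model only covers the filtering side; with NAT in play the PORT payload itself must also be rewritten, which is the separate ip_nat_ftp module Andy mentions.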