Re: FTP with iptables
On 08/27/2002 09:35:52 AM muffinman666 wrote:
>> We set up a firewall with iptables and the following settings (as given by
>> "iptables -L"):
>>
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain FORWARD (policy DROP)
>> target prot opt source destination
>> ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
>> ACCEPT tcp -- anywhere anywhere tcp dpt:http
>> ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
>> ACCEPT tcp -- anywhere anywhere tcp dpt:https
>> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>>
>> So we set up an FTP server on a SuSE machine to test the FTP connection. We use
>> proftpd and the connection is fine. But with other FTP servers around the world
>> (for example ftp.kernel.org) it is not possible to do any file transfers. No
>> listing is shown; it seems to be a file transfer over the data channel, too.
>>
>> What can we do to solve this problem?
FTP is a "fun" protocol because it uses two ports: port 20 for data and port 21 for control.

I don't see an iptables rule allowing "ftp-data", which is on port 20; I only see one.

In addition to that, you may also want to try your client in "passive mode". That is totally FTP client specific.

Note that you're only blocking ftp-data via the "FORWARD" chain. If you were blocking the ftp-data via the "INPUT" chain then you wouldn't be able to get to the proftpd running on the firewall. That explains your interesting result.

As regards using SuSE, then why post to debian-firewall? Because all the smart people use Debian? :)
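As an added illustration (not part of this thread), here is a small Python model of the data channel the reply describes: it parses the client's PORT command (active mode) and the server's 227 reply (passive mode), works out which side opens the data connection and to which port, and then applies a simplified version of the quoted FORWARD chain. In both modes the data connection goes to an ephemeral port, so the chain only accepts it once the FTP conntrack helper (ip_conntrack_ftp on the 2.4 kernels of that era) has classified it RELATED; the addresses are RFC 5737 documentation values and the chain model is a constructed simplification.

```python
import re
# Constructed model of the quoted FORWARD chain (policy DROP): a NEW connection
# is accepted only to these ports; anything else needs RELATED/ESTABLISHED.
FORWARD_ACCEPT_DPORTS = {21, 25, 80, 110, 443}
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"

def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> (ip, port); reject fields above 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (nums,))
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_port_cmd(line):
    """Active mode: client sends PORT; server then connects from port 20 to it."""
    m = re.fullmatch(r"PORT " + _SIX, line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())

def parse_pasv_reply(line):
    """Passive mode: server sends 227 (...); client then connects to it."""
    m = re.match(r"227 .*?\(" + _SIX + r"\)", line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    return _decode(m.groups())

def data_connection(mode, line, client_ip, server_ip):
    """Describe the NEW data connection one control line implies. The advertised
    address must be the control peer itself; anything else is rejected."""
    if mode == "active":
        ip, port = parse_port_cmd(line)
        if ip != client_ip:
            raise ValueError("PORT address %s is not the client" % ip)
        return {"initiator": "server", "src": server_ip, "sport": 20,
                "dst": ip, "dport": port}
    ip, port = parse_pasv_reply(line)
    if ip != server_ip:
        raise ValueError("PASV address %s is not the server" % ip)
    return {"initiator": "client", "src": client_ip, "sport": "ephemeral",
            "dst": ip, "dport": port}

def forward_verdict(conn, ftp_helper_loaded):
    if conn["dport"] in FORWARD_ACCEPT_DPORTS:
        return "ACCEPT"  # static dpt rule; never the case for a data port
    if ftp_helper_loaded:
        return "ACCEPT"  # helper parsed PORT/PASV, conntrack marks it RELATED
    return "DROP"        # NEW to an unlisted port falls through to the policy
```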