
Re: ip_conntrack_ftp



With iptables, the INPUT and OUTPUT chains apply to the traffic of the box itself.

If this box is a router, you should include the established state rules (and
any other traffic you want to control/shape) in the FORWARD chain, so it affects
the hosts or networks the router is forwarding packets to and from.

Message quoted from Solymos Péter <giraff@pingu.wigner.bme.hu>:

> Greetings,
> 
> I have some interesting problems with connection tracking. I have opened
> the ftp ports to all IPs listed in the userIP chain like this:
> 
> Chain INPUT
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> userIP     tcp  --  anywhere             anywhere           tcp dpts:ftp-data:ftp
> 
> Chain userIP
> ACCEPT     all  --  193.xxx.xxx.xxx       anywhere
> ACCEPT     all  --  146.xxx.xxx.xxx       anywhere
> ACCEPT     all  --  195.xxx.xxx.xxx       anywhere
> etc.
> 
> Problem is:
> It works with all IPs except for 2, both of them are proxies. For the one
> it was enough to accept any traffic from that IP with a line like this:
> 
> iptables -I INPUT -s <that IP> -j ACCEPT
> 
> Of course that is not the proper solution, I'll have to figure out the prob
> and fix it some other time, but it works at least.
> The other IP doesn't work at all, ftp stops at the PORT command. Log entry:
> 
> Apr 18 12:46:57 pingu kernel: IN=eth0 OUT= MAC=00:40:f6:4c:11:8c:aa:00:04:00:01:04:08:00 SRC=195.xxx.xxx.xxx DST=152.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=11796 DF PROTO=TCP SPT=3100 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
> Apr 18 12:47:00 pingu wu-ftpd[6941]: FTP LOGIN FROM blablabla.hu [195.xxx.xxx.xxx], lujo
> Apr 18 12:47:27 pingu wu-ftpd[6941]: refused PORT 192.168.3.13,3102 from blablabla.hu [195.xxx.xxx.xxx]
> Apr 18 12:51:33 pingu wu-ftpd[6941]: refused PORT 192.168.3.13,3122 from blablabla.hu [195.xxx.xxx.xxx]
> etc.
> 
> I tried to accept any traffic from that IP, didn't work out. Disabling the
> firewall did anyway, so there must be some rule missing to fix this, or is
> iptables that buggy? I can't imagine why conntrack_ftp isn't able to handle
> that PORT command from that particular IP. Any ideas?
> 
> Thx in advance
> giraff


José

-------------

"We will kill them all........most of them."
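As an added illustration, not part of either message in this thread, the script below handles the two kinds of log line quoted above from the defender's side: it parses a kernel netfilter LOG entry into its fields, and it decodes the argument of an FTP PORT command and applies the sanity check that makes a server log "refused PORT" (the address in the PORT must be the control connection's own peer and the port must be unprivileged, the anti-bounce rule described in RFC 2577). The check is written here as this example's own logic, not as wu-ftpd's or ip_conntrack_ftp's actual code. The addresses are constructed RFC 5737 documentation addresses standing in for the masked `xxx` octets in the post; the PORT argument `192,168,3,13,12,30` is the raw form of the `192.168.3.13,3102` the server logged.

```python
import ipaddress
import re

# Constructed sample, modelled on the kernel LOG line quoted in the thread.
# The masked "xxx" octets from the post are replaced with RFC 5737
# documentation addresses (assumption, not real hosts).
NETFILTER_LINE = (
    "Apr 18 12:46:57 pingu kernel: IN=eth0 OUT= "
    "MAC=00:40:f6:4c:11:8c:aa:00:04:00:01:04:08:00 SRC=203.0.113.45 "
    "DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=123 "
    "ID=11796 DF PROTO=TCP SPT=3100 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0"
)

# Bare tokens netfilter prints without a value (IP and TCP flags).
FLAG_TOKENS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_netfilter_log(line):
    """Turn a kernel netfilter LOG line into a dict of its KEY=value fields.

    Flag tokens such as SYN or DF carry no value and are stored as True.
    Empty values (OUT= on a locally delivered packet) are kept as "".
    """
    if "kernel:" not in line:
        raise ValueError("not a kernel log line")
    payload = line.split("kernel:", 1)[1]
    fields = dict(KV_RE.findall(payload))
    for token in payload.split():
        if token in FLAG_TOKENS:
            fields[token] = True
    return fields


def is_ftp_control_syn(fields):
    """True for a new TCP connection attempt to the FTP control port."""
    return (fields.get("PROTO") == "TCP"
            and fields.get("DPT") == "21"
            and fields.get("SYN") is True)


def parse_port_command(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command.

    Returns (IPv4Address, port); port is p1*256 + p2, so "12,30" is 3102,
    which is how the server in the thread logs the refused PORT.
    """
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT value out of range")
    addr = ipaddress.IPv4Address(".".join(parts[:4]))
    return addr, nums[4] * 256 + nums[5]


def port_command_is_sane(control_peer, arg):
    """Defensive check for an active-mode data connection request.

    Accept the PORT only if it points back at the host that opened the
    control connection and at an unprivileged port; anything else (a
    private address from behind a proxy, or a third-party target) is refused.
    """
    addr, port = parse_port_command(arg)
    if addr != ipaddress.IPv4Address(control_peer):
        return False
    return port >= 1024


if __name__ == "__main__":
    fields = parse_netfilter_log(NETFILTER_LINE)
    print("FTP control SYN from", fields["SRC"], "->", is_ftp_control_syn(fields))
    # The PORT seen in the thread names a private address, not the peer.
    print("PORT 192,168,3,13,12,30 from 203.0.113.45 accepted:",
          port_command_is_sane("203.0.113.45", "192,168,3,13,12,30"))
```

Running the script shows why the refused lines appear regardless of the firewall: a client behind a proxy or NAT announces its internal address in PORT, which can never equal the peer the server sees on the control connection, so the server refuses the data connection before any conntrack helper is involved. Passive mode (PASV) avoids the problem because the server, not the client, chooses the data endpoint.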


