Re: ip_conntrack_ftp
With IP Tables, the input and output chains apply to the traffic of the box itself.
If this box is a router, you should include the established state rules (and
any other traffic you want to control/shape) in the FORWARD chain, so it affects
the hosts or networks the router is forwarding packets to and from.
Message quoted from Solymos Péter <giraff@pingu.wigner.bme.hu>:
> Greetings,
>
> I have some interesting problems with connection tracking. I have opened the
> ftp ports to all IP-s listed in the userIP chain like this:
>
> Chain INPUT
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> userIP tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
>
> Chain userIP
> ACCEPT all -- 193.xxx.xxx.xxx anywhere
> ACCEPT all -- 146.xxx.xxx.xxx anywhere
> ACCEPT all -- 195.xxx.xxx.xxx anywhere
> etc.
>
> Problem is:
> It works with all IP-s except for 2, both of them are proxies. For the one
> it was enough to accept any traffic from that IP with a line like this:
>
> iptables -I INPUT -s <that IP> -j ACCEPT
>
> Of course that is not the proper solution, I'll have to figure out the prob
> and fix it some other time, but it works at least.
> The other IP doesn't work at all, ftp stops at the PORT command. Log entry:
>
> Apr 18 12:46:57 pingu kernel: IN=eth0 OUT= MAC=00:40:f6:4c:11:8c:aa:00:04:00:01:04:08:00 SRC=195.xxx.xxx.xxx DST=152.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=11796 DF PROTO=TCP SPT=3100 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
> Apr 18 12:47:00 pingu wu-ftpd[6941]: FTP LOGIN FROM blablabla.hu [195.xxx.xxx.xxx], lujo
> Apr 18 12:47:27 pingu wu-ftpd[6941]: refused PORT 192.168.3.13,3102 from blablabla.hu [195.xxx.xxx.xxx]
> Apr 18 12:51:33 pingu wu-ftpd[6941]: refused PORT 192.168.3.13,3122 from blablabla.hu [195.xxx.xxx.xxx]
> etc.
>
> I tried to accept any traffic from that IP, didn't work out. Disabling the
> firewall did anyway, so there must be some rule missing to fix this, or is
> iptables that buggy? I can't imagine why conntrack_ftp isn't able to handle
> that PORT command from that particular IP. Any ideas?
>
> Thx in advance
> giraff
>
José
-------------
"We will kill them all........most of them."