[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ip_conntrack_ftp

With IP Tables, the input and output chains apply to the traffic of the box itself.

 If this box is a router, you should include the established state rules (and
any other traffic you want to control/shape) in the FORWARD chain, so it affects
the hosts or networks the router is forwarding packets to and from.


Mensaje citado por Solymos Péter <giraff@pingu.wigner.bme.hu>:

> Greetings,
> I have some interesting problems with connection tracking. I have opened
> the
> ftp ports to all IP-s listed in the userIP chain like this:
> Chain INPUT
> ACCEPT     all  --  anywhere             anywhere           state
> userIP     tcp  --  anywhere             anywhere           tcp
> dpts:ftp-data:ftp
> Chain userIP
> ACCEPT     all  --  193.xxx.xxx.xxx       anywhere
> ACCEPT     all  --  146.xxx.xxx.xxx       anywhere
> ACCEPT     all  --  195.xxx.xxx.xxx       anywhere
> etc.
> Problem is:
> It works with all IP-s except for 2, both of them are proxies. For the one
> it was enough to accept any traffic from that IP with a line like this:
> iptables -I INPUT -s <that IP> -j ACCEPT
> Of course that is not the proper solution, I'll have to figure out the prob
> and fix it some other time, but it works at least.
> The other IP doesn't work at all, ftp stops at the PORT command. Log entry:
> Apr 18 12:46:57 pingu kernel: IN=eth0 OUT=
> MAC=00:40:f6:4c:11:8c:aa:00:04:00:01:04:08:00 SRC=195.xxx.xxx.xxx
> DST=152.xxx.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=123
>  ID=11796 DF PROTO=TCP SPT=3100 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
> Apr 18 12:47:00 pingu wu-ftpd[6941]: FTP LOGIN FROM blablabla.hu
> [195.xxx.xxx.xxx], lujo
> Apr 18 12:47:27 pingu wu-ftpd[6941]: refused PORT,3102 from
> blablabla.hu [195.xxx.xxx.xxx]
> Apr 18 12:51:33 pingu wu-ftpd[6941]: refused PORT,3122 from
> blablabla.hu [195.xxx.xxx.xxx]
> etc.
> I tried to accept any traffic from that IP, didn't work out. Disabling the
> firewall did anyway, so there must be some rule missing to fix this, or is
> iptables that buggy? I can't imagine why conntrack_ftp isn't able to handle
> that PORT command from that particular IP. Any ideas?
> Thx in advance
> giraff
> -- 
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org



"We will kill them all........most of them."


Reply to: