Re: can't transfer files via ftp
Hi,
dparker@utica.edu wrote:
I use Debian 3.1 (sarge) as a router. I wrote a firewall script;
after I run this script, all the PCs in my LAN can't transfer files
from FTP servers, but I do allow the FTP ports:
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
-d 0/0 -p tcp --dport 20 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
-d 0/0 -p tcp --dport 21 -j ACCEPT
I can connect to the FTP server but I can't transfer. Can anyone give
me some advice?
I had this problem on a Slackware box, and it turned out I needed to
load the ip_conntrack_ftp module. That solved the problem.
Not sure if this is the same in Debian, but I hope this helps.
This module is indeed part of the solution regardless of the Linux
distro. Its fellow ip_nat_ftp is also needed if the router does some
NAT/masquerading. But it is not enough: ip_conntrack_ftp will only set
to the RELATED state the first packet of an FTP data connection, then
you need a rule to accept it. Usually this is done by the following
generic rule placed on top of the ruleset that accepts any replies and
related ICMP messages:
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
If you want to tighten things a little more for FTP:
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
-p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -d $LAN_IP_RANGE \
-p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
In any case you do not need the rule that accepts outbound TCP
connections to port 20 (active FTP-data connection standard source port
used by the server). First, conntrack will take care of this. Second,
the FTP server may actually use any other source port, especially when
it is behind a NAT device.
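The complete ruleset the reply above describes, as an added example that is not code from this thread or from any of its posters: the helper modules are loaded, the generic ESTABLISHED,RELATED rule goes first, only the control connection (port 21) gets an explicit NEW rule, and there is no port 20 rule at all. The interface names, the LAN range and the `APPLY` switch are assumptions for illustration. It also goes beyond the thread in two places: it tries the nf_conntrack_ftp / nf_nat_ftp module names used by current kernels before the ip_* names of the sarge era, and it adds a raw-table `CT --helper ftp` rule, which kernels without automatic helper assignment (Linux 6.0 and later, or nf_conntrack_helper=0) require before ip_conntrack_ftp will mark anything RELATED.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD rules so that LAN clients
# behind a NAT router can use external FTP servers in active and passive
# mode. Interface names and the LAN range are placeholder assumptions.
IPTABLES=${IPTABLES:-iptables}
LAN_IFACE=${LAN_IFACE:-eth1}              # assumed inside interface
INET_IFACE=${INET_IFACE:-eth0}            # assumed outside interface
LAN_IP_RANGE=${LAN_IP_RANGE:-192.168.1.0/24}  # assumed LAN range
APPLY=${APPLY:-0}   # 0 = print the commands (default), 1 = execute them

# Print a command, or run it when APPLY=1 (must be root then).
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi
}

# The FTP helper tracks PORT/PASV commands on the control connection so
# the data connection's first packet is classified RELATED; the NAT helper
# rewrites the address inside those commands when masquerading.
# Current kernels name them nf_conntrack_ftp / nf_nat_ftp; 2.4/2.6-era
# kernels such as Debian sarge use ip_conntrack_ftp / ip_nat_ftp.
load_ftp_helpers() {
    for m in nf_conntrack_ftp nf_nat_ftp ip_conntrack_ftp ip_nat_ftp; do
        run modprobe "$m" 2>/dev/null || true
    done
}

ftp_forward_rules() {
    # 1. Generic rule on top of the ruleset: accepts every reply packet and
    #    every packet the helper marked RELATED (the FTP data connection).
    run $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Only the control connection needs an explicit rule for NEW
    #    packets. No port 20 rule: conntrack handles active-mode data
    #    connections, and a server behind NAT may use any source port.
    run $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_IP_RANGE" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # 3. Kernels without automatic helper assignment (Linux 6.0+, or
    #    nf_conntrack_helper=0) must bind the ftp helper explicitly in the
    #    raw table; older kernels assign it on their own for port 21.
    run $IPTABLES -t raw -A PREROUTING -i "$LAN_IFACE" -s "$LAN_IP_RANGE" \
        -p tcp --dport 21 -j CT --helper ftp

    # 4. Masquerade LAN traffic leaving on the Internet interface; the NAT
    #    helper fixes up the addresses carried in PORT/PASV payloads.
    run $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -s "$LAN_IP_RANGE" \
        -j MASQUERADE
}

load_ftp_helpers
ftp_forward_rules
```

Run it as-is to review the commands it would issue; run it with `APPLY=1` as root to install them. With `-m state --state NEW` on the port 21 rule, a packet that is not the start of a connection cannot slip through that rule, so the ESTABLISHED,RELATED rule is the only way reply and data traffic is accepted.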