Re: Iptables and FTP problem
Mahdi Rahimi wrote:
> My rules for passive FTP look like this and work without problem, but I
> want my LAN to work in active FTP.
>
> ###control connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport 21 \
>   -m state --state NEW,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 21 -d $LAN --dport 1024:65535 \
>   -m state --state RELATED,ESTABLISHED -j ACCEPT
RELATED is not needed for the control connections.
> ###data connection
> $IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT --dport \
>   1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
> $IPTABLES -A FORWARD -p tcp -s $EXT --sport 1024:65535 -d $LAN --dport \
>   1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
This is getting confusing. In your previous messages, $LAN and $EXT were
used in -i and -o options, meaning they contain interface names. Now
they are used in -s and -d options, meaning they contain addresses or
network address prefixes. So what are $LAN and $EXT?
Assuming that $LAN and $EXT contain network prefixes (respectively
192.168.1.0/26 and 0.0.0.0/0 according to your previous messages), you
need to add the following rules in order to allow transfers in active mode:
$IPTABLES -A FORWARD -p tcp -s $EXT --sport 20 -d $LAN \
--dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s $LAN --sport 1024:65535 -d $EXT \
--dport 20 -m state --state ESTABLISHED -j ACCEPT
However I recommend filtering at least on the input interface and not
only on the source address, because the source address can be forged.
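The rules above rely on the RELATED state, which the FTP connection-tracking helper supplies by reading the client's PORT command and registering the server-to-client data connection (port 20 to the announced ephemeral port) before it appears. The following added example (not from the list author) models that step: it parses a PORT command, derives the expected data-connection tuple, and, like the kernel helper's default non-loose behaviour, refuses to register an expectation when the announced address is not the control connection's own source, which is why a forged address in PORT does not open a hole through the filter. Addresses and the `loose` flag are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple


class Expectation(NamedTuple):
    """Data connection the firewall will then match as RELATED."""
    src: str    # FTP server address; active mode uses source port 20
    sport: int
    dst: str    # client address announced in the PORT command
    dport: int


def parse_port_command(line: str) -> Tuple[str, int]:
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (address, port)."""
    verb, _, args = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    fields = [int(x) for x in args.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]   # high byte, low byte
    return host, port


def expect_active_data(control_src: str, server: str, line: str,
                       loose: bool = False) -> Optional[Expectation]:
    """Return the RELATED expectation for an active-mode transfer, or None.

    control_src: source address of the control connection (the client).
    server:      FTP server address seen on the control connection.
    loose:       constructed flag mirroring the helper's 'loose' option;
                 when False, a PORT naming another host is ignored.
    """
    host, port = parse_port_command(line)
    if not loose and ipaddress.ip_address(host) != ipaddress.ip_address(control_src):
        return None          # announced address is not the client itself
    if port < 1024:
        return None          # outside the unprivileged range the rules allow
    return Expectation(src=server, sport=20, dst=host, dport=port)


# Constructed sample: LAN client 192.168.1.10 talking to server 203.0.113.5
CLIENT_PORT_CMD = "PORT 192,168,1,10,4,1"          # 4*256 + 1 = port 1025
EXPECTED = expect_active_data("192.168.1.10", "203.0.113.5", CLIENT_PORT_CMD)
```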