Re: iptables not so stateful
Eric Gaumer wrote:
> On Fri, 2004-08-13 at 09:20, Clement wrote:
>> And I cannot do ftp. All the data mode traffic of FTP is blocked.
>> Apparently the ESTABLISHED,RELATED specification is not followed. The
>> module ipt_state is there and executing the above does not show any
>> error message. I have tried "modprobe ipt_state" before the above to no
>> success. Any idea?
> You have to use passive FTP for connection tracking to work. If you use
> active then the connection tracking module won't be able to follow the
> connection.
My firewall is a Powermac running Woody plus shorewall.
summer@Dolphin:~$ ftp ftp.wa.au.debian.org
Connected to ftp.wa.au.debian.org.
220 ProFTPD 1.2.9 Server (Informed Technology FTP Server)
[poledra.it.net.au]
<snip excess commentary>
230-
230 Anonymous access granted, restrictions apply.
bin
200 Type set to I
prompt
Interactive mode off.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pas
Passive mode on.
ftp> pas
Passive mode off.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
lrwxrwxrwx 1 ftpadm staff 20 Dec 24 2003 debian -> mirrors/linux/debian
lrwxrwxrwx 1 ftpadm staff 27 Dec 24 2003 debian-non-US -> mirrors/linux/debian-non-US
lrwxrwxrwx 1 ftpadm staff 24 Dec 24 2003 debian-www -> mirrors/linux/debian-www
drwx------ 2 root system 16384 Dec 24 2003 lost+found
-rw-r--r-- 1 ftpadm staff 56004951 Aug 14 02:12 ls-lR
-rw-r--r-- 1 ftpadm staff 7040958 Aug 14 02:12 ls-lR.gz
-rw-r--r-- 1 ftpadm staff 467421 Aug 14 02:14 ls-lR.patch.gz
-rw-r--r-- 1 ftpadm staff 22 Aug 14 02:14 ls-lR.times
drwxr-xr-x 12 ftpadm staff 4096 May 24 05:00 mirrors
drwxr-xr-x 3 ftpadm staff 4096 Feb 27 05:47 pub
-rw-r--r-- 1 ftpadm staff 16 May 5 2003 timezone
drwxr-xr-x 4 root system 4096 Jul 20 08:04 tmp
-rw-r--r-- 1 root system 717 Dec 25 2003 welcome.msg
226 Transfer complete.
ftp>
As you can see, I do not need to use passive ftp. I've always thought
that's what connection tracking's for.
Here are my shorewall rules:
fw:/etc/shorewall# grep -v ^# rules
ACCEPT coco2 loc all
ACCEPT loc coco2 all
ACCEPT coco2 $FW all
ACCEPT $FW coco2 all
ACCEPT $FW net udp 5000,5001
ACCEPT loc net udp 5000,5001
ACCEPT $FW net:203.34.16.107 4
ACCEPT net:203.34.16.107 $FW 4
ACCEPT loc $FW tcp ssh,www,443,smtp,110
ACCEPT net $FW tcp ssh,www,443,smtp
ACCEPT $FW net tcp ssh
ACCEPT loc net tcp 110
ACCEPT loc $FW tcp 110
ACCEPT $FW net tcp www,ftp,smtp,time,110
ACCEPT $FW loc tcp smtp
ACCEPT $FW net udp ntp
ACCEPT $FW loc tcp 37
ACCEPT $FW loc udp syslog
--
Cheers
John
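Added example, not part of the thread: a Python sketch of what the kernel's FTP connection-tracking helper (ip_conntrack_ftp on 2.4-era kernels) does when it reads the control channel, which is what lets ESTABLISHED,RELATED match the data connection of an active-mode session like the one above. It parses PORT commands and 227 passive replies into the data connection to expect and records who opens it; in active mode that connection arrives inbound from the server, which a ruleset without the helper has no reason to accept. Addresses and control lines are constructed.

```python
import re
import ipaddress

# Constructed control-channel lines (hypothetical addresses), modelled on the
# session quoted in the thread: the client announces a port with PORT, the
# server answers "200 PORT command successful" and then connects back to it.
SAMPLE_CONTROL_LINES = [
    "PORT 192,168,1,20,4,1",
    "200 PORT command successful",
    "LIST",
    "227 Entering Passive Mode (203,0,113,7,195,80)",
    "PORT 192,168,1,20,300,1",   # malformed: field out of range, must be ignored
]

SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + SIX + r"\s*$")
PASV_RE = re.compile(r"^227\b.*\(" + SIX + r"\)")

def parse_endpoint(fields):
    """Turn the six decimal fields into (ip, port), or None if any field is invalid."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return str(ip), nums[4] * 256 + nums[5]

def expected_data_connections(lines, client_ip, server_ip):
    """Return the data connections a conntrack helper would mark RELATED.

    Each entry is (mode, src_ip, dst_ip, dst_port). In active mode the server
    opens the data connection towards the client, so a firewall in front of
    the client sees a new inbound connection; in passive mode the client opens it.
    """
    expectations = []
    for line in lines:
        m = PORT_RE.match(line)
        if m:
            ep = parse_endpoint(m.groups())
            if ep and ep[0] == client_ip:   # ignore announcements for third parties
                expectations.append(("active", server_ip, ep[0], ep[1]))
            continue
        m = PASV_RE.match(line)
        if m:
            ep = parse_endpoint(m.groups())
            if ep and ep[0] == server_ip:
                expectations.append(("passive", client_ip, ep[0], ep[1]))
    return expectations

if __name__ == "__main__":
    for e in expected_data_connections(SAMPLE_CONTROL_LINES, "192.168.1.20", "203.0.113.7"):
        print(e)
```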