[ale] FTP/firewall issue
Stephen Pellicer
spellicer at 8thlayer.net
Tue Jul 3 13:02:41 EDT 2001
Bob Kruger wrote:
>I am still trying to work out a few issues with IPTables and my firewall
>daemon.
>
>Server name: dbserver
>Subnet: 192.168.2.0/24
>FTP daemon software: ProFTPD
>Local Class C Network 192.168.2.0/24
>Interface on dbserver for Local Class c Network: eth0
>
>I do not want to restrict the subnet to using passive mode FTP. Ports
>20 and 21 are opened up for all of my subnet on dbserver:
>
iptables can usually handle this statefully. Have you tried using the
state directives?
iptables -A INPUT -d 192.168.2.0/24 -m state --state RELATED -j ACCEPT
iptables -A INPUT --proto tcp --destination-port 21 -s 192.168.2.0/24 -m state --state NEW -j ACCEPT
You might want to double check my syntax. But that should allow the back
connections to your machines when ip_conntrack sees connections related
to the ftp transactions. This should be a little more restrictive than
opening broad ranges of ports.
Stephen
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
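Editor's added example (not part of Stephen's or Bob's messages): the stateful approach above written out as a complete script for the server side, using Bob's interface name and subnet. It assumes the kernel's FTP connection-tracking helper module is available (nf_conntrack_ftp on current kernels; the 2.4-era name in the thread is ip_conntrack_ftp) and that the host is otherwise not in use, so the default for the interface is to drop. Without the helper loaded, conntrack cannot read the PORT/PASV exchange on the control channel and the data connection is never classified as RELATED, which is the usual reason this setup "doesn't work".

```shell
#!/bin/sh
# Added example: minimal stateful iptables rules for an FTP server that keep
# both active and passive mode working for one trusted subnet.
# Assumed names (not from the original post): IFACE, LAN, FTP_HELPER.
# With DRY_RUN=1 the commands are printed instead of executed, so the
# ruleset can be reviewed on a machine without root or iptables.

IFACE="${IFACE:-eth0}"            # interface facing the local class C
LAN="${LAN:-192.168.2.0/24}"      # subnet allowed to open FTP sessions
FTP_HELPER="${FTP_HELPER:-nf_conntrack_ftp}"   # ip_conntrack_ftp on 2.4 kernels
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_rules() {
    # The helper watches PORT/PASV on the control channel so that the data
    # connection it announces is tracked as RELATED to that session.
    run modprobe "$FTP_HELPER"

    # Replies to accepted sessions, plus passive-mode data connections
    # (client -> server high port) that conntrack ties to a control channel.
    run iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New control connections to port 21, only from the trusted subnet.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport 21 -s "$LAN" -m state --state NEW -j ACCEPT

    # Anything else arriving on this interface is dropped; no broad port
    # range needs to be opened for data channels.
    run iptables -A INPUT -i "$IFACE" -j DROP

    # Active-mode data connections originate on the server (port 20 -> client);
    # if OUTPUT is filtered, the helper marks them RELATED as well.
    run iptables -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Running the script directly applies (or prints) the rules.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    ftp_rules
fi
```

Review the generated commands first with `DRY_RUN=1 ./ftp_rules.sh`, then run as root. The order matters: the ESTABLISHED,RELATED rule must sit before the DROP, and the rules assume the INPUT chain is otherwise empty for this interface.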