[ale] FTP/firewall issue

Stephen Pellicer spellicer at 8thlayer.net
Tue Jul 3 13:02:41 EDT 2001


  Bob Kruger wrote:

 >I am still trying to work out a few issues with IPTables and my firewall
 >daemon.
 >
 >Server name:  dbserver
 >Subnet:  192.168.2.0/24
 >FTP daemon software:  ProFTPD
 >Local Class C Network 192.168.2.0/24
 >Interface on dbserver for Local Class c Network:  eth0
 >
 >I do not want to restrict the subnet to using passive mode FTP.  Ports
 >20 and 21 are opened up for all of my subnet on dbserver:
 >
iptables can usually handle this statefully. Have you tried using the
state directives?

# The FTP conntrack helper must be loaded, or no data connection is ever RELATED
modprobe ip_conntrack_ftp
# Replies on the control channel are ESTABLISHED; the data connection is RELATED
iptables -A INPUT -d 192.168.2.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the control channel (port 21) may be opened fresh, and only from the subnet
iptables -A INPUT --proto tcp --destination-port 21 -s 192.168.2.0/24 \
    -m state --state NEW -j ACCEPT

You might want to double check my syntax. But that should allow the back
connections to your machines when ip_conntrack sees connections related
to the ftp transactions. This should be a little more restrictive than
opening broad ranges of ports.

Stephen



--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
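The stateful approach Stephen describes, worked out as a complete ruleset for the setup Bob gave (ProFTPD on dbserver, LAN 192.168.2.0/24 on eth0, active mode allowed). This is an added example for the thread, not code from either poster; the DRY_RUN switch, the log prefix and the modprobe fallback to nf_conntrack_ftp for 2.6+ kernels are assumptions. It covers both directions: passive-mode data connections arrive as RELATED on INPUT, active-mode ones leave from port 20 as RELATED on OUTPUT.

```shell
#!/bin/sh
# Stateful iptables ruleset for an FTP server on a LAN (added example, not the
# poster's script; interface, subnet, log prefix and DRY_RUN are assumptions).
set -eu

LAN_IF="${LAN_IF:-eth0}"                  # interface facing the local class C
LAN_NET="${LAN_NET:-192.168.2.0/24}"      # the subnet allowed to use FTP
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print the commands, 0 = apply them

# Print or run one iptables command. Dry-run output is what gets inspected.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Load the FTP connection-tracking helper. It watches PORT/PASV on the
# control channel (port 21) so the kernel can mark the data connection
# RELATED; without it the RELATED rules below never match FTP data traffic.
load_ftp_helper() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "modprobe ip_conntrack_ftp   # nf_conntrack_ftp on 2.6+ kernels"
    else
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    fi
}

ftp_ruleset() {
    load_ftp_helper

    # Start from an empty filter table with a default-deny policy.
    ipt -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback is always allowed.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Drop packets conntrack cannot place in any connection.
    ipt -A INPUT -m state --state INVALID -j DROP

    # Passive mode: the client opens the data connection to a high port on the
    # server. conntrack marks that SYN RELATED (via the helper), so it is
    # accepted here without opening a range of ports. Replies on the control
    # channel are ESTABLISHED.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Active mode: the server opens the data connection from port 20 to the
    # client. That is an outbound RELATED connection, so OUTPUT needs the same
    # stateful rule. Other outbound traffic the server needs (DNS, NTP, ...)
    # must be added explicitly because OUTPUT defaults to DROP.
    ipt -A OUTPUT -o "$LAN_IF" -d "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only NEW connection accepted is the control channel from the LAN.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Log (rate-limited) whatever falls through before the DROP policy takes it.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ftpfw-drop: "
}

# Prints the ruleset (DRY_RUN=1) or applies it (DRY_RUN=0).
ftp_ruleset
```

Run it with DRY_RUN=1 first and read the output; apply with DRY_RUN=0 only from a console, since a default-deny OUTPUT policy will cut an SSH session if the ESTABLISHED rule is mistyped. On kernels from 3.5 onward the helper is no longer attached automatically; a rule in the raw table of the form `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp` is needed in addition to loading nf_conntrack_ftp.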