Mailinglist Archive: opensuse (2575 mails)
[opensuse] Manual Netfilter (IPTables) using ip_conntrack_ftp and ip_nat_ftp
- From: "LLLActive@xxxxxxx" <LLLActive@xxxxxxx>
- Date: Tue, 10 Feb 2009 14:37:31 +0100
- Message-id: <4991831B.8040909@xxxxxxx>
Hi all,
Config: NO SUSEfirewall2 in use. IPTables are in a script and loaded with "bash
rules.sh"
I got active FTP going (Ports 20 & 21), but as soon as I logged in on
an external FTP server and want to list the directory, I have no
response. I have gathered that the problem is with the passive FTP mode
it switches to. How do I cater for passive FTP with an IPTABLES command?
The active command in a rules.sh script is:
~~~~~~~ START (part of rules.sh script) ~~~~~~~~~~
#### variables #####
# net all
NET_ALL='0.0.0.0/0'
# external interface
IF_EXT='eth0'
IP_EXT='10.9.8.1'
NET_EXT='10.9.8.0/24'
BCAST_EXT='10.9.8.255'
# internal interface
IF_INT='eth1'
IP_INT='10.8.0.1'
NET_INT='10.8.0.0/24'
BCAST_INT='10.8.0.255'
......
# ports
p_high='1024:65535'        # unprivileged client port range
plist_ftp='20 21'          # FTP data (20) and control (21) ports
......
# FTP
for p_ftp in $plist_ftp; do
    # use these rules for every port in $plist_ftp
    # outbound: internal clients may open connections to port $p_ftp
    iptables -A FORWARD -i $IF_INT -o $IF_EXT -p TCP -s $NET_INT -d $NET_ALL \
        --sport $p_high --dport $p_ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    # inbound: only replies on already established connections from port $p_ftp
    iptables -A FORWARD -i $IF_EXT -o $IF_INT -p TCP -s $NET_ALL -d $NET_INT \
        --sport $p_ftp --dport $p_high -m state --state ESTABLISHED -j ACCEPT
done
~~~~~~ END ~~~~~~
I have seen references to loading the kernel modules ip_conntrack_ftp and
ip_nat_ftp. Because I do not use SUSEfirewall2, the modules ip_conntrack_ftp
and ip_nat_ftp do not load, it seems. I do not find any trace of them, because
with 'modprobe -v ip_conntrack_ftp' or 'modprobe -v ip_nat_ftp' I get no
response or verbose output.
With "/sbin/insmod ip_conntrack_ftp" I get:
insmod: can't read 'ip_conntrack_ftp': No such file or directory
I have done YaST searches on all available repos, rpm searches and googled, to
no avail. Where do I get these modules for OpenSUSE 10.3?
TIA
Al
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
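The following script is an added example and not code from the post above; it shows one way to cater for passive FTP in a hand-written iptables ruleset by loading the kernel's FTP connection-tracking helper and accepting the data connections it marks RELATED, instead of opening a range of high ports. It assumes (none of this is stated in the post) that kernels from 2.6.20 on name the helper modules nf_conntrack_ftp and nf_nat_ftp, the 2.6.22 kernel of openSUSE 10.3 included, while older kernels name them ip_conntrack_ftp and ip_nat_ftp, and that kernels from 4.7 on no longer attach helpers automatically, so the control connection has to be handed to the helper with the CT target. The interface and network names are copied from the poster's rules.sh; the function names, the PORT_FTP variable and the IPT override are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: passive FTP through a
# hand-written iptables FORWARD chain, using the kernel FTP conntrack helper.
#
# Assumptions (not stated in the post): kernels from 2.6.20 on name the helper
# modules nf_conntrack_ftp / nf_nat_ftp (openSUSE 10.3 ships 2.6.22), older
# kernels name them ip_conntrack_ftp / ip_nat_ftp; kernels from 4.7 on do not
# attach helpers automatically, so the control connection must be handed to
# the helper with the CT target. Interface/network names copied from rules.sh.

IF_EXT='eth0'
IF_INT='eth1'
NET_INT='10.8.0.0/24'
NET_ALL='0.0.0.0/0'
PORT_FTP='21'

# Set IPT=echo to print the rules instead of loading them into the kernel.
IPT="${IPT:-iptables}"

# kernel_at_least VERSION MAJOR MINOR [PATCH]: true if a version string such
# as "2.6.22.5-31-default" is at least MAJOR.MINOR.PATCH.
kernel_at_least() {
    local want="$(( $2 * 1000000 + $3 * 1000 + ${4:-0} ))" a b c
    set -- $(printf '%s\n' "$1" | tr '.-' '  ')
    a="${1:-0}"; b="${2:-0}"; c="${3:-0}"
    c="${c%%[!0-9]*}"; c="${c:-0}"      # "0rc3"-style third field -> "0"
    [ "$(( a * 1000000 + b * 1000 + c ))" -ge "$want" ]
}

# ftp_helper_modules VERSION: conntrack and NAT helper module names for
# that kernel (the NAT helper rewrites PORT/PASV payloads when the
# gateway does NAT; loading it without NAT is harmless).
ftp_helper_modules() {
    if kernel_at_least "$1" 2 6 20; then
        echo 'nf_conntrack_ftp nf_nat_ftp'
    else
        echo 'ip_conntrack_ftp ip_nat_ftp'
    fi
}

# load_ftp_helper VERSION: modprobe both modules, then confirm the conntrack
# helper really is present, since a silent modprobe proves nothing.
load_ftp_helper() {
    local mod
    for mod in $(ftp_helper_modules "$1"); do
        modprobe "$mod" || return 1
    done
    lsmod | grep -q -e '^nf_conntrack_ftp' -e '^ip_conntrack_ftp'
}

# FORWARD rules. The control channel is the only connection a client opens
# by itself. Data connections, active (server port 20 -> client) or passive
# (client -> server high port), are announced on the control channel via
# PORT/PASV, which the helper parses, so conntrack classifies them RELATED
# and no range of high ports has to be opened in either direction.
ftp_forward_rules() {
    $IPT -A FORWARD -i "$IF_INT" -o "$IF_EXT" -p tcp -s "$NET_INT" -d "$NET_ALL" \
        --dport "$PORT_FTP" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$IF_INT" -o "$IF_EXT" -p tcp -s "$NET_INT" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$IF_EXT" -o "$IF_INT" -p tcp -d "$NET_INT" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# On kernels from 4.7 on, hand the control connection to the "ftp" helper
# explicitly in the raw table; without this the helper is loaded but idle.
ftp_helper_assign_rules() {
    $IPT -t raw -A PREROUTING -i "$IF_INT" -p tcp -s "$NET_INT" \
        --dport "$PORT_FTP" -j CT --helper ftp
}

apply_ftp_rules() {
    local ver
    ver="$(uname -r)"
    load_ftp_helper "$ver" || { echo "FTP helper not loaded" >&2; return 1; }
    if kernel_at_least "$ver" 4 7; then ftp_helper_assign_rules; fi
    ftp_forward_rules
}

# "sh ftp-passive.sh apply" loads the helper and the rules; with no argument
# the functions are only defined, e.g. for sourcing from rules.sh.
if [ "${1:-}" = apply ]; then apply_ftp_rules; fi
```

With IPT=echo the rules are printed rather than loaded, which is a cheap way to review them before touching a live gateway. The two RELATED,ESTABLISHED rules replace the blanket --sport/--dport 1024:65535 pairs of the original script: only connections the helper has predicted from the control channel are let through, which is both what makes passive mode work and what keeps the high-port range closed to everything else.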