Hello,
Sorry, my English is not so good!
I have written my firewall with iptables. I can connect to an FTP server, but I cannot run ls or dir.
linux:~ # ftp ftp.suse.com
Connected to ftp.suse.com (217.9.113.66).
220 "Welcome to the SuSE ftp server: Please login as user 'ftp'"
Name (ftp.suse.com:root): ftp
331 Please send your email address as a password.
Password:
230-+----------------------------------------------------------------+
230-| Welcome to the SuSE Linux FTP archives in Nürnberg Germany |
230-+----------------------------------------------------------------+
230-+------------------------------+ +------------------------------+
230-| SuSE Inc. | | SuSE GmbH |
230-| 318 Harrison St. | | Deutschherrnstr. 15-19 |
230-| Oakland, CA 94607 | | 90429 Nuernberg |
230-| USA | | Germany |
230-+------------------------------+ +------------------------------+
230-| Tel: +1-510-628-3380 | | Tel: +49-911-740530 |
230-| FAX: +1-510-628-3381 | | FAX: +49-911-7417755 |
230-+------------------------------+ +------------------------------+
230-| http://www.suse.com/ | | http://www.suse.de/ |
230-+------------------------------+ +------------------------------+
230-Please make sure to read pub/INDEX before sending mail to
230-ftpadmin@suse.com
230-
230-User limit: 600 - consider using a mirror-site:
230-http://www.suse.de/en/support/download/ftp/int_mirrors.html (Int.)
230-http://www.suse.de/en/support/download/ftp/germ_mirrors.html (DE)
230-
230-Users from Europe (in particular German universities):
230-ftp://ftp.gwdg.de/pub/linux/suse/
230-ftp://ftp.leo.org/pub/comp/os/unix/linux/suse/suse/
230-ftp://ftp.uni-kl.de/pub/linux/suse/
230-
230-If you are experiencing any problems with this server, please email
230-ftpadmin@suse.com.
230-
230 Login successful. Have a lot of fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
--------------------------------------------------
-----snip------
# My firewall config for FTP
# FTP OUT control connection
iptables -A OUTPUT -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport ftp ! --syn -j ACCEPT
# FTP OUT passive data connection
iptables -A OUTPUT -p TCP --sport $p_high --dport $p_high -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport $p_high ! --syn -j ACCEPT
# MASQUERADING
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
-----snap-----
----------------------------------------------------------------------
tcpdump -i ippp0
19:59:13.290242 217.4.250.8.filenet-tms > 213.95.15.193.domain: 2909 A?
ftp.suse.com. (30) (DF)
19:59:13.345807 213.95.15.193.domain > 217.4.250.8.filenet-tms: 2909* 1/2/2
A 217.9.113.66 (132) [tos 0x10]
19:59:13.347190 217.4.250.8.35608 > 217.9.113.66.ftp: S
926670463:926670463(0) win 5840
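The session above is an active-mode transfer: the client sends PORT and the server then opens the data connection itself, from its port 20 to the high port the client named. That connection begins with an inbound SYN, which an INPUT rule limited to "! --syn" packets never accepts, and the ESTABLISHED,RELATED rules only help once the kernel knows the data connection belongs to the control connection on port 21, which is what the FTP connection-tracking helper provides. The script below is an added example, not the original poster's configuration, showing outbound FTP rules that rely on that helper for both the firewall host and masqueraded LAN clients. The interface names ppp0/eth0, the module names ip_conntrack_ftp/ip_nat_ftp (kernel 2.4) and nf_conntrack_ftp/nf_nat_ftp (2.6.20 and later), and the "echo" dry-run mode are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the poster's script): outbound FTP through an iptables
# firewall using the netfilter FTP connection-tracking helper.
# Assumed names: $EXT is the external (dial-up) interface, $INT the LAN side.
# Each rule function takes an optional command to run instead of iptables;
# passing "echo" prints the rules so they can be reviewed without root.
IPT=${IPT:-iptables}
EXT=${EXT:-ppp0}
INT=${INT:-eth0}

# Kernel 2.4 names the helpers ip_conntrack_ftp / ip_nat_ftp, 2.6.20+ uses
# nf_conntrack_ftp / nf_nat_ftp. Whichever pair exists is loaded; the helper is
# what marks the FTP data connection as RELATED to the control connection.
load_ftp_helpers() {
    for m in ip_conntrack_ftp ip_nat_ftp nf_conntrack_ftp nf_nat_ftp; do
        modprobe "$m" 2>/dev/null && echo "loaded $m"
    done
    return 0
}

# Rules for the firewall host itself acting as an FTP client.
ftp_client_rules() {
    ipt="${1:-$IPT}"
    # Control connection: a NEW outbound connection to port 21.
    $ipt -A OUTPUT -o "$EXT" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    # Data connection, either direction. Active mode: server:20 -> client high
    # port, arriving as an inbound SYN that conntrack reports as RELATED.
    # Passive mode: client high port -> server high port, also RELATED.
    # No "! --syn" filter: the active-mode data connection starts with a SYN.
    $ipt -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -o "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Same for masqueraded LAN clients. ip_nat_ftp / nf_nat_ftp rewrites the
# private address inside the PORT command so the server can connect back.
ftp_forward_rules() {
    ipt="${1:-$IPT}"
    $ipt -A FORWARD -i "$INT" -o "$EXT" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

# "apply" installs the rules; anything else prints them (dry run).
case "${1:-}" in
    apply) load_ftp_helpers; ftp_client_rules; ftp_forward_rules ;;
    *)     ftp_client_rules echo; ftp_forward_rules echo ;;
esac
```

Run it as "sh ftp-rules.sh" to see the rule set, and "sh ftp-rules.sh apply" as root to install it (after setting EXT and INT). The rules deliberately contain no "--sport 20" or high-port ranges: the helper tracks the ports negotiated on the control channel, so the only static rule is the one for port 21.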