Re: [suse-security] IPTABLES Rule for Passive FTP
-----Original Message-----
From: Knut Erik Hauslo [mailto:KNUTH@voelcker.com]
Sent: Tuesday, July 29, 2003 2:57 PM

> Hi all,
Hi Knut,
> I need to create a rule with IPTABLES which only allows passive FTP. The following lines accomplish this:
>
>   set IPTABLES = "/usr/sbin/iptables"
>
>   # Control Connection
>   $IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP --sport 1024:65535 --dport ftp -j ACCEPT
>
>   # Data Connection
>   $IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP --sport 1024:65535 --dport 1024:65535 -j ACCEPT
>
> There are more rules than only the lines above, but they are intentionally left out.
No problem, should be enough :)
> My problem is that this opens the firewall from internal with source port >= 1024 and destination port >= 1024, which typically is used only by the passive FTP data connection. This behaviour is, by recommendation, not wanted.
>
> Is there a way to accomplish that the data connection is only allowed when an FTP control connection has taken place beforehand?
Yep, my rules for passive FTP look like this:

  $IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -s $j --sport 21 -d $i --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -s $i --sport 1024:65535 -d $j --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -p tcp -s $j --sport 1024:65535 -d $i --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

Where $i is the ftp client and $j the ftp server. For this to work correctly you need to load the ftp conntrack helper module.

> Cheers,
> Knut Erik

HTH
marc
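As an added example (my own script, not one posted in this thread), here is the approach Marc describes written out as a small sh script: the only rule that accepts a NEW connection is the one for the control channel to port 21, and every data-channel rule accepts RELATED,ESTABLISHED only, so a high-port-to-high-port connection is forwarded only after the ftp conntrack helper has seen the PASV exchange on an accepted control connection. Assumptions not in the thread: the helper module is named nf_conntrack_ftp (on older 2.4/2.6 kernels it was ip_conntrack_ftp), and on kernels from 4.7 onward automatic helper assignment is off by default, so the script also adds the raw-table CT rule that binds the ftp helper to port 21 explicitly. The client and server addresses are constructed placeholders. By default the script is a dry run that prints the commands; set IPTABLES and MODPROBE to the real binaries to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread. Dry run by default: the
# commands are printed rather than executed. To apply for real:
#   IPTABLES=/usr/sbin/iptables MODPROBE=/sbin/modprobe sh this_script.sh
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"

# Load the FTP connection-tracking helper. Module name is an assumption
# (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on old 2.4/2.6 ones).
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp
}

# passive_ftp_rules CLIENT SERVER
# Emits the FORWARD rules for passive FTP from CLIENT to SERVER.
passive_ftp_rules() {
    client="$1"
    server="$2"

    # Kernels >= 4.7 no longer attach helpers automatically (assumption stated
    # in the lead-in); bind the ftp helper to control traffic in the raw table.
    $IPTABLES -t raw -A PREROUTING -p tcp -d "$server" --dport 21 -j CT --helper ftp

    # Control connection: the ONLY place a NEW connection is accepted.
    $IPTABLES -A FORWARD -p tcp -s "$client" --sport 1024:65535 \
        -d "$server" --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Server replies on the control connection: already tracked, no NEW.
    $IPTABLES -A FORWARD -p tcp -s "$server" --sport 21 \
        -d "$client" --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

    # Passive data connection, client -> server high port. RELATED means the
    # ftp helper saw the PASV reply on an accepted control connection; a
    # high-port connection with no preceding control session stays NEW and
    # is therefore not matched here.
    $IPTABLES -A FORWARD -p tcp -s "$client" --sport 1024:65535 \
        -d "$server" --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Server -> client traffic on the data connection: tracked replies only.
    $IPTABLES -A FORWARD -p tcp -s "$server" --sport 1024:65535 \
        -d "$client" --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
}

# Returns how many emitted rules would accept a NEW connection; the point of
# the exercise is that this is exactly one (the control channel).
count_new_rules() {
    passive_ftp_rules "$1" "$2" | grep -c -- '--state NEW'
}

# Constructed placeholder addresses (documentation ranges, not real hosts).
load_ftp_helper
passive_ftp_rules 192.0.2.10 198.51.100.21
```

The dry-run output can be diffed against `iptables-save` on the gateway to check that no stray `--state NEW` rule with a high destination port range remains; that rule, not the helper, is what the original poster's ruleset needs to lose.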
Participants: Marc Samendinger