LLLActive@GMX.Net wrote:
Hi all,
Hi,
I am learning how to use Netfilter/IPTables.
I got active FTP going (ports 20 & 21), but as soon as I log in on an external FTP server and want to list the directory, I get no response. I have gathered that the problem is with the passive FTP mode it switches to. How do I cater for passive FTP with an iptables command? The active rules in a filters.sh script are:
~~~~~~~ START (part of script) ~~~~~~~~~~
#### variables #####
# net all
NET_ALL='0.0.0.0/0'
# external interface
IF_EXT='eth0'
IP_EXT='10.9.8.1'
NET_EXT='10.9.8.0/24'
BCAST_EXT='10.9.8.255'
# internal interface
IF_INT='eth1'
IP_INT='10.8.0.1'
NET_INT='10.8.0.0/24'
BCAST_INT='10.8.0.255'
......
# ports
p_high='1024:65535'
plist_ftp='20 21'
......
# FTP
for p_ftp in $plist_ftp; do   # use these rules for every port in $plist_ftp
    iptables -A FORWARD -i $IF_INT -o $IF_EXT -p TCP -s $NET_INT -d $NET_ALL --sport $p_high --dport $p_ftp -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i $IF_EXT -o $IF_INT -p TCP -s $NET_ALL -d $NET_INT --sport $p_ftp --dport $p_high -m state --state ESTABLISHED -j ACCEPT
done
~~~~~~ END ~~~~~~
I'm assuming you have a firewall behind your FTP server and are using SuSEfirewall2. Try adding "ip_conntrack_ftp" to the FW_LOAD_MODULES option in /etc/sysconfig/SuSEfirewall2. You may also need to add "ip_nat_ftp"... Restart your firewall afterwards.
TIA
Rui
Al
--
Rui Santos
http://www.ruisantos.com/
Veni, vidi, Linux!
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
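For readers who are not on SuSEfirewall2 and want the plain iptables equivalent of Rui's advice, here is an added example (not code from either poster) of how the FTP helper replaces the per-port rules in the posted script. It reuses the interface and network names from that script (eth0 external, eth1 internal, 10.8.0.0/24) as assumptions; the IPT variable is mine so the rules can be printed for review without root, and the modern module names nf_conntrack_ftp / nf_nat_ftp fall back to the ip_conntrack_ftp / ip_nat_ftp names from the thread on old kernels.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# FORWARD rules for a LAN router that let clients behind it use active AND
# passive FTP. Instead of opening port 20 and 1024:65535, the kernel FTP
# helper watches PORT/PASV on the control channel and marks the resulting
# data connection RELATED, which the rules below accept.
#
# IPT defaults to "echo" (dry run: the commands are printed). Apply with:
#   IPT=iptables sh ftp-rules.sh

IPT="${IPT:-echo}"
IF_EXT='eth0'            # assumed, as in the posted script
IF_INT='eth1'            # assumed, as in the posted script
NET_INT='10.8.0.0/24'    # assumed, as in the posted script

# Load the FTP conntrack helper; the NAT helper is also needed when the
# router masquerades, so that addresses inside PORT/PASV replies are rewritten.
# Kernels before ~2.6.20 call these ip_conntrack_ftp / ip_nat_ftp.
load_ftp_helpers() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    modprobe nf_nat_ftp 2>/dev/null || modprobe ip_nat_ftp
}

ftp_forward_rules() {
    # Control connection: LAN client -> any FTP server, port 21.
    $IPT -A FORWARD -i "$IF_INT" -o "$IF_EXT" -p tcp -s "$NET_INT" --dport 21 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies on the control connection.
    $IPT -A FORWARD -i "$IF_EXT" -o "$IF_INT" -p tcp -d "$NET_INT" --sport 21 \
        -m state --state ESTABLISHED -j ACCEPT
    # Data connections in either direction. Passive: client -> server high port
    # (outbound NEW packet, classified RELATED by the helper). Active: server
    # port 20 -> client high port (inbound, also RELATED). No explicit port
    # 20 or 1024:65535 rule is required.
    $IPT -A FORWARD -i "$IF_INT" -o "$IF_EXT" -p tcp -s "$NET_INT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$IF_EXT" -o "$IF_INT" -p tcp -d "$NET_INT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Since kernel 4.7 helpers are no longer attached automatically
    # (net.netfilter.nf_conntrack_helper defaults to 0 and was removed in 6.0),
    # so bind the ftp helper explicitly to control connections in the raw table.
    $IPT -t raw -A PREROUTING -i "$IF_INT" -p tcp -s "$NET_INT" --dport 21 \
        -j CT --helper ftp
}

if [ "$IPT" != echo ]; then
    load_ftp_helpers
fi
ftp_forward_rules
```

The ordering matters: the RELATED rules must sit in the same chain as the control-channel rule (FORWARD here), and the raw-table CT rule must be present before the first control connection is tracked, or the helper never sees the PASV reply and the data connection is dropped exactly as described in the question. Without nf_nat_ftp on a masquerading router, active mode additionally fails because the client's private address is sent in the PORT command unchanged.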