Mailinglist Archive: opensuse-security (359 mails)

IPTABLES Rule for Passive FTP
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Tue, 29 Jul 2003 14:57:06 +0200
  • Message-id: <84ECB0B9D002A54EA3E926AAA94E58080190D8@xxxxxxxxxxxxxx>
Hi all,

I need to create a rule with IPTABLES which only allows passive FTP. The
following lines accomplish this:

# Bourne-shell assignment (a csh script would write: set IPTABLES = "/usr/sbin/iptables")
IPTABLES="/usr/sbin/iptables"
# Control Connection: internal client (unprivileged source port) to the server's ftp port (21)
$IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP \
    --sport 1024:65535 --dport ftp -j ACCEPT
# Data Connection: internal client to the server's PASV port (any unprivileged port)
$IPTABLES -A FORWARD -o eth1 -m state --state NEW -p TCP \
    --sport 1024:65535 --dport 1024:65535 -j ACCEPT

There are more rules than only the lines above, but they are
intentionally left out.

My problem is that this opens the firewall from internal with source
port >= 1024 and destination port >= 1024, which is typically used only
by passive FTP data connections. This behaviour is by recommendation not

Is there a way to ensure that a data connection is only allowed when an
FTP control connection has taken place beforehand?

Knut Erik
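The standard answer to the question above is the kernel's FTP connection-tracking helper: it watches the control connection on port 21, parses the server's PASV reply and registers the expected data connection, so that connection arrives in conntrack state RELATED and can be accepted by a RELATED,ESTABLISHED rule without any NEW rule for the 1024:65535 range. The script below is an added example, not code from the original post. It assumes the poster's outbound interface eth1, the helper module name nf_conntrack_ftp (ip_conntrack_ftp on 2.4-era kernels), and that the rest of the poster's policy stays as it is; the raw-table CT rule is there for kernels that no longer auto-assign helpers and is harmless where they still do.

```shell
#!/bin/sh
# Added example (not from the original post): allow passive FTP data
# connections only when the FTP conntrack helper has tied them to an
# existing control connection.
#
# Assumptions: outbound interface eth1 (as in the post); helper module
# nf_conntrack_ftp (ip_conntrack_ftp on old 2.4 kernels). Run as
# "sh passive-ftp.sh apply" to load the rules, or "sh passive-ftp.sh print"
# to see them without touching the firewall.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
WAN_IF="${WAN_IF:-eth1}"

passive_ftp_rules() {
    # Load the helper so conntrack parses PASV replies on the control channel.
    "$MODPROBE" nf_conntrack_ftp

    # Newer kernels do not attach helpers automatically; bind the ftp helper
    # to control connections explicitly. Ignored-but-harmless on kernels that
    # still auto-assign.
    "$IPTABLES" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    # Control connection: the only thing an internal host may open as NEW
    # towards an FTP server (replaces the post's first rule, same matches).
    "$IPTABLES" -A FORWARD -o "$WAN_IF" -m state --state NEW \
        -p tcp --sport 1024:65535 --dport 21 -j ACCEPT

    # Data connection: accepted only because the helper marked it RELATED
    # to a live control connection. There is deliberately no NEW rule for
    # --dport 1024:65535, which is what the post wanted to get rid of.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    print) IPTABLES=echo; MODPROBE=echo; passive_ftp_rules ;;
    apply) passive_ftp_rules ;;
esac
```

With the helper in place, a data connection that was not announced on a tracked control connection never reaches RELATED state, so it falls through to whatever default policy the rest of the rule set applies. One check worth making after loading this: `cat /proc/net/nf_conntrack` (or `conntrack -L`) during a passive transfer should show the data connection with the control connection's helper attached, and the old NEW 1024:65535 rule should have no hits.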
