>> Now it was my understanding that iptables was a connection tracking or
> stateful firewall and that thus FTP masquerading worked quite
> nicely, but
> I'm having problems. From a 'doze client usgin command line
> FTP or IE5 I can
> connect to an FTP server but I can't build up a data connection.
>> The iptables documentation is nearly silent on the matter,
> saying only that
> NATing FTP should work if you have the ip_conntrack_ftp and ip_nat_ftp
> modules loaded, which I do.
>> All assistance greatefully received.
>
The following works for me in RedHat /etc/sysconfig/iptables
In the filter table add the following:
# Allow ftp outbound
-A INPUT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j
ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED
-j ACCEPT
# Active ftp
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j
ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Passive ftp
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state
--state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state
--state RELATED,ESTABLISHED -j ACCEPT
The first two deal with port 21, then the following two deal with the
ftp-data port. Next two lines to do passive ftp.
The above is the format understood by iptables-restore
Cheers
jr
PS: Hopefully I've read this one right..
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
