raptor wrote:
> As read here :
> http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
>
> modprobe ip_conntrack_ftp
> would give me the ability to use active ftp if I have (pseudo/simplified code)
>
> iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -j DROP
>
> but I can't use active ftp, WHAT IS WRONG.. eth0 is the internal interface..
>

If you are NATing use ip_nat_ftp as well.

Not sure that that firewall rule is OK - but then I don't know what else you have.

My firewall is a direct copy and paste from one of Rusty's guides - ppp0 is my external interface -

## Create chain which blocks new connections, except if coming from inside.

iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

Andy.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
As read here :
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

modprobe ip_conntrack_ftp
would give me the ability to use active ftp if I have (pseudo/simplified code)

iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j DROP

but I can't use active ftp, WHAT IS WRONG.. eth0 is the internal interface..
yep my config is very similar i.e. :

iptables -N block
iptables -A block -i $ifInt0 -j ACCEPT
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -j DROP

iptables -A INPUT -i $ifWan0 -j services
iptables -A FORWARD -i $ifWan0 -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block

I added also this (do I really need it in my config? I'm allowing everything from inside anyway):

> iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT

after ESTABLISHED,RELATED but still can't do active FTP

"services" is for giving access to well-known services...
I'm not using NAT

On Mon, 10 May 2004 21:37:27 +0100 Andy Furniss <andy.furniss@dsl.pipex.com> wrote:
> raptor wrote:
> > As read here :
> > http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
> >
> > modprobe ip_conntrack_ftp
> > would give me the ability to use active ftp if I have (pseudo/simplified code)
> >
> > iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A FORWARD -j DROP
> >
> > but I can't use active ftp, WHAT IS WRONG.. eth0 is the internal interface..
> >
>
> If you are NATing use ip_nat_ftp as well.
>
> Not sure that that firewall rule is OK - but then I don't know what else
> you have.
>
> My firewall is a direct copy and paste from one of Rusty's guides - ppp0
> is my external interface -
>
> ## Create chain which blocks new connections, except if coming from inside.
>
> iptables -N block
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
> iptables -A block -j DROP
>
> ## Jump to that chain from INPUT and FORWARD chains.
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
>
> Andy.
>
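To make the mechanism being debated concrete, here is an added example (not from the thread, not netfilter code): a simplified Python model of what ip_conntrack_ftp adds for active FTP, i.e. parsing the client's PORT command, deriving the data connection the server will open, and running that inbound SYN through raptor's "block" chain with and without the helper. The addresses, the PORT command and the interface name "eth1" are constructed; the NAT branch models the address rewrite ip_nat_ftp performs.

```python
import re

# Matches the FTP PORT command the client sends on the control channel.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")

def expected_data_conn(port_cmd, server_ip, nat_public_ip=None):
    """Derive the data connection the helper will expect after seeing
    PORT h1,h2,h3,h4,p1,p2: in active FTP the *server* connects from
    port 20 to the client's advertised address.  With NAT, ip_nat_ftp
    rewrites the advertised (private) address to the public one, so the
    expectation is for the public address and is DNATed back later."""
    m = PORT_RE.match(port_cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % port_cmd)
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        raise ValueError("field out of range in %r" % port_cmd)
    client_ip = ".".join(str(v) for v in f[:4])
    client_port = f[4] * 256 + f[5]
    return (server_ip, 20, nat_public_ip or client_ip, client_port)

def conntrack_state(pkt, expectations):
    """A SYN that matches a helper expectation is RELATED; otherwise NEW."""
    return "RELATED" if pkt in expectations else "NEW"

def block_chain(in_iface, wan_iface, state):
    """raptor's 'block' chain as posted: accept anything from the
    internal side, then ESTABLISHED,RELATED, then drop."""
    if in_iface != wan_iface:
        return "ACCEPT"
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    return "DROP"

def inbound_verdict(port_cmd, server_ip, pkt, helper_loaded, wan="eth1"):
    """Verdict for the server's data SYN arriving on the WAN interface."""
    exp = {expected_data_conn(port_cmd, server_ip)} if helper_loaded else set()
    return block_chain(wan, wan, conntrack_state(pkt, exp))

if __name__ == "__main__":
    # Constructed values: client 192.168.1.10 picks port 4*256+210 = 1234.
    cmd, server = "PORT 192,168,1,10,4,210\r", "203.0.113.5"
    syn = expected_data_conn(cmd, server)
    print(syn)                                      # ('203.0.113.5', 20, '192.168.1.10', 1234)
    print(inbound_verdict(cmd, server, syn, True))  # ACCEPT: helper marks it RELATED
    print(inbound_verdict(cmd, server, syn, False)) # DROP: without the helper it is NEW
```

The last two lines are the whole point of the thread: the chain is fine, but the data SYN only survives it if conntrack has an expectation to match it against.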
raptor wrote:
> yep my config is very similar i.e. :
>
> iptables -N block
> iptables -A block -i $ifInt0 -j ACCEPT
> iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A block -j DROP
>
>
> iptables -A INPUT -i $ifWan0 -j services
> iptables -A FORWARD -i $ifWan0 -j services
> iptables -A INPUT -j block
> iptables -A FORWARD -j block
>
> I added also this (do I really need it in my config? I'm allowing everything from inside anyway):
>
>> iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT
>
>
> after ESTABLISHED,RELATED but still can't do active FTP
>
> "services" is for giving access to well-known services...
> I'm not using NAT

I am not sure what's wrong.

Are you running an FTP server or just trying to access one on the internet from behind the firewall ?

Andy.

<snip>
trying to access ftp servers from inside...

> raptor wrote:
> > yep my config is very similar i.e. :
> >
> > iptables -N block
> > iptables -A block -i $ifInt0 -j ACCEPT
> > iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A block -j DROP
> >
> >
> > iptables -A INPUT -i $ifWan0 -j services
> > iptables -A FORWARD -i $ifWan0 -j services
> > iptables -A INPUT -j block
> > iptables -A FORWARD -j block
> >
> > I added also this (do I really need it in my config? I'm allowing everything from inside anyway):
> >
> >> iptables -A block -m state --state NEW -i ! $ifWan0 -j ACCEPT
> >
> >
> > after ESTABLISHED,RELATED but still can't do active FTP
> >
> > "services" is for giving access to well-known services...
> > I'm not using NAT
>
> I am not sure what's wrong.
>
> Are you running an FTP server or just trying to access one on the
> internet from behind the firewall ?
>
raptor wrote:
> trying to access ftp servers from inside...

Well I am not sure - I would be double checking all scripts for typos/brainos.

You haven't posted everything you use - and even if you did I am no netfilter/firewalling expert.

The netfilter list is probably a better place for this sort of issue.

Andy.