[aklug] Re: Iptables Philosophy

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Mon Jul 19 2010 - 20:58:02 AKDT

On Tue, 20 Jul 2010, Christopher Howard wrote:

> I've been working through an Iptables issue, and I found a solution, but
> it doesn't seem quite right.
>
> My problem was that I couldn't use FTP. More specifically, my Gentoo
> package management system uses passive FTP to pull in some packages.
> (I.e. source code.) I implement a DROP first, ask questions later
> approach on the INPUT chain, and I've been stricter than I have been in
> the past, so it is understandable that I'd need to open some more ports.

<snip>

FTP is a lot simpler than that, actually:

   modprobe nf_nat_ftp
   iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

and you're done. And that supports active FTP. The helper module performs
layer 4 payload inspection to read which port the server is going to be
making the inbound connection to, and allows it. Passive FTP was created
specifically to avoid having to use this kind of helper module.

If your client was having a problem even with an ESTABLISHED rule in place
I'd question whether your software really was using passive as it claimed.
That'd be a good time to use a sniffer.

Final note: I assume your OUTPUT chain's default policy is ACCEPT. If it's
not, then you'll need some OUTPUT rules to allow connections to tcp dports
20,21.

         --Arthur Corliss
           Live Free or Die
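Added example, not part of the original message or of anything the list published: the ruleset Arthur describes, written out as a small POSIX shell script for an FTP client behind a DROP-by-default INPUT chain. It loads nf_conntrack_ftp (the connection-tracking helper that nf_nat_ftp depends on and that does the PORT/PASV parsing; nf_nat_ftp itself only adds NAT rewriting), uses the `-m conntrack --ctstate` match rather than the older `-m state` alias, and adds an explicit `CT --helper ftp` rule because kernels since 4.7 no longer attach helpers automatically (the sysctl that re-enabled this was removed in 6.0). The function names, the "strict" variant that also locks down OUTPUT, and the choice to emit the rules as text instead of applying them are this example's own.

```sh
#!/bin/sh
# Added example (not from the original post): a stateful iptables ruleset for
# an FTP *client* sitting behind a DROP-by-default INPUT chain, covering both
# active and passive mode.  Function names and the layout are this example's
# own choices, not anything the post or the list prescribes.

# The post loads nf_nat_ftp; that module depends on nf_conntrack_ftp, which is
# the part doing the work here: it parses PORT/PASV/EPSV on the control
# channel and registers an expectation so the data connection, whichever side
# opens it, is classified RELATED.  nf_nat_ftp only adds address rewriting for
# NAT, so a plain host firewall needs just the conntrack helper.
FTP_HELPER_MODULE=nf_conntrack_ftp

# Rules are emitted as text rather than executed, so the set can be read,
# diffed or tested without root and without touching the live firewall.

# Helper assignment.  Since Linux 4.7 helpers are no longer attached to flows
# automatically (the nf_conntrack_helper sysctl that re-enabled this was
# removed in 6.0), so bind the "ftp" helper explicitly to outbound control
# connections in the raw table.
ftp_helper_rules() {
    cat <<EOF
modprobe $FTP_HELPER_MODULE
iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
EOF
}

# INPUT: DROP first, then let conntrack admit replies (ESTABLISHED) and the
# helper-predicted data connection (RELATED).  In active mode the server
# connects *in* to the client's ephemeral port; RELATED is what allows it.
ftp_input_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# OUTPUT: only needed when OUTPUT is not ACCEPT by default.  NEW is permitted
# to port 21 (control); the passive-mode data connection goes to an ephemeral
# server port chosen at run time, which is why RELATED, not a fixed dport,
# must carry it.
ftp_output_rules() {
    cat <<'EOF'
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Full ruleset.  Pass "strict" to lock down OUTPUT too; otherwise OUTPUT is
# left at ACCEPT, the assumption made in the post.
ftp_client_ruleset() {
    ftp_helper_rules
    ftp_input_rules
    if [ "${1:-}" = "strict" ]; then
        ftp_output_rules
    else
        echo "iptables -P OUTPUT ACCEPT"
    fi
}

# Number of lines in a ruleset, for a quick sanity check of what would run.
ftp_ruleset_line_count() {
    ftp_client_ruleset "${1:-}" | wc -l | tr -d ' '
}

# To verify which mode the client really negotiates, watch the control
# channel and look for PASV/EPSV (passive) versus PORT/EPRT (active):
#   tcpdump -nn -A 'tcp port 21'

case "${1:-}" in
    --print)        ftp_client_ruleset ;;
    --print-strict) ftp_client_ruleset strict ;;
    --apply)        ftp_client_ruleset | sh -e ;;        # needs root
    --apply-strict) ftp_client_ruleset strict | sh -e ;; # needs root
esac
```

Run with `--print` to review the rules, `--apply` (as root) to load them. The one rule that actually changes behaviour compared with a bare ESTABLISHED match is the RELATED state: without the helper, an active-mode server connecting back to the client's ephemeral port is a NEW inbound connection and hits the DROP policy, which is exactly the symptom described in the thread.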
Received on Mon Jul 19 20:58:09 2010

This archive was generated by hypermail 2.1.8 : Mon Jul 19 2010 - 20:58:09 AKDT