June 16, 2005
iptables (netfilter) and passive mode FTP
I'm running iptables/netfilter on one of my RHEL servers and just recently decided to add FTP access. I'm using the stock rules that come with RHEL with a few custom rules where necessary. By default it does perform stateful inspection, taking advantage of the ip_conntrack module. The following rules exist in the table:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
With connection tracking you'd think that's sufficient: when the PASV command is sent, netfilter should keep track of the relevant information and allow the subsequent passive FTP data connection... but it doesn't. The generic ip_conntrack module only tracks the control connection on port 21; it is the ip_conntrack_ftp helper that reads the server's 227 reply on that channel and marks the data connection it announces as RELATED. So you need to make sure the ip_conntrack_ftp module is loaded as well. You can load it for testing with "/sbin/modprobe ip_conntrack_ftp", but to have iptables load it automatically just add the following to /etc/sysconfig/iptables-config:
IPTABLES_MODULES="ip_conntrack_ftp"
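The following script is an added example, not code from the original post, showing what the ip_conntrack_ftp helper actually derives from the control channel and how to check and persist the setting described above. The function names are mine, the 227 reply in the comments and tests is constructed rather than captured, and the default file path is the RHEL location named in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are mine;
# the "227 ..." reply shown is constructed, not captured from a real server.

# What the ip_conntrack_ftp helper does on the control channel: read the
# server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and turn it
# into the host:port the client will connect to, so that data connection can
# be accepted as RELATED instead of opening the whole passive port range.
# Without the helper, plain ip_conntrack never sees this port and the data
# connection arrives as NEW and is dropped. Returns 1 on a malformed reply.
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        # every field is one byte; rejects "(300,1,2,3,4,5)"-style garbage
        [ "$n" -ge 0 ] && [ "$n" -le 255 ] || return 1
    done
    # e.g. "227 Entering Passive Mode (192,168,1,10,195,80)" -> 192.168.1.10:50000
    printf '%s.%s.%s.%s:%s\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Is the FTP conntrack helper loaded? ip_conntrack_ftp is the 2.6-era name
# used in the post; nf_conntrack_ftp is its successor on later kernels.
ftp_helper_loaded() {
    lsmod 2>/dev/null | awk '$1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
                             END { exit !found }'
}

# Idempotently set IPTABLES_MODULES in an iptables-config file so the RHEL
# init script loads the helper at startup. $1: file (default: the RHEL path),
# $2: module list (default: ip_conntrack_ftp).
set_iptables_modules() {
    f="${1:-/etc/sysconfig/iptables-config}"
    mods="${2:-ip_conntrack_ftp}"
    if grep -q '^IPTABLES_MODULES=' "$f" 2>/dev/null; then
        sed "s|^IPTABLES_MODULES=.*|IPTABLES_MODULES=\"$mods\"|" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$mods" >> "$f"
    fi
}

# Usage (as root on the server):
#   ftp_helper_loaded || /sbin/modprobe ip_conntrack_ftp
#   set_iptables_modules          # persists the setting in /etc/sysconfig/iptables-config
#   pasv_endpoint "$reply"        # what the helper derives from a server's 227 line
```

Two caveats worth knowing before relying on this: the helper can only parse a control channel it can read, so FTP over TLS defeats it and you are back to a static passive port range; and if the server sits behind NAT the matching ip_nat_ftp module is needed as well, since the address in the 227 reply must be rewritten. On kernels from 4.7 onward helpers are no longer attached automatically and need an explicit CT target rule (-j CT --helper ftp) in the raw table.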
Posted 5 years, 1 month ago on June 16, 2005
The trackback url for this post is http://www.colynx.com/~bsneddon/blog/bblog/trackback.php/10/
Re: iptables (netfilter) and passive mode FTP
iptables with the recent module really helps too to block out unwanted bruteforce attacks like port 22 and stuff. I use it a lot to disable an anonymous ftp site I run and ssh on that box.
Posted 2 weeks, 3 days ago by Andy • • • Reply
Comment Trackback URL : http://www.colynx.com/~bsneddon/blog/bblog/trackback.php/10/11/
Comments have now been turned off for this post