Passive FTP and IPTables 4 September 2006

Had to configure an FTP server at work. For reasons best left for discussion at some later, as yet undetermined, date, we put the FTP server outside the firewall. The machine in question therefore needs to be protected by its own built-in firewall.

IPTables to the rescue.

There’s a snag: the default connection tracking doesn’t seem to work properly for FTP. The IPTables rules below suggest that stateful inspection would do the connection tracking as well; apparently not:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

It seems that the “ip_conntrack_ftp” module needs to be loaded separately in order to enable it:

# /sbin/modprobe ip_conntrack_ftp

That should do the trick… but to have IPTables load it automatically, edit the file “/etc/sysconfig/iptables-config”.

Add the following into it –
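The whole procedure from this post gathered into a small script, as an added example rather than the author's own: it emits the two rules with the correct "--state" and "--dport" syntax, the IPTABLES_MODULES line for iptables-config, and a check that the helper really is loaded before any rule depends on it. It assumes the RH-Firewall-1-INPUT chain from the post; the alternative module name nf_conntrack_ftp (kernels 2.6.20 and later) is my assumption about newer systems, not something the post states.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the RH-Firewall-1-INPUT
# chain and the RHEL-style /etc/sysconfig/iptables-config used in the post.
# The helper is ip_conntrack_ftp on the 2006-era kernel; kernels from 2.6.20
# on ship it as nf_conntrack_ftp, so the name is overridable (assumption).
FTP_HELPER="${FTP_HELPER:-ip_conntrack_ftp}"
CHAIN="RH-Firewall-1-INPUT"

# Minimal INPUT rules for an FTP server: NEW connections only to the control
# port; data connections are admitted only once the helper has parsed the
# PORT/PASV exchange on port 21 and marked them RELATED.
ftp_rules() {
    cat <<EOF
-A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
-A $CHAIN -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
EOF
}

# Line for iptables-config so the init script loads the helper by itself.
ftp_module_config() {
    echo "IPTABLES_MODULES=\"$FTP_HELPER\""
}

# Runtime check: without the helper loaded, passive data connections never
# become RELATED and are silently dropped by the rules above.
ftp_helper_loaded() {
    grep -q "^$FTP_HELPER " /proc/modules 2>/dev/null
}

# Apply only as root on a real host; otherwise print what would be done.
ftp_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "# dry run (not root):"
        echo "/sbin/modprobe $FTP_HELPER"
        ftp_rules
        ftp_module_config
        return 0
    fi
    /sbin/modprobe "$FTP_HELPER" || return 1
    ftp_helper_loaded || return 1
    ftp_rules | while read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule || exit 1
    done || return 1
    ftp_module_config >> /etc/sysconfig/iptables-config
}
```

Run ftp_apply as root to load the helper, add the rules and append the module line; as a non-root user it only prints the three steps.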


