Passive FTP and IPTables 4 September 2006
Posted by Maulvi Bakar in: Linux, Work
Had to configure an FTP server at work. For reasons best left for discussion at a later, as yet undetermined, date, we put the FTP server outside the firewall. Therefore, the machine in question needs to be protected by its own built-in firewall.
IPTables to the rescue.
There’s a snag. Out of the box, IP connection tracking doesn’t seem to work properly for passive FTP. The IPTables rules below suggest that stateful inspection would track the data connection as well, but apparently not:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
It seems that the “ip_conntrack_ftp” module needs to be loaded separately in order to enable it:
# /sbin/modprobe ip_conntrack_ftp
That should do the trick… but to have IPTables load it automatically, edit the file “/etc/sysconfig/iptables-config” and add the following to it:
IPTABLES_MODULES="ip_conntrack_ftp"
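The module only helps if it is both loaded now and listed in iptables-config for the next reboot, so here is an added helper script (mine, not from the post) that checks a /proc/modules-style file for the helper and idempotently adds ip_conntrack_ftp to IPTABLES_MODULES without clobbering modules already listed; the function names and the config/modules file paths it takes as arguments are assumptions.

```shell
#!/bin/sh
# Added example: verify and persist the FTP conntrack helper.
# Paths are passed in so the functions can be run against copies.

# Print the modules listed in IPTABLES_MODULES in config file $1, one per line.
configured_modules() {
  sed -n 's/^IPTABLES_MODULES=//p' "$1" | tr -d '"' | tr ' ' '\n' | grep -v '^$' || true
}

# Return 0 if module $2 is listed in config file $1.
module_configured() {
  configured_modules "$1" | grep -qx "$2"
}

# Append module $2 to IPTABLES_MODULES in config file $1, keeping existing entries.
# Running it twice leaves the file unchanged the second time.
ensure_module_configured() {
  cfg=$1; mod=$2
  module_configured "$cfg" "$mod" && return 0
  if grep -q '^IPTABLES_MODULES=' "$cfg"; then
    existing=$(configured_modules "$cfg" | tr '\n' ' ')
    sed -i "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"${existing}${mod}\"/" "$cfg"
  else
    printf 'IPTABLES_MODULES="%s"\n' "$mod" >> "$cfg"
  fi
}

# Return 0 if module $2 is present in a /proc/modules-style file $1
# (first column is the module name); pass /proc/modules on a live host.
module_loaded() {
  awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}
```

The helper tracks the data connection by reading the PORT/PASV exchange on the cleartext control channel, so it cannot follow FTPS sessions; on newer kernels the module is named nf_conntrack_ftp, which these functions accept as the module argument.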