Re: iptables, ftp and dnat?



On Fri, Dec 05, 2008 at 03:30:19PM -0700, Robert L. Harris wrote:

[snip]


Here is another link: http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/ (again, Google).


My strength is in iptables, not ftp (which is the reason for googling :) ).

Also, for anything to do with iptables and firewalls you should probably read a tutorial on iptables.


I've read both of those and understand how ftp works. I've spent the last 2 days googling. Unfortunately it's all working now except for getting the iptables data connection in passive mode working. I can log in, etc. just fine, but when I do an "ls" after issuing the "passive" command it times out.

The second example looks good but doesn't handle the DNAT (the ftp server is running on another machine behind my firewall).

What I do to track down iptables problems (if you have access to all 3 machines: client, server and firewall) is dump on all 3 machines, something like

tcpdump -pni <eth?> -s 1500 -w /tmp/trace.dmp host <client ip> and host <server ip>

The client and server IPs will vary depending on which machine you are on (natting).

Also, just before the drop statement in your iptables chain, put a line which logs the packets.

This way you can see what is going on and create some rules to fix it.

But maybe another solution is to use an ftp proxy (ftp-proxy) to get around the active/passive port problem? I've never used it.




Robert



--

:wq!
====================================================================
Robert L. Harris | GPG Key ID: E344DA3B @ x-hkp://pgp.mit.edu
DISCLAIMER: These are MY OPINIONS ALONE. I speak for no-one else.
"With Dreams To Be A King, First One Should Be A Man" - Manowar

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iD8DBQFJOat68+1vMONE2jsRAuFiAJ4tZUiKdn1pVMTVJooRjcpMWsHUgQCfTggd
c08luNBZJjlIvtBgRnoR5+I=
=ZWjq
-----END PGP SIGNATURE-----


--
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx



--
Tsort's Constant:
1.67563, or precisely 1,237.98712567 times the difference between
the distance to the sun and the weight of a small orange.
-- Terry Pratchett, "The Light Fantastic" (slightly modified)

Attachment: signature.asc
Description: Digital signature
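Added example, not from this thread and not Robert's or the respondent's configuration: a script that generates the firewall rules for an ftp server behind DNAT, with the "log just before the drop" rule described in the reply, and prints the per-host tcpdump line from the reply as a function of interface and addresses. The interface name and addresses (eth0, 203.0.113.10, 192.168.1.20, 198.51.100.7) are placeholders. The raw-table rule that binds the ftp conntrack helper goes beyond what the thread discusses: on kernels from 4.7 on, automatic helper assignment is off by default, so without it the PASV reply is never inspected and the data connection never becomes RELATED.

```sh
#!/bin/sh
# Added example (not from the thread). Placeholder topology:
#   Internet --(WAN_IF, PUB_IP)--> firewall --> ftp server at FTP_IP (private)
#
# The ftp conntrack helper reads the PASV reply on the control
# connection, rewrites the private address in it (nf_nat_ftp) and
# registers the announced data port as an expectation, so the client's
# data connection arrives with ctstate RELATED and is accepted by the
# first FORWARD rule. Everything else falls through to LOG, then DROP.

ftp_dnat_rules() {
    wan_if=$1; pub_ip=$2; ftp_ip=$3
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
# Kernels >= 4.7 do not auto-assign helpers; bind "ftp" explicitly.
# raw PREROUTING runs before DNAT, so match the public address here.
-A PREROUTING -i $wan_if -d $pub_ip -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $wan_if -d $pub_ip -p tcp -m tcp --dport 21 -j DNAT --to-destination $ftp_ip:21
COMMIT
*filter
:FORWARD DROP [0:0]
# Control-connection replies and helper-expected data connections.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $wan_if -d $ftp_ip -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Log right before the drop: a timed-out passive "ls" then shows up in
# the kernel log as a dropped SYN to the data port.
-A FORWARD -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FWD-DROP: " --log-level 4
-A FORWARD -j DROP
COMMIT
EOF
}

# The tcpdump line from the reply, parameterised per host. On the
# firewall run it once per side, with the pre- and post-NAT addresses.
capture_cmd() {
    iface=$1; client=$2; server=$3
    printf 'tcpdump -pni %s -s 1500 -w /tmp/trace.dmp host %s and host %s\n' \
        "$iface" "$client" "$server"
}

WAN_IF=${WAN_IF:-eth0}
PUB_IP=${PUB_IP:-203.0.113.10}     # placeholder public address
FTP_IP=${FTP_IP:-192.168.1.20}     # placeholder internal ftp server

if [ "${1:-}" = "--apply" ]; then
    modprobe nf_conntrack_ftp
    modprobe nf_nat_ftp
    ftp_dnat_rules "$WAN_IF" "$PUB_IP" "$FTP_IP" | iptables-restore
else
    # Default is a dry run: print the ruleset and the capture command.
    ftp_dnat_rules "$WAN_IF" "$PUB_IP" "$FTP_IP"
    capture_cmd "$WAN_IF" 198.51.100.7 "$PUB_IP"
fi
```

Run without arguments to review the generated rules; with --apply it loads the ftp helper modules and feeds the rules to iptables-restore, which replaces the raw, nat and filter tables wholesale, so merge them with any existing rules first. If a passive "ls" still times out afterwards, the kernel log line prefixed FWD-DROP: shows the address and port of the dropped data SYN, which is the quickest way to tell that the helper did not see the PASV reply (the helper modules not loaded, or the control channel encrypted with TLS, which no packet-level helper can parse).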


