Re: iptables rule to block FTP-NAT-Helper-Traffic
- From: Pascal Hambourg <boite-a-spam@xxxxxxxxxxxxxxx>
- Date: Wed, 26 Nov 2008 19:18:11 +0100
Kevin Kempfer wrote:
> Pascal Hambourg wrote:
>> iptables -A FORWARD -i external_interface -m state --state RELATED \
>>     -m helper --helper ftp -j DROP
>> In order to be effective, this rule must be placed before the general "-m state ESTABLISHED,RELATED -j ACCEPT" rule.
> Isn't this to be done on the router?

Yes.

> As I don't have access to the router, I would like to secure my own machine against this attack.

Oh, I didn't understand that. Well, you can use this kind of rule in the INPUT chain of your local machine too, before the general state rule.

> What I need is a rule which is running locally on my computer. Is there still a helper match?

This depends on your setup. "iptables -m helper -h" will tell if the match is supported by the installed iptables, and "grep MATCH_HELPER /boot/config-$(uname -r)" will tell if it is supported by the running kernel. The FTP conntrack helper module ip_conntrack_ftp or nf_conntrack_ftp must be loaded. Actually, if the FTP conntrack helper module is not loaded on your local machine and the firewall drops incoming NEW connections, your machine is not at risk. Of course this means you cannot use FTP active mode either.
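The INPUT-chain variant of the rule, with the ordering the reply insists on, as an added example that is not part of the thread: `gen_rules` emits the chain in dry-run form (`IPT` defaults to `echo iptables`; the interface name `eth0` is an assumption), and `audit_order` reads an `iptables -S INPUT` dump from stdin and reports whether the ftp-helper DROP actually precedes the generic ESTABLISHED,RELATED ACCEPT.

```shell
#!/bin/sh
# Added example, not code from the thread. IPT defaults to a dry run so the
# script only prints the commands; set IPT=iptables to apply them as root.
# EXT is the external interface name (assumed: eth0).
IPT="${IPT:-echo iptables}"
EXT="${EXT:-eth0}"

# Emit the INPUT chain in the only order that works: the helper DROP must
# come before the general state ACCEPT, otherwise the ACCEPT wins first.
gen_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$EXT" -m state --state RELATED -m helper --helper ftp -j DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state NEW -j DROP
}

# Support checks from the reply; they need a real iptables, so they are
# not exercised in the dry run.
helper_match_supported() {
    iptables -m helper -h >/dev/null 2>&1 &&
        grep -q MATCH_HELPER "/boot/config-$(uname -r)"
}

# Audit a chain dump ("iptables -S INPUT") read from stdin.
# Exit 0 when the ftp-helper DROP precedes the general RELATED ACCEPT
# (or no such ACCEPT exists), 1 when the ACCEPT comes first or the DROP
# is missing, i.e. when the helper rule is ineffective.
audit_order() {
    awk '
        /--helper ftp/ && /-j DROP/           { if (!drop) drop = NR }
        /--state .*RELATED/ && /-j ACCEPT/    { if (!acc)  acc  = NR }
        END { exit ((drop && (!acc || drop < acc)) ? 0 : 1) }
    '
}
```

Running `gen_rules | audit_order` on the dry-run output confirms the generated chain passes the same check you would run against a live `iptables -S INPUT`.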