RE: Allow active and passive FTP connections

--- Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Fri, 18 Jun 2004, Sagara Wijetunga wrote:
> 
> > Today I upgraded the Linux kernel to 2.6.7.
> >
> > Applied following patches of the
> > patch-o-matic-ng-20040302:
> > init_conntrack-optimize NETMAP SAME TTL connlimit
> > fuzzy iprange ipv4options mport raw CLASSIFY addrtype
> > childlevel owner-socketlookup
> >
> > Compiled in all netfilter options to the kernel.
> 
> Could you post the output of
> 
> grep IP_NF_ .config
>
cd /usr/src/linux-2.6.7
grep IP_NF_ .config

CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_IRC=y
CONFIG_IP_NF_TFTP=y
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=y
CONFIG_IP_NF_NAT_FTP=y
CONFIG_IP_NF_NAT_TFTP=y
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y
CONFIG_IP_NF_TARGET_NOTRACK=y
CONFIG_IP_NF_RAW=y
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_MATCH_CONNLIMIT=y
CONFIG_IP_NF_MATCH_FUZZY=y
CONFIG_IP_NF_MATCH_IPV4OPTIONS=y
CONFIG_IP_NF_MATCH_MPORT=y
CONFIG_IP_NF_MATCH_ADDRTYPE=y

The iptables-1.2.10 was compiled and installed as
follows:

CC="gcc -D__user= "
export CC

make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man \
    KERNEL_DIR=/usr/src/linux-2.6.7 >& iptables-make.log

make BINDIR=/sbin LIBDIR=/lib MANDIR=/usr/share/man \
    KERNEL_DIR=/usr/src/linux-2.6.7 install >& iptables-install.log

/sbin/ldconfig

> > After the server is booted with the new kernel, I
> > recompiled and reinstalled the iptables.
> >
> > But my problem is still the same. The "-m state
> > --state ESTABLISHED" works well, but the "-m state
> > --state RELATED" does not work at all for FTP data
> > connections. What have I missed?
> 
> You should post the complete list of your rules in
> all of the tables.
> 
# Default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

# Drop invalid state and impossible flag combinations first
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP

# Replies and helper-expected (RELATED) connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Further flag-combination drops (only SYN, ACK, FIN, RST, URG, PSH, ALL, NONE are valid flag names)
/sbin/iptables -A INPUT -p tcp --dport 21 --tcp-flags ACK,PSH,URG ACK,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN,ACK -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags RST,ACK RST,ACK -j DROP

# New connections to the offered services
/sbin/iptables -A INPUT -p tcp --dport 21  --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22  --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 25  --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53  --syn -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 53        -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80  --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 110 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 143 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 465 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 993 --syn -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 995 --syn -j ACCEPT

# Log (rate-limited) whatever is about to fall through to the DROP policy
/sbin/iptables -A INPUT -m limit --limit 1/s -j LOG --log-prefix 'INPUT PKT DROPPED: '

# OUTPUT: replies/RELATED, plus DNS and outbound SMTP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 53  --syn -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53        -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 25  --syn -j ACCEPT

/sbin/iptables -A OUTPUT -m limit --limit 1/s -j LOG --log-prefix 'OUTPUT PKT DROPPED: '


Please let me know if you require any further info in
this regard.

Sagara
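Added example for this thread (not code from the kernel, the netfilter project or the poster): in the ruleset above both INPUT and OUTPUT accept ESTABLISHED,RELATED before any other rule, so a data-connection SYN can only fail to match RELATED if conntrack never registered an expectation for it. An expectation is created only when the ip_conntrack_ftp helper sees a PORT or EPRT command from the client, or a 227 (PASV) or 229 (EPSV) reply from the server, on the control channel, and by default it refuses an announcement whose address is not the address of the peer that sent it (the helper's `loose` option lifts that check). The userland model below reproduces that decision and says which chain on the server will see the RELATED SYN. The transcript, the addresses 192.0.2.10 and 198.51.100.5, and the function names are all constructed assumptions.

```python
"""Model of what the ip_conntrack_ftp helper must extract from the FTP control
channel before a data-connection SYN can match "-m state --state RELATED".
Added example, not kernel or netfilter project code; transcript and addresses
are constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four announcement forms the helper searches the control channel for:
# PORT / EPRT from the client, 227 / 229 replies from the server.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT \|1\|([0-9.]+)\|(\d+)\|\s*$")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Expectation:
    """The data-connection tuple conntrack registers as 'expected'."""
    mode: str   # "active": server opens the data connection; "passive": client does
    src: str    # host that sends the SYN of the data connection
    dst: str
    dport: int
    chain: str  # chain on the FTP server where that SYN shows up as RELATED


def _rfc959_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form: the port is p1*256 + p2."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def expectation_for(line: str, client_ip: str, server_ip: str,
                    from_client: bool, loose: bool = False) -> Optional[Expectation]:
    """Return the Expectation this control-channel line would create, or None.

    None also covers the case the helper refuses by default (loose off): the
    announced address is not the address of the peer that announced it, e.g. a
    client behind a misconfigured NAT putting its private address in PORT.
    With no expectation the data SYN is NEW, not RELATED.
    """
    if from_client:
        m = PORT_RE.match(line)
        if m:
            host, port = _rfc959_hostport(m.groups())
        else:
            m = EPRT_RE.match(line)
            if not m:
                return None
            host, port = m.group(1), int(m.group(2))
        if not (0 < port < 65536) or (not loose and host != client_ip):
            return None
        # Active mode: the server's own SYN leaves through OUTPUT.
        return Expectation("active", server_ip, host, port, "OUTPUT")

    m = PASV_RE.match(line)
    if m:
        host, port = _rfc959_hostport(m.groups())
    else:
        m = EPSV_RE.match(line)
        if not m:
            return None
        host, port = server_ip, int(m.group(1))  # EPSV carries only the port
    if not (0 < port < 65536) or (not loose and host != server_ip):
        return None
    # Passive mode: the client's SYN arrives through INPUT.
    return Expectation("passive", client_ip, host, port, "INPUT")


def session_expectations(transcript: List[Tuple[str, str]], client_ip: str,
                         server_ip: str, loose: bool = False) -> List[Expectation]:
    """Walk a (direction, line) transcript; "C" = client->server, "S" = server->client."""
    found = []
    for direction, line in transcript:
        exp = expectation_for(line, client_ip, server_ip, direction == "C", loose)
        if exp is not None:
            found.append(exp)
    return found


# Constructed control-channel transcript using RFC 5737 documentation addresses.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SAMPLE_SESSION = [
    ("C", "USER anonymous\r\n"),
    ("S", "331 Please specify the password.\r\n"),
    ("C", "PASS guest@\r\n"),
    ("S", "230 Login successful.\r\n"),
    ("C", "PORT 192,0,2,10,4,1\r\n"),                              # active, port 1025
    ("S", "200 PORT command successful.\r\n"),
    ("C", "PASV\r\n"),
    ("S", "227 Entering Passive Mode (198,51,100,5,39,16).\r\n"),  # passive, port 10000
    ("C", "PORT 10,0,0,9,4,2\r\n"),                                # address is not the client's: refused
    ("C", "EPRT |1|192.0.2.10|2000|\r\n"),
    ("S", "229 Entering Extended Passive Mode (|||2001|)\r\n"),
]

if __name__ == "__main__":
    for e in session_expectations(SAMPLE_SESSION, CLIENT, SERVER):
        print(f"{e.mode:7s} {e.src} -> {e.dst}:{e.dport}  RELATED in {e.chain}")
```

On a 2.6 kernel with ip_conntrack the live counterpart of `session_expectations` is `/proc/net/ip_conntrack_expect`: if an FTP login followed by PORT or PASV leaves nothing there, the helper never saw a usable announcement (wrong address in the announcement, control channel on a port the helper does not watch, or an encrypted control channel), and no RELATED rule in any chain can help.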


		
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux