On 2005-09-01 Stephan Balmer wrote:
>> but, once I have loaded conntrack ftp modules and I want to permit ftp
>> client connections from my private subnet, which is behind eth1, to
>> Internet through eth0, I should do:
>>
>> iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 20:21 -j ACCEPT
>
> Yes, that should work.
No. He would need either

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 20 -j ACCEPT

or

iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 1024: -j ACCEPT

The former is for active FTP, the latter for passive FTP. I *strongly*
recommend avoiding both and using connection tracking instead.

> But as others have pointed out, this is good for passive FTP
> connections only; if your clients want to use active FTP, you need
> connection tracking (look for a kernel module ip_conntrack_ftp).

Wrong. Port 20/tcp on the server is *only* needed for *active* FTP (and
would then have to be a --sport anyway, since the server initiates the
data connection). Passive FTP uses TCP ports above 1023 for the data
connection, which is initiated by the client. However, with connection
tracking enabled, you only need to allow 21/tcp for either active or
passive FTP, since the data connection will be RELATED to the already
ESTABLISHED control connection.

> In most cases, it's far easier and more secure to configure your clients
> to use passive mode than to fiddle with conntrack; many clients work
> passive by default.

Without connection tracking that'll work only if you allowed outbound
connections to non-privileged ports.

> Active FTP vs. Passive FTP, a Definitive Explanation:
> http://slacksite.com/other/ftp.html

May I suggest you re-read that page yourself?

Regards
Ansgar Wiechers
-- 
"Another option [for defragmentation] is to back up your important files,
erase the hard disk, then reinstall Mac OS X and your backed up files."
--http://docs.info.apple.com/article.html?artnum=25668
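The three rulesets discussed in this message, side by side, as an added example that is not part of Ansgar's mail or the thread: the two stateless variants (active and passive FTP) and the connection-tracking variant he recommends. It assumes the thread's interface layout (LAN behind eth1, Internet on eth0); the function names, the IPT/MODPROBE/LAN/WAN variables and the dry-run default are this example's own conventions. The `-t raw ... -j CT --helper ftp` rule is only needed on Linux 4.7 and later, where conntrack helpers are no longer attached to connections automatically; on the 2.4/2.6 kernels of the thread, loading ip_conntrack_ftp was enough.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows the stateless rulesets
# for active and passive FTP next to the connection-tracking ruleset.
# Assumptions (this example's own): LAN behind eth1, Internet on eth0.
# IPT and MODPROBE default to a dry run that only prints the commands;
# run as root with IPT=iptables MODPROBE=modprobe to apply them.

IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
LAN="${LAN:-eth1}"
WAN="${WAN:-eth0}"

# Stateless rules for active FTP: the client opens server:21, then the server
# opens the data connection from port 20 back to the client, so the inbound
# path has to be opened by source port. Anyone on the Internet can pick
# source port 20, so this hole is not limited to FTP servers.
ftp_stateless_active_rules() {
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 21 -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp --sport 20 -j ACCEPT
}

# Stateless rules for passive FTP: the client opens the data connection to an
# unprivileged port on the server, so every outbound port above 1023 is opened,
# not just the one the server announced in its PASV reply.
ftp_stateless_passive_rules() {
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 21 -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 1024: -j ACCEPT
}

# Connection tracking: only the control connection gets an explicit rule. The
# ftp helper parses PORT/PASV on port 21 and marks the resulting data
# connection RELATED, whichever side opens it, so both modes work without
# either of the holes above.
ftp_conntrack_rules() {
    # Module name depends on the kernel: ip_conntrack_ftp on the 2.4/2.6
    # kernels of the thread, nf_conntrack_ftp on anything recent.
    $MODPROBE nf_conntrack_ftp
    # Since Linux 4.7 helpers are not attached automatically; bind the ftp
    # helper to outbound control connections explicitly in the raw table.
    $IPT -t raw -A PREROUTING -i "$LAN" -p tcp --dport 21 -j CT --helper ftp
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Count the rules in a ruleset that open traffic by source port or by a whole
# port range, i.e. the holes that connection tracking makes unnecessary.
# Usage: count_wide_open ftp_stateless_active_rules
count_wide_open() {
    "$1" | grep -c -e '--sport 20' -e '--dport 1024:' || true
}

# Dry run: print the recommended ruleset.
ftp_conntrack_rules
```

In dry-run mode each function just prints the commands, so the rulesets can be reviewed (or diffed against a running firewall's `iptables-save` output) before anything is applied. Note that the conntrack ruleset relies on the ftp helper actually seeing the control channel: if the control connection is encrypted (FTPS with AUTH TLS), the helper cannot read PORT/PASV and passive data connections fall back to needing the port-range rule.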