Dear Forum ,

im trying to secure my ftp server with an iptables firewall. After connection establishing I cant open the releated highport data channels whats wron ?
here the related script lines:

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

$IPTAB -P INPUT DROP
$IPTAB -P OUTPUT DROP
$IPTAB -P FORWARD DROP

$IPTAB -A OUTPUT -p TCP -s 0/0 --sport 21 --dport $HIGHP -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTAB -A INPUT -p TCP -s 0/0 --sport $HIGHP --dport 21 -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTAB -A OUTPUT -p TCP -s 0/0 --sport $HIGHP --dport $HIGHP -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTAB -A INPUT -p TCP -s 0/0 --sport $HIGHP --dport $HIGHP -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I expected the mods to notice the related data ports so they can be accepted here?

Thanks for any ideas. ...

regards,

Filip

can we start with which flavor of iptables, and, what do the logs say?

its the version iptables v1.4.2-rc1
which logs do you mean ?
my ftp client can open the connection but if it tries to get the directory content the passive mode cant geht the connection...
all the policies are on drop so the packets are not logged...

the logs that iptables generates

do you have a wireshark cap from client side while you try and connect??

Two suggestions:
1 - verify that the conntrack module is actually present
2 - start with a simple script, such as allowing high port 1024 in addition to the standard ports 20,21 as in this how to: http://www.cyberciti.biz/faq/iptable...s-not-working/

This will at least help isolate what part of your iptables configuration is causing you trouble.

OK I will verify if the module is present, but for me the rest seems pretty clear:
if i open the 1024: ports , everything works fine, so it seems, that the rule which only lets related,established connections above 1024 causes the trouble. the ftp conntrack module should handle these connections but it seems that it doesnt do it.