Proftpd passive connections
I stopped passive connections; they open too big a hole in my firewall (60000:65535). So to stop it I'm using:
Quote:
Thanks. :tisk:
I don't think I'm asking the world ... (lots of my posts stay at 0 ...)
Anyway, I saw passive connections are important for FTP; the problem is in the firewall script for an FTP server behind NAT. On proftpd I have PassivePorts 60000 65534
Quote:
Quote:
Simple, isn't it???
Your firewall rule doesn't tell iptables what to do with packets that match it. So you'll need to add an "if-the-packet-matches-DO-SOMETHING". This *something*, I'm assuming, is DNATing. So here's how the rule should look:
Code:
# The DNAT target's option is --to-destination (the post wrote --to-address, which is not a DNAT option)
$IPT -t nat -I PREROUTING -i eth0 -d 192.168.0.2 -p tcp --dport 60000:65534 -j DNAT --to-destination 192.168.0.6
That's how I'm doing it, and my FTP doesn't work .... STILL!
Quote:
I missed -j DNAT in the post, not in reality, but still ... I would avoid passive connections; too many ports to open. It would be nice to have a module allowing FTP-related connections, with whatever is not dropped by the iptables default. (???)
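The DNAT rule from the reply above only covers the nat table; the forwarded packets still have to pass the FORWARD chain, and the passive range has to agree with proftpd's PassivePorts. The script below is an added example, not the poster's script and not code from this thread. It takes the interface and addresses mentioned in the thread as placeholders (eth0, router address 192.168.0.2, FTP server 192.168.0.6, PassivePorts 60000 65534) and prints the rules instead of applying them unless IPT and MODPROBE are pointed at the real binaries. The second function is the "module allowing ftp related connections" asked for above: the kernel's FTP connection-tracking helper (nf_conntrack_ftp / nf_nat_ftp) registers the data port announced in the PASV reply as a RELATED connection, so the whole 60000:65534 range does not have to be opened.

```sh
#!/bin/sh
# Added example, not from the thread: iptables rules for a ProFTPD server that
# sits behind a Linux NAT router. Addresses and interface are placeholders
# taken from the thread; adjust them (and PassivePorts) to your own network.
# IPT defaults to "echo iptables", so running this only prints the rules.
IPT=${IPT:-"echo iptables"}
MODPROBE=${MODPROBE:-"echo modprobe"}
WAN_IF=${WAN_IF:-eth0}           # interface the router faces the clients on
WAN_IP=${WAN_IP:-192.168.0.2}    # address the clients connect to
FTP_SRV=${FTP_SRV:-192.168.0.6}  # internal proftpd host (DNAT target)
PASV_LO=${PASV_LO:-60000}        # must match "PassivePorts 60000 65534"
PASV_HI=${PASV_HI:-65534}

# Variant 1: the approach discussed in the thread. Every port of the passive
# range is DNATed and forwarded, which is the "too big hole" the OP dislikes.
ftp_nat_static() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SRV"
    $IPT -A FORWARD -i "$WAN_IF" -d "$FTP_SRV" -p tcp --dport 21 -j ACCEPT
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp \
        --dport "$PASV_LO:$PASV_HI" -j DNAT --to-destination "$FTP_SRV"
    $IPT -A FORWARD -i "$WAN_IF" -d "$FTP_SRV" -p tcp \
        --dport "$PASV_LO:$PASV_HI" -j ACCEPT
    # replies from the server and any already-tracked flow
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Variant 2: let the kernel's FTP connection-tracking helper do the work.
# nf_conntrack_ftp reads the PASV reply on the control connection and
# registers the announced data port as an expected (RELATED) connection;
# nf_nat_ftp additionally rewrites the address inside the 227 reply so the
# client sees the router's address rather than the server's private one.
ftp_nat_helper() {
    $MODPROBE nf_conntrack_ftp   # ip_conntrack_ftp on 2.4 / early 2.6 kernels
    $MODPROBE nf_nat_ftp         # ip_nat_ftp on those kernels
    # Since kernel 4.7 helpers are no longer attached automatically; the CT
    # target in the raw table assigns the ftp helper to port-21 connections.
    $IPT -t raw -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 -j CT --helper ftp
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SRV"
    $IPT -A FORWARD -i "$WAN_IF" -d "$FTP_SRV" -p tcp --dport 21 -j ACCEPT
    # The passive data connection arrives as RELATED, so this single rule
    # admits it without opening 60000:65534 to everyone.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Number of iptables invocations a variant makes; handy for checking a dry run.
rule_count() { "$1" | grep -c '^iptables '; }

# "static" or "helper" (default) selects the variant when run as a script.
case "${1:-helper}" in
    static) ftp_nat_static ;;
    helper) ftp_nat_helper ;;
    *) echo "usage: $0 [static|helper]" >&2; exit 2 ;;
esac
```

Saved as, say, ftp-nat.sh (a name chosen here), `sh ftp-nat.sh static` prints the full-range ruleset and `sh ftp-nat.sh helper` the helper-based one; `IPT=/sbin/iptables MODPROBE=/sbin/modprobe sh ftp-nat.sh helper` applies it as root. The helper variant still needs PassivePorts on the server, but only so the server's own INPUT chain knows which ports to expect; the router no longer forwards them blindly.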
Tried to connect to the link provided, but no go.
Could you provide more details about your setup: 1) There seem to be 2 private networks (192.168.0.0 & 192.168.1.0), is this correct?
Quote:
3) Did you try this?
Code:
... -j DNAT --to-destination 192.168.1.6
I have configured proftpd PassivePorts 60000:65534; on the router, ports 20, 21 and 60000:65534 are open (???). The linuxbox has default INPUT DROP, and all these ports are allowed in PREROUTING and DNATted to the FORWARD chain, where of course they are all allowed ... proftpd looks easy ...
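Whether the forwarded range is 60000:65534 or anything else, the only thing that matters to the client is the address and port the server puts in its 227 reply, and a server behind NAT will announce its private address unless told otherwise. The checker below is an added example, not part of this thread, that parses a 227 line and reports whether the announced endpoint is reachable from outside: it takes the port range from the thread's PassivePorts 60000 65534, and the three sample replies are constructed here, not captured from the poster's server.

```sh
#!/bin/sh
# Added example, not from the thread: check what a ProFTPD server advertises in
# its PASV reply. The firewall can only forward what the server announces, so
# a passive-mode failure is often visible right here. The 227 lines below are
# constructed, not captured from the poster's server; the port range comes
# from the thread's "PassivePorts 60000 65534".
PASV_LO=60000
PASV_HI=65534

# pasv_parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> "h1.h2.h3.h4 port"
# The port is p1*256 + p2, as RFC 959 defines it.
pasv_parse() {
    set -- $(printf '%s\n' "$1" | sed -n \
        's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1 \2 \3 \4 \5 \6/p')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# is_private addr -> true for RFC 1918 space, which no Internet client can reach
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# pasv_check "<227 line>" -> prints "ok|bad-port|private-addr addr port";
# exit status is 0 only when the advertised endpoint is usable from outside.
pasv_check() {
    ep=$(pasv_parse "$1") || { echo "unparseable"; return 1; }
    set -- $ep
    if [ "$2" -lt "$PASV_LO" ] || [ "$2" -gt "$PASV_HI" ]; then
        echo "bad-port $1 $2"; return 1      # outside the forwarded range
    fi
    if is_private "$1"; then
        echo "private-addr $1 $2"; return 1  # server announced its LAN address
    fi
    echo "ok $1 $2"
}

# Constructed sample replies (203.0.113.0/24 is documentation address space).
SAMPLE_OK="227 Entering Passive Mode (203,0,113,10,234,96)."
SAMPLE_PRIVATE="227 Entering Passive Mode (192,168,0,6,234,96)."
SAMPLE_BADPORT="227 Entering Passive Mode (203,0,113,10,19,137)."

for reply in "$SAMPLE_OK" "$SAMPLE_PRIVATE" "$SAMPLE_BADPORT"; do
    pasv_check "$reply" || true
done
```

Feed pasv_check the 227 line that `curl -v ftp://host/` or a verbose ftp client prints. A private-addr result means the server is announcing its LAN address; the fixes are either ProFTPD's MasqueradeAddress directive (not mentioned in the thread), which makes the server announce the router's public address, or the nf_nat_ftp helper on the router, which rewrites the reply in transit. A bad-port result means PassivePorts on the server and the forwarded range on the router disagree.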