Final solution in reference to thread "IPTABLES rules for active FTP"
Just wanted to reply on some years old thread on https://www.linuxquestions.org/quest...ive-ftp-22127/ which is still up to date.
Would be great if a moderator could add the following information to the end of the above thread, because I just saw that it got already closed: The true Linux spirit did it and still does it =) This topic is pretty current, since I also arrived on http://ubuntuforums.org/showthread.php?t=2116042, which is a thread from early 2013. Since nowadays ip_conntrack_ftp is already loaded on most machines, the helper module was the hint I needed: Doing iptables for a while now, but the first time I am hearing about helper modules. Me loves Linux more now :)

Just to round the thread up, here are the final rules needed for punching a little hole in our ftp-client machine towards a ftp-server:

#ftp on 21:
iptables -A OUTPUT -o eth0 -p tcp -s $ownip -d $remoteip --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -d $ownip -s $remoteip -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#ftp data for 21:
iptables -A OUTPUT -o eth0 -p tcp -s $ownip -d $remoteip -m helper --helper ftp-21 -j ACCEPT
iptables -A INPUT -i eth0 -d $ownip -s $remoteip -p tcp -m helper --helper ftp-21 -j ACCEPT

Whereupon $ownip is a local IP address at your machine on eth0, and $remoteip is the server's IP address. I explicitly used ftp-21, because that way you can modify the helper to also use a non-standard ftp port. Most important reason to leave a thread open: People in 10 years also just want solutions for the same problems.
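Added example, not the poster's rules: a small POSIX sh script that prints the same kind of client-side rule set, plus the explicit conntrack-helper assignment (CT target in the raw table) that kernels from 4.7 on need, because automatic helper assignment is off by default there and was removed entirely in 6.x. The helper name follows the xt_helper convention ("ftp" on port 21, "ftp-PORT" otherwise). The function name, the interface and the documentation-range addresses are assumptions made up for the example; the script only prints commands, so you can review them before piping them to sh as root.

```shell
#!/bin/sh
# Added example (not from the forum thread). Emits iptables rules that let a
# client behind a restrictive firewall use active FTP towards one server, opening
# only the control connection and the data connections the FTP conntrack helper
# actually saw negotiated (no fixed port 20 or port-range holes).

# ftp_client_rules OWNIP REMOTEIP IFACE [PORT]
# Prints the commands to stdout; review them, then "| sh" as root to apply.
ftp_client_rules() {
    ownip=$1
    remoteip=$2
    iface=$3
    port=${4:-21}

    # nf_conntrack_ftp names its helper "ftp" for port 21 and "ftp-<port>"
    # when loaded with a non-default ports= parameter.
    if [ "$port" = "21" ]; then
        helper=ftp
    else
        helper="ftp-$port"
    fi

    cat <<EOF
# load the FTP conntrack helper (module parameter selects the control port)
modprobe nf_conntrack_ftp ports=$port
# attach the helper explicitly to the control connection; since kernel 4.7
# helpers are no longer assigned automatically, so without this line the
# data-connection rules below never match
iptables -t raw -A OUTPUT -o $iface -p tcp -s $ownip -d $remoteip --dport $port -j CT --helper $helper
# control connection on port $port
iptables -A OUTPUT -o $iface -p tcp -s $ownip -d $remoteip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $iface -p tcp -s $remoteip -d $ownip --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
# data connections: RELATED on the first packet the helper expected, ESTABLISHED afterwards
iptables -A OUTPUT -o $iface -p tcp -s $ownip -d $remoteip -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper $helper -j ACCEPT
iptables -A INPUT -i $iface -p tcp -s $remoteip -d $ownip -m conntrack --ctstate RELATED,ESTABLISHED -m helper --helper $helper -j ACCEPT
EOF
}

# constructed sample values (documentation ranges), printed when run directly
ftp_client_rules 192.0.2.10 198.51.100.5 eth0
```

The RELATED state on the incoming data rule is what makes this safe for active mode: the server's connection back to the client is accepted only because the helper created an expectation for exactly that address and port from the PORT command, and you can confirm it is being tracked with `conntrack -L expect` while a transfer runs.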