[nSLUG] iptables and ftp

Mike Spencer mspencer at tallships.ca
Mon Apr 14 03:38:43 ADT 2008


How do I tell iptables to ACCEPT data connections from ftp remote
hosts to which I've established a command session?

It makes logical sense that "RELATED" would work.  I have:

     -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
     -A INPUT  -m state --state ESTABLISHED,RELATED     -j ACCEPT

but ftp sessions that work fine at the command level still fail at the
data transfer point unless I insert an explicit ACCEPT for the
particular ftp server host.  That's an okay workaround in some cases
but not in others.

It doesn't make sense that I should just leave port 20 open,
i.e. ACCEPT packets indiscriminately from any host, anytime on that
port, even if I think  nothing is listening there.  Or am I wrong
about that?

So what am I missing about RELATED?  The manpage explicitly mentions ftp
as a reason for using RELATED.


(This failure only occurs with command line ftp sessions, not with
ftp://host.dom/path URLs in my browser. I don't understand that,
either.)



- Mike

-- 
Michael Spencer                  Nova Scotia, Canada       .~. 
                                                           /V\ 
mspencer at tallships.ca                                     /( )\
http://home.tallships.ca/mspencer/                        ^^-^^




More information about the nSLUG mailing list