[nSLUG] iptables and ftp
mspencer at tallships.ca
Mon Apr 14 03:38:43 ADT 2008
How do I tell iptables to ACCEPT data connections from ftp remote
hosts to which I've established a command session?
It makes logical sense that "RELATED" would work. I have:
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
but ftp sessions that work fine at the command level still fail at the
data transfer point unless I insert an explicit ACCEPT for the
particular ftp server host. That's an okay workaround in some cases
but not in others.
It doesn't make sense that I should just leave port 20 open,
i.e. ACCEPT packets indiscriminately from any host, anytime on that
port, even if I think nothing is listening there. Or am I wrong?
So what am I missing about RELATED? The manpage explicitly mentions ftp
as a reason for using RELATED.
(This failure only occurs with command line ftp sessions, not with
ftp://host.dom/path URLs in my browser. I don't understand that,
Michael Spencer Nova Scotia, Canada .~.
mspencer at tallships.ca /( )\
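As an added example (not part of the original post), the client-side rules below keep the poster's RELATED approach but also load the connection-tracking FTP helper, without which the kernel never marks the data connection as RELATED. Module and target names (nf_conntrack_ftp, ip_conntrack_ftp, the CT target) are real but assumed to be available on the kernel in use; DRY_RUN is a hypothetical switch added for testing.

```shell
#!/bin/sh
# Added example, not from the original post. RELATED matches an FTP data
# connection only when the conntrack FTP helper has parsed the PORT/PASV
# exchange on the control channel and registered an "expectation" for it.
# Without the helper, the data connection looks like an unrelated NEW flow.

# Print the commands instead of running them when DRY_RUN=1 (hypothetical).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Load the FTP helper (nf_conntrack_ftp; older 2.6 kernels call it ip_conntrack_ftp).
load_ftp_helper() {
    run modprobe nf_conntrack_ftp || run modprobe ip_conntrack_ftp
}

# Check: is the helper actually loaded? This is the first thing to verify
# when RELATED "doesn't work" for FTP.
ftp_helper_loaded() {
    grep -qE '^(nf|ip)_conntrack_ftp ' /proc/modules 2>/dev/null
}

apply_ftp_client_rules() {
    load_ftp_helper
    # Kernels since 4.7 no longer assign helpers automatically; bind the ftp
    # helper to outbound control sessions explicitly. Older kernels without
    # the CT target can drop this line.
    run iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
    # Outbound: new control sessions, replies, and helper-expected data flows.
    run iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Inbound: replies plus active-mode data connections from the server,
    # accepted only because the helper expected them. Port 20 is never
    # opened to arbitrary hosts, which is the poster's concern.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state NEW -j DROP
}

# Show pending expectations; an entry appears here between the PORT/PASV
# command and the data connection if the helper is doing its job.
show_ftp_expectations() {
    cat /proc/net/nf_conntrack_expect 2>/dev/null \
        || echo "no expectation table: conntrack or the FTP helper is not loaded"
}
```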