[CentOS] ftp and iptables
Robert Spangler
mlists at zoominternet.net
Sat Jan 24 02:42:25 UTC 2009
On Thursday 22 January 2009 17:28, Agile Aspect wrote:
> Regarding item (2), I would guess I would have to add the following
> entries:
>
> Active:
> ---------
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20
> --sport 40000:60000 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT
All FTP connections begin with port 21. Port 20 is a DATA connection.
ip_conntrack_ftp will track connections needing the data port open.
> Passive:
> ----------
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport
> 40000:60000 --sport 40000:60000 -j ACCEPT
> -A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT
Do you have a rule like this:
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
If not, you should place this in your rules. This rule eliminates the need to
continuously add rules to allow outgoing connections for allowed incoming
connections.
If you do then you should not need the OUTPUT rules you listed above.
--
Regards
Robert
Linux User #296285
http://counter.li.org
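As an added example (not part of the thread), the following script prints the two rule sets being compared: the minimal one that works once ip_conntrack_ftp is loaded and a RELATED,ESTABLISHED rule is present, and the one you are pushed into without the helper, where the whole passive range must be opened. It also checks rule text for the `--m state` typo. The chain name RH-Firewall-1-INPUT comes from the thread; the passive range 40000:60000 is an assumption and must match the FTP daemon's own passive-port setting. Output is a dry run; review it, then pipe it to `sh` as root.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands; it does not
# apply them. Chain RH-Firewall-1-INPUT is the CentOS default used in the
# thread; the PASV range passed to ftp_rules_without_helper is an assumption.

# ftp_rules_with_helper
# Port 21 is the only NEW connection allowed. Active data (server port 20
# outbound) and passive data (server high port inbound) are matched as
# RELATED once the helper has parsed the PORT/PASV exchange on port 21.
ftp_rules_with_helper() {
    cat <<'EOF'
modprobe ip_conntrack_ftp
iptables -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
EOF
}

# ftp_rules_without_helper LOW HIGH
# Without the helper the passive range LOW:HIGH must be opened to everyone,
# not only to clients that actually negotiated a transfer.
ftp_rules_without_helper() {
    low=$1
    high=$2
    cat <<EOF
iptables -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport ${low}:${high} -j ACCEPT
EOF
}

# helper_loaded
# Returns 0 if the FTP conntrack helper is in the running kernel under its
# old (ip_conntrack_ftp) or newer (nf_conntrack_ftp) name, 1 otherwise.
helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp ' /proc/modules 2>/dev/null
}

# lint_rules
# Reads rule text on stdin and rejects the "--m state" typo (iptables takes
# "-m"); returns 1 and names the offending line, 0 if the text is clean.
lint_rules() {
    bad=$(grep -n -- '--m ' || true)
    if [ -n "$bad" ]; then
        printf 'bad match option: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Dry run: show the helper-based rule set and lint it.
ftp_rules_with_helper
ftp_rules_with_helper | lint_rules
```

Note that the helper-based set contains no rule for port 20 or for the passive range at all; the RELATED state does that work. On recent kernels the helper is no longer assigned automatically and must be attached in the raw table with a CT target, which is outside what this 2009 thread covers.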