On Tue, 2 Apr 2013, Reindl Harald wrote:
Am 02.04.2013 02:04, schrieb Max Pyziur:
[root@srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
So, are you saying this last line is key?
it is on my fedora machines acting as FTP behind a NAT
Because on the CentOS 5 setup I see: IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
While on the CentOS 6 setup I see: IPTABLES_MODULES=""
What is the correct/recommended setting?
there is no "correct/recommended setting"
if you are behind a NAT you need a different config than if you have a public IP on your machine, that is why configs exist
Not behind a NAT ...
with passive FTP the server answers with port AND ip-address for the data-connection (which is an idiotic design but it is how it is) and if the client follows this response it fails
so the way to go is translate the response in whatever stateful filter in front of the FTP server
this is called ALG (application layer gateway) and part of any reliable stateful packet filter
Adding the following line to /etc/sysconfig/iptables-config "got me home":
IPTABLES_MODULES="ip_conntrack_ftp"
Along with the above dialogue, the following page helped (me): http://www.linuxquestions.org/questions/linux-networking-3/iptables-configur...
Thanks.
Max Pyziur pyz@brama.com
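The thread's point is that the passive-mode reply carries the data-connection address and port inside the control channel, so a stateful filter can only allow (or, behind NAT, rewrite) that data connection if something parses the reply. The kernel helpers named above (nf_conntrack_ftp / ip_conntrack_ftp and nf_nat_ftp) do exactly that. The following user-space model is an added example written for this page; it is not code from the thread or from the kernel. It parses a 227 reply, derives the expected data connection the way a conntrack helper would, refuses an announced address that differs from the server's control-connection address (this mirrors the helper's strict default, which I state here as an assumption about its behaviour), and shows the NAT rewrite that nf_nat_ftp performs when the server sits behind a NAT. The addresses and replies are constructed sample values.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
# The regex only accepts six comma-separated decimal fields in parentheses.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply, or None if it does not parse.

    port is p1*256 + p2; any field above 255 makes the reply invalid.
    """
    if not reply.startswith("227"):
        return None
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expect_data_connection(reply, server_ip, client_ip, loose=False):
    """Model of what a conntrack FTP helper derives from the control channel.

    Returns the expected data flow (client_ip -> announced_ip:port) that the
    filter should treat as RELATED, or None if nothing should be expected.
    With loose=False the announced address must equal the server's own
    control-connection address (assumed strict default); loose=True accepts
    any announced address, which is the permissive mode.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    announced_ip, port = parsed
    if port == 0:
        return None
    if not loose and announced_ip != server_ip:
        return None
    return (client_ip, announced_ip, port)


def rewrite_pasv(reply, internal_ip, public_ip):
    """Model of nf_nat_ftp: rewrite the announced address for a NATed server.

    Only a reply announcing the server's internal address is rewritten to the
    public address; the port is kept, so the NAT box must forward that port.
    Anything else is returned unchanged.
    """
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != internal_ip:
        return reply
    port = parsed[1]
    p1, p2 = divmod(port, 256)
    new_fields = ",".join(public_ip.split(".") + [str(p1), str(p2)])
    return PASV_RE.sub(f"({new_fields})", reply, count=1)


if __name__ == "__main__":
    # Constructed sample exchange: server 203.0.113.5, client 198.51.100.7.
    ok = "227 Entering Passive Mode (203,0,113,5,200,10)."
    print(expect_data_connection(ok, "203.0.113.5", "198.51.100.7"))
    # Constructed NAT case: server internal 192.168.1.10 behind public 203.0.113.5.
    inside = "227 Entering Passive Mode (192,168,1,10,195,149)."
    print(rewrite_pasv(inside, "192.168.1.10", "203.0.113.5"))
```

Without a helper the filter sees only the control connection on port 21; the data connection to the announced high port looks like a fresh, unrelated inbound flow and is dropped. Loading the conntrack helper gives the filter the expectation it needs, and the NAT helper additionally fixes the address a NATed server would otherwise leak, which is the failure the thread describes.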
On Mon, Apr 1, 2013 at 8:30 PM, Max Pyziur pyz@brama.com wrote:
On Tue, 2 Apr 2013, Reindl Harald wrote:
Am 02.04.2013 02:04, schrieb Max Pyziur:
[root@srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
So, are you saying this last line is key?
it is on my fedora machines acting as FTP behind a NAT
Because on the CentOS 5 setup I see: IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
While on the CentOS 6 setup I see: IPTABLES_MODULES=""
What is the correct/recommended setting?
there is no "correct/recommended setting"
if you are behind a NAT you need a different config than if you have a public IP on your machine, that is why configs exist
Not behind a NAT ...
with passive FTP the server answers with port AND ip-address for the data-connection (which is an idiotic design but it is how it is) and if the client follows this response it fails
so the way to go is translate the response in whatever stateful filter in front of the FTP server
this is called ALG (application layer gateway) and part of any reliable stateful packet filter
Adding the following line to /etc/sysconfig/iptables-config "got me home":
IPTABLES_MODULES="ip_conntrack_ftp"
Great.
Kindly do not change the subject of your messages. It screws up thread grouping in many mail clients and confuses people. Plus if we keep things together someone having the same problem in the future might be able to find the solution without asking the same question again. Thanks. :)
Along with the above dialogue, the following page helped (me):
http://www.linuxquestions.org/questions/linux-networking-3/iptables-configur...
Thanks.
Max Pyziur pyz@brama.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos