Iptables – With PureFTPd, Passive mode doesn’t work if I don’t accept new connections in iptables

ftpiptables

I configured Pure-FTPd-MySQL + IPTables but I have a problem with Passive mode (who doesn't?)

I forced this port range:

echo "1024 65535" > /etc/pure-ftpd/conf/PassivePortRange

In Iptables, a few rules handle FTP limitations. And I've got a problem with one of these:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

I want to disallow the NEW connections but if I do so, passive mode doesn't work anymore. Any idea why? I don't see any reason for this.

Best Answer

ip_conntrack and ip_conntrack_ftp were missing. I added them to /etc/modules and voila.

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Would it not be easier to switch off ssh forwarding on the ssh server? Just change AllowTcpForwarding from yes to no in your /etc/ssh/sshd_config. If this doesn't suit, you could try something along the lines of

iptables -A OUTPUT -o eth1 -p tcp --cmd-owner "sshd" -j DROP

Iptables allow http incoming connections, state NEW, ESTABLISHED

The former rule employs connection tracking, the latter does not. The connection tracking entries are needed for the reply packets to get through. When the connection tracking system allows a packet in that establishes a connection or logical association, an automatic, temporary reflexive rule is created to allow the reply packets out.

Best Answer

Related Solutions

Ssh – iptables rules to block ssh remote forwarded ports

Iptables allow http incoming connections, state NEW, ESTABLISHED

Related Topic