<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
please load the nf_conntrack_ftp module (modprobe nf_conntrack_ftp)<br>
your original iptables rules look good<br>
ip_conntrack is compiled into kernel already<br>
jkk<br>
--<br>
On 2010-03-27 13:04, Edward. S. P. Leong wrote:
<blockquote cite="mid:4BADF445.8030405@ita.org.mo" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
Hello,<br>
<br>
[root@host1 ~]# lsmod|grep ftp<br>
[root@host1 ~]#<br>
<br>
Output is nothing <br>
<br>
And:<br>
<br>
[root@host1 ~]# iptables -A INPUT -i eth1 -m nf_conntrack_ftp -p tcp
--dport 21 -d 192.168.1.254 -j ACCEPT<br>
iptables v1.4.3.1: Couldn't load match
`nf_conntrack_ftp':/lib/xtables/libipt_nf_conntrack_ftp.so: cannot open
shared object file: No such file or directory<br>
<br>
Try `iptables -h' or 'iptables --help' for more information.<br>
[root@host1 ~]#<br>
<br>
None of the modules can be loaded...<br>
<br>
Any other help ?<br>
<br>
Thanks !<br>
<br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:jkk@csk.umed.lodz.pl">jkk@csk.umed.lodz.pl</a> wrote:
<blockquote
cite="mid1a3cadd5d58f6373bd94bc3762177785.squirrel@csk.umed.lodz.pl"
type="cite">
<pre wrap="">What is output from command:
lsmod|grep ftp
module nf_conntrack_ftp is a must for passive mode
On Saturday, 27 March 2010, 09:42, Edward. S. P. Leong wrote:
</pre>
<blockquote type="cite">
<pre wrap="">ftp client ( passive mode ) :
227 Entering Passive Mode (192,168,1,254,226,220).
connecting to 192.168.1.254:58076
- -
connecting to 192.168.1.254:58076
! Connection failed 192.168.1.254 - connection timed out
! connect: error 0
PORT 192,168,1,101,17,247
200 PORT command successful
LIST
150 Opening ASCII mode data connection for file list
Received 61 bytes in 0.1 secs, (6100.00 bps), transfer succeeded
226 Transfer complete
-------- Original Message --------
Subject:         Firewall ( iptables ) enabled for ftp ( active mode & passive
mode ) problem
Date:         Sat, 27 Mar 2010 16:39:01 +0800
From:         Edward. S. P. Leong <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E" href="mailto:edwardspl@ita.org.mo"><edwardspl@ita.org.mo></a>
To:         <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:fedora-list@redhat.com">fedora-list@redhat.com</a> <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="mailto:fedora-list@redhat.com"><fedora-list@redhat.com></a>,
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:proftp-user@lists.sourceforge.net">proftp-user@lists.sourceforge.net</a>
Dear All,
Mine is FC11 OS...
So, how can we enable the firewall ( iptables ) for using ftp ( active
mode & passive mode ) service ?
For the existing setting :
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
int="eth1"
int_add="192.168.1.254"
int_src="192.168.1.0/24"
# Only allow users to use port 22 ( ssh services ) :
iptables -A INPUT -i $int -p tcp --dport 22 -s $int_src -d $int_add -j
ACCEPT
# Only allow users to use port 20 & 21 ( ftp services ) :
iptables -A INPUT -i $int -p tcp --dport 20 -s $int_src -d $int_add -j
ACCEPT
iptables -A INPUT -i $int -p tcp --dport 21 -s $int_src -d $int_add -j
ACCEPT
# ping ( ICMP )
iptables -A INPUT -i $int -p icmp --icmp-type echo-request -s $int_src
-d $int_add -j ACCEPT
Problem of ftp client :
connection timeout
Thanks !
Edward.
--
users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:users@lists.fedoraproject.org">users@lists.fedoraproject.org</a>
To unsubscribe or change subscription options:
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://admin.fedoraproject.org/mailman/listinfo/users">https://admin.fedoraproject.org/mailman/listinfo/users</a>
Guidelines: <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://fedoraproject.org/wiki/Mailing_list_guidelines">http://fedoraproject.org/wiki/Mailing_list_guidelines</a>
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
*****************************************************
* jan k.kaminski, nucl.med.dept, med.univ. of lodz *
* pgpkey <a class="moz-txt-link-freetext" href="http://w4u.am.lodz.pl/~jkk/">http://w4u.am.lodz.pl/~jkk/</a> *
***** BC02 E8F1 7FAE 1138 9182 F56D BC5A 4059 ******
fluctuat nec mergitur</pre>
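Added example, not part of the thread and not the kernel's code: the Python below parses the two control-channel lines from Edward's client log (the 227 PASV reply and the PORT command) the way nf_conntrack_ftp has to, derives the data-connection endpoint, and runs it through a toy model of the INPUT chain from his ruleset (ESTABLISHED,RELATED accepted, then ports 22/20/21 to 192.168.1.254, then the DROP policy). It shows why passive mode times out without the helper and why active mode worked anyway. Note that `-m nf_conntrack_ftp` is not an iptables match (hence the "Couldn't load match" error); the helper is a kernel module, and once it is loaded it takes effect through the existing `--state ESTABLISHED,RELATED` rule. The function names, the `input_verdict` model and `SERVER_IP` are my own assumptions for the illustration.

```python
"""Passive vs. active FTP through the INPUT chain from the thread.

Added example (not from the mailing-list thread). It parses the FTP control
channel the way nf_conntrack_ftp must, derives the data-channel endpoint, and
runs that endpoint through a toy model of the poster's INPUT rules.
"""
import re
from typing import Optional, Tuple

# int_add from the poster's ruleset (assumed server address for the model).
SERVER_IP = "192.168.1.254"

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -- server announces where
# the client must connect for the data channel; port = p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "PORT h1,h2,h3,h4,p1,p2" -- client announces where the server must connect.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _endpoint(groups: Tuple[str, ...]) -> Optional[Tuple[str, int]]:
    """Turn the six decimal fields into (ip, port); reject out-of-range bytes."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    m = PASV_RE.match(line.strip())
    return _endpoint(m.groups()) if m else None


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    m = PORT_RE.match(line.strip())
    return _endpoint(m.groups()) if m else None


def input_verdict(dst_ip: str, dst_port: int, ctstate: str) -> str:
    """Rule order from the post: ESTABLISHED,RELATED, then 22/20/21, then DROP."""
    if ctstate in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if dst_ip == SERVER_IP and dst_port in (22, 20, 21):
        return "ACCEPT"
    return "DROP"  # -P INPUT DROP


def passive_data_verdict(pasv_reply: str, helper_loaded: bool) -> str:
    """Verdict on the client's SYN to the port announced in the 227 reply."""
    ep = parse_pasv_reply(pasv_reply)
    if ep is None:
        raise ValueError("not a PASV reply")
    ip, port = ep
    # With nf_conntrack_ftp loaded the helper registers an expectation for
    # exactly this endpoint, so conntrack tags the incoming SYN as RELATED.
    # Without it the SYN is a NEW connection to a high port and is dropped,
    # which the client reports as "connection timed out".
    ctstate = "RELATED" if helper_loaded else "NEW"
    return input_verdict(ip, port, ctstate)


def active_data_verdict(port_command: str) -> str:
    """Active mode: the server opens the data connection itself from port 20
    (OUTPUT policy ACCEPT), so the client's packets arriving on INPUT belong to
    an ESTABLISHED connection; no helper is needed. (This model ignores NAT.)"""
    if parse_port_command(port_command) is None:
        raise ValueError("not a PORT command")
    return input_verdict(SERVER_IP, 20, "ESTABLISHED")


# Control-channel lines as they appear in the thread's client log.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,254,226,220)."
PORT_COMMAND = "PORT 192,168,1,101,17,247"

if __name__ == "__main__":
    print(parse_pasv_reply(PASV_REPLY))                          # ('192.168.1.254', 58076)
    print(parse_port_command(PORT_COMMAND))                      # ('192.168.1.101', 4599)
    print(passive_data_verdict(PASV_REPLY, helper_loaded=False))  # DROP
    print(passive_data_verdict(PASV_REPLY, helper_loaded=True))   # ACCEPT
    print(active_data_verdict(PORT_COMMAND))                      # ACCEPT
```

The 227 reply in the log resolves to 192.168.1.254:58076, exactly the port the client then fails to reach, which is the signature of a missing conntrack helper behind a default-DROP INPUT chain. One caveat for anyone applying jkk's advice on a kernel newer than the FC11 one in the thread: since Linux 3.5 automatic helper assignment is disabled by default, so loading the module is not enough and the helper has to be bound explicitly, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.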
</body>
</html>