Firewall config and ftp server

Rick Stevens ricks at nerd.com
Thu Mar 11 18:16:04 UTC 2010


On 03/11/2010 08:17 AM, Edward. S. P. Leong wrote:
> Rick Stevens wrote:
>> On 03/09/2010 07:47 PM, NoSpaze wrote:
>>
>>> On Tuesday, 09.03.2010, 23:09 +0800, Edward. S. P. Leong wrote:
>>>
>>>> NoSpaze wrote:
>>>>
>>>>> # modprobe ip_tables
>>>>> FATAL: Module ip_tables not found.
>>>>>
>>> Again: this module does not exist! Maybe ip_nat or nf_nat?
>>>
>>
>> To clarify, several kernels ago the IPV4 iptables was defaulted to being
>> built into the kernel so it doesn't need a modprobe or insmod.  Ditto
>> with the IPV4 conntrack (snippet of the default kernel config file):
>>
>> CONFIG_NF_DEFRAG_IPV4=y<<<---- Built into kernel
>> CONFIG_NF_CONNTRACK_IPV4=y<<<---- Built into kernel
>> # CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
>> CONFIG_IP_NF_QUEUE=m<<<---- Module
>> CONFIG_IP_NF_IPTABLES=y<<<---- Built into kernel
>>
>> So remove those items from your /etc/modprobe.conf file.  It is also not
>> necessary to modprobe things like the NAT module and such...if
>> there are rules in your iptables config that require them, they'll
>> be drug in by iptables itself.  The "modprobe"able modules can be
>> found by doing a
>>
>> 	ls /lib/modules/`uname -r`/kernel/net/ipv4/netfilter
>>
> Hello to you,
>
> Would you mind telling me how to apply the following iptables modules
> to an FC11 system?
>
> ip_nat_ftp
> ip_conntrack_ftp

You should just write the rules you need.  The kernel should be set up
to autoload the modules it needs to support your rules.  If you're in
doubt, use the "-m modulename" option in the rule, e.g.

	... -m nf_nat_ftp -s 10.1.0.0/24 ....

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-    "Hello. My PID is Inigo Montoya.  You `kill -9'-ed my parent    -
-                     process.  Prepare to vi."                      -
----------------------------------------------------------------------
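The approach Rick describes above (write the rules, let the kernel pull in the FTP helper) as an added example, not code from the thread. It generates an iptables-restore ruleset for an FTP server on the host; the port (21) and the use of 10.1.0.0/24 as an admin network are assumptions, as is the explicit raw-table helper assignment, which current kernels require because automatic helper attachment is disabled by default.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): build an iptables-restore
# ruleset that lets the kernel FTP connection-tracking helper admit the data
# connections belonging to an FTP control session on this host.
# Assumptions (not in the original thread): the server listens on tcp/21 and
# 10.1.0.0/24 (the subnet Rick used in his snippet) is the admin network.

FTP_PORT="${FTP_PORT:-21}"
ADMIN_NET="${ADMIN_NET:-10.1.0.0/24}"

# Emit the ruleset on stdout. The raw-table CT rule attaches the "ftp"
# helper only to control connections on our FTP port, so the helper never
# parses unrelated traffic; the helper's pinholes then show up as RELATED.
ftp_firewall_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper only to connections to the FTP control port.
-A PREROUTING -p tcp --dport ${FTP_PORT} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Data connections opened by the helper arrive as RELATED; replies as ESTABLISHED.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The FTP control channel itself.
-A INPUT -p tcp --dport ${FTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the assumed admin network.
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Report whether the FTP helper exists for the running kernel, either as a
# loadable module (modinfo finds it), already loaded, or built in.
# Returns 0 if found, 1 otherwise. Purely informational; loading is left
# to iptables, as Rick suggests.
ftp_helper_available() {
    kver=$(uname -r)
    modinfo -n nf_conntrack_ftp >/dev/null 2>&1 && return 0
    [ -d /sys/module/nf_conntrack_ftp ] && return 0
    grep -q 'nf_conntrack_ftp' "/lib/modules/${kver}/modules.builtin" 2>/dev/null && return 0
    return 1
}

# Count the COMMIT lines in a ruleset; a valid two-table ruleset has exactly 2.
count_commits() {
    printf '%s\n' "$1" | grep -c '^COMMIT$'
}

# Usage (as root): ftp_firewall_rules | iptables-restore
# Syntax check without applying: ftp_firewall_rules | iptables-restore --test
```

Scoping the helper with a CT rule is the point of the example: the helper inspects FTP commands to open pinholes for data connections, so it should only ever see the control port it is meant for.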