iptables state module & pasv ftp traffic
Martin Robb
MartinRobb at ieee.org
Thu Apr 22 19:56:25 UTC 2004
I am porting an ftp application from a 2.4.x kernel environment to
fedora core 2 test 2. When using iptables rules that worked very well
in 2.4, such as:
/sbin/iptables -A INPUT -p tcp -s 10.1.1.23 -d bastion --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s 10.1.1.23 -d bastion -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -s bastion -d 10.1.1.23 -m state --state ESTABLISHED,RELATED -j ACCEPT
where "bastion" is the local system and 10.1.1.23 the remote client, I
am finding in the FC2 2.6 kernel that traffic is blocked and SYNs from
arbitrary 10.1.1.23 ports to arbitrary bastion ports are being blocked.
If I accept all incoming TCP connections from 10.1.1.23 (i.e. drop --dport
21 from the first rule) everything works fine.
My suspicion is that the state module is not correctly identifying
RELATED traffic for PASV ftp. Has anyone else noticed similar problems?
Regards,
Martin Robb
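The symptom described in the post (data-connection SYNs from arbitrary client ports to arbitrary server ports classified as NEW rather than RELATED) is what the state match produces when no FTP connection-tracking helper is loaded: the helper is what parses the PASV reply on the control channel and registers the expected data connection. The script below is an added example, not the poster's configuration or a Fedora-supplied file. It reuses the post's three rules and its `bastion`/`10.1.1.23` placeholders, and it assumes the helper module is named `nf_conntrack_ftp` on current kernels with `ip_conntrack_ftp` as the fallback name used by 2.6 kernels of that era; the `DRY_RUN`, `run`, `ftp_helper_loaded`, `load_ftp_helper` and `ftp_rules` names are the example's own. The `ports=` module parameter lists the control-channel ports the helper inspects (21 is its default).

```shell
#!/bin/sh
# Added example: stateful iptables rules for a PASV-capable FTP server,
# plus loading of the conntrack FTP helper that makes the data connection
# RELATED. Hostnames/addresses are the post's own placeholders.
CLIENT=${CLIENT:-10.1.1.23}   # remote FTP client (from the post)
SERVER=${SERVER:-bastion}     # local FTP server (from the post)
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}         # 1 = print commands only; 0 = execute them

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ftp_helper_loaded: succeeds if a conntrack FTP helper module is listed by
# lsmod. Old 2.6 kernels call it ip_conntrack_ftp, newer ones nf_conntrack_ftp.
ftp_helper_loaded() {
    lsmod 2>/dev/null | grep -Eq '^(nf|ip)_conntrack_ftp'
}

# load_ftp_helper: load the helper so PASV data connections are tracked as
# RELATED. Without it the data SYN is NEW to the state match and falls
# through the ESTABLISHED,RELATED rule, which is the symptom in the post.
load_ftp_helper() {
    run modprobe nf_conntrack_ftp ports=21 || run modprobe ip_conntrack_ftp ports=21
}

# ftp_rules: the post's three rules, unchanged. Only the control channel is
# opened explicitly; data channels are admitted via RELATED by the helper.
ftp_rules() {
    run "$IPT" -A INPUT  -p tcp -s "$CLIENT" -d "$SERVER" --dport 21 -j ACCEPT
    run "$IPT" -A INPUT  -p tcp -s "$CLIENT" -d "$SERVER" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A OUTPUT -p tcp -s "$SERVER" -d "$CLIENT" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry-run by default so the script is safe to read and test; DRY_RUN=0 applies it.
if ! ftp_helper_loaded; then
    load_ftp_helper
fi
ftp_rules
```

Running it with `DRY_RUN=0` as root loads the helper (if absent) and installs the rules; `lsmod | grep conntrack_ftp` afterwards is the quick check that the module actually took. Two caveats worth knowing when the data connection is still rejected: the helper only watches the ports given in `ports=`, so an FTP daemon on a non-standard control port needs that port listed; and on kernels from 3.5 onward automatic helper assignment is disabled by default (sysctl `net.netfilter.nf_conntrack_helper`), so the helper has to be attached explicitly with a `-t raw` rule using `-j CT --helper ftp` on the control-port traffic.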