iptables FTP configuration

In passive-mode FTP the server opens a random high port for each data transfer and closes it when the transfer finishes; in active mode it is the client that opens a random data port and the server connects out to it from port 20. Either way the data ports cannot be listed statically, which is why firewalling FTP is harder than firewalling a single-port service. Kernels 2.4.x and later ship a connection-tracking helper that parses the FTP control channel and marks the resulting data connections as RELATED: the module is called ip_conntrack_ftp on 2.4 and early 2.6 kernels and nf_conntrack_ftp on later ones (and since kernel 4.7 the helper is no longer attached automatically; it must be bound to the control connection explicitly with the CT target in the raw table). To have the iptables init script load the module on start, set it in:
/etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_ftp"

Then open the two FTP ports. These two rules alone are not enough: the helper only marks the data connections as RELATED, and a rule accepting RELATED,ESTABLISHED traffic (as in the original article quoted below) is what actually lets them through. The port 20 rule is harmless but does little on a server, since active-mode data connections originate from the server and their replies already match ESTABLISHED.

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT

Original:

One of the main reasons people like passive FTP is that it's easier to get through firewalls with it. However, some users might not know that they need to enable passive FTP, or they may have incapable clients. To get active FTP through firewalls, start by adding these rules:

Allowing established and related connections is generally a good idea:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Inbound connections on port 21 are required:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Just to cover our bases, add in a rule to allow established and related traffic leaving port 20 on the client's machine:
iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now, you have everything you need to allow the connections, but iptables will need to be able to mark and track these connections to allow them to pass properly. That is done with the ip_conntrack_ftp kernel module. To test things out, run this:

modprobe ip_conntrack_ftp

At this point, you should be able to connect without a problem. However, to keep this module loaded whenever iptables is running, you will need to add it to /etc/sysconfig/iptables-config:

IPTABLES_MODULES="ip_conntrack_ftp"

http://rackerhacker.com/2007/07/01/active-ftp-connections-through-iptables/
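The two rule fragments above (the summary at the top and the quoted original) are combined below into one complete, applyable ruleset. This is an added example, not code from the original post or from rackerhacker.com: the iptables-restore layout, the modinfo probe for the helper module name, the raw-table CT rule for kernels 4.7 and later, and the use of `-m conntrack` instead of the older `-m state` are this example's choices. Nothing is applied until `ftp_apply` is called as root; the other functions only emit text, so the script can be sourced and inspected safely.

```shell
#!/bin/sh
# Added example (not from the original post): build and apply an iptables
# ruleset for an FTP server so that active- and passive-mode data connections
# both pass. Assumptions: control port from FTP_PORT (default 21), helper
# module detected via modinfo, iptables-restore format for the ruleset.

FTP_PORT="${FTP_PORT:-21}"

# Name of the conntrack helper module on this kernel: nf_conntrack_ftp on
# modern kernels, ip_conntrack_ftp on 2.4/early 2.6. Falls back to the old
# name when modinfo is unavailable (e.g. in a container without module files).
ftp_conntrack_module() {
    if command -v modinfo >/dev/null 2>&1 && modinfo -n nf_conntrack_ftp >/dev/null 2>&1; then
        echo nf_conntrack_ftp
    else
        echo ip_conntrack_ftp
    fi
}

# Emit the ruleset in iptables-restore format for the given control port.
# Nothing is applied here; lines starting with '#' are ignored by iptables-restore.
ftp_ruleset() {
    port="${1:-$FTP_PORT}"
    cat <<EOF
*raw
# Kernels >= 4.7 no longer attach helpers automatically: bind the ftp helper
# to the control connection explicitly (needs the CT target, i.e. nf_conntrack).
-A PREROUTING -p tcp --dport ${port} -j CT --helper ftp
COMMIT
*filter
# Data connections (server's random PASV port, or replies to the server's
# active-mode connection from port 20) are RELATED/ESTABLISHED once the
# helper has parsed the control channel; this rule is what admits them.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# The control connection is the only port that must be opened statically.
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of '-A' rules the ruleset emits (sanity check before applying).
ftp_ruleset_rule_count() {
    ftp_ruleset "$1" | grep -c '^-A '
}

# Load the helper module and apply the ruleset. Must run as root.
# -n (--noflush) appends to existing chains instead of replacing them.
ftp_apply() {
    modprobe "$(ftp_conntrack_module)"
    ftp_ruleset "$FTP_PORT" | iptables-restore -n
}
```

To persist the helper across restarts on a Red Hat style system, keep the `IPTABLES_MODULES` line from the post in /etc/sysconfig/iptables-config and use the module name that `ftp_conntrack_module` prints; on a kernel that already has nf_conntrack_ftp loaded the raw-table CT rule is what makes the helper engage, so check `/proc/net/nf_conntrack` for an entry carrying `helper=ftp` after a client logs in.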
