  1. #1

    iptables, ctstate RELATED not working


    Hello, fellows,
    I'm trying to configure my Kali iptables for active and passive FTP.
    This is my script:

    Code:
    #!/bin/bash

    iz=eth0
    # first address reported by hostname -I (its output has a trailing space and may list several addresses)
    ip=$(hostname -I | awk '{print $1}')

    # flush rules and set DROP default policies
    iptables -F
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # accept loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # ports
    tcp_in=21
    tcp_out=20,21,22,80,443
    udp_out=53

    # allow starting NEW outbound connections
    iptables -A OUTPUT -o "$iz" -p tcp -m multiport --dports "$tcp_out" -m conntrack --ctstate NEW -j ACCEPT
    iptables -A OUTPUT -o "$iz" -p udp -m multiport --dports "$udp_out" -m conntrack --ctstate NEW -j ACCEPT

    # replies on established connections
    iptables -A INPUT -i "$iz" -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o "$iz" -p tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
    iptables -A INPUT -i "$iz" -p udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # allow incoming traffic to the FTP server
    iptables -A INPUT -i "$iz" -p tcp -m multiport --dports "$tcp_in" -m conntrack --ctstate NEW -j ACCEPT

    # allow active FTP (server opens the data connection from port 20)
    iptables -A OUTPUT -o "$iz" -p tcp -s "$ip" --sport 20 -m conntrack --ctstate RELATED -j ACCEPT

    # allow passive FTP (client connects to a high port on the server)
    iptables -A INPUT -i "$iz" -p tcp -s 0/0 --sport 1024:65535 -d "$ip" --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT

    Unfortunately it's not working.
    If I change the RELATED state to NEW, it works.
    Can somebody explain why RELATED is not working?
    I don't want to change to the NEW state because that means every INPUT connection from 1024:65535 would be allowed, or am I wrong???

  2. #2
    Segfault (Linux Guru):
    Does your kernel have NF_CONNTRACK_FTP enabled?
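Added example, not from the thread: the check and the rules that follow from Segfault's question. A data connection is only classified RELATED when the nf_conntrack_ftp helper is loaded and attached to the control connection, and since Linux 4.7 helpers are no longer assigned automatically, so the script binds the ftp helper explicitly with the CT target in the raw table. The function names and the eth0 interface are assumptions; ftp_helper_loaded takes /proc/modules text as an argument so it can be exercised on constructed input.

```bash
#!/bin/bash
# Added example: make FTP data connections match --ctstate RELATED.
# Assumes interface eth0 and a kernel that ships the nf_conntrack_ftp module.
set -eu

iz=eth0

# Return 0 if nf_conntrack_ftp appears in the given /proc/modules text
# (argument is for testing with constructed input; defaults to the live file).
ftp_helper_loaded() {
    local modules
    modules="${1:-$(cat /proc/modules 2>/dev/null || true)}"
    printf '%s\n' "$modules" | grep -q '^nf_conntrack_ftp '
}

# Print the rules instead of running them so they can be reviewed first.
# Helpers are not attached automatically on kernels since 4.7, so the CT
# target in the raw table binds the ftp helper to the control connection
# (port 21) for inbound (PREROUTING) and locally started (OUTPUT) sessions.
ftp_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -i $iz -p tcp --dport 21 -j CT --helper ftp
iptables -t raw -A OUTPUT -o $iz -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -i $iz -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $iz -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iz -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Load the helper if it is missing, then install the rules.
apply_ftp_rules() {
    ftp_helper_loaded "" || modprobe nf_conntrack_ftp
    ftp_rules | sh -e
}

# Run with --apply to install; with no argument the rules are only printed.
if [ "${1:-}" = "--apply" ]; then apply_ftp_rules; else ftp_rules; fi
```

With the helper attached, the RELATED match covers both the active-mode data connection from the server's port 20 and the passive-mode connection to a high port, so the wide 1024:65535 NEW rule the original post worried about is not needed.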
