[Gllug] ftp / iptables

Paul Brazier pbrazier at cosmos-uk.co.uk
Mon Oct 29 10:51:05 UTC 2001


> He's asking whether or not the server is doing a reverse lookup on the
> client (i.e., if 192.168.10.231 is the client machine trying to reach
> the ftp server, perhaps the server is trying to get the name of
> 192.168.10.231).

I'm getting confused with my servers and my clients. :)
But the server also has the client's details in its /etc/hosts so I
would have thought it would use this.
My server /etc/resolv.conf is set to look at hosts first, then use the
caching DNS that it runs.
I'm testing this isolated from the internet with just two machines that
know each other's IPs and names.
But I suppose when I do put it on a real server it will need to do
"real" DNS lookups so I should allow INPUT on port 53 (but only for
established connections?).

Actually that's something else I was wondering - on a standalone
web/ftp/ssh server do I need to run a local DNS or can I just use one
that's out there like Demon's ones or something?

> Sounds to me like you might be nuking DNS queries, and possibly ftp
> active mode too. Get rid of the DROP policy and put a DROP catch rule
> on the input chain. Make it log, and see what you're killing.

That's just a rule at the end of the INPUT chain that DROPs everything
and logs it?

Shouldn't this line deal with the ftp active mode?
$IPTABLES -A INPUT -i eth0 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

> Cheers,
> 					Alex.
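An added example, not part of the original thread and not Alex's or Paul's own script: a minimal stateful INPUT chain for a standalone web/ftp/ssh host that puts the logging "DROP catch rule" discussed above at the end of the chain. Two points it illustrates about the rules under discussion: a `-p tcp` rule never matches the UDP replies to the server's own DNS queries, so the ESTABLISHED,RELATED rule here is written without a protocol restriction; and FTP data connections are only classified as RELATED when the ftp connection-tracking helper (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp later) is loaded. The interface name eth0 and the set of services (ports 21, 22, 80) are assumptions; by default the script only prints the commands so the rule set can be reviewed, and it applies them only when run as root with IPTABLES=iptables and MODPROBE=modprobe.

```shell
#!/bin/sh
# Added example: stateful INPUT chain with a logging catch-all DROP.
# Dry run by default: commands are echoed rather than executed.
# To apply for real (as root): IPTABLES=iptables MODPROBE=modprobe sh firewall.sh
IPTABLES="${IPTABLES:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
IFACE="${IFACE:-eth0}"   # assumed external interface

# Load the FTP connection-tracking helper so that data connections
# (active and passive) are tracked as RELATED to the control connection.
load_ftp_helper() {
    # Old module name first (2.4-era kernels), newer name as fallback.
    $MODPROBE ip_conntrack_ftp || $MODPROBE nf_conntrack_ftp
}

build_rules() {
    # Always allow loopback.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Return traffic for connections this host opened (TCP and UDP, so
    # DNS replies to the server's own lookups get through) plus RELATED
    # traffic such as FTP data connections and ICMP errors.
    $IPTABLES -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services this host offers: new connections to ftp, ssh and http only.
    $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Catch-all at the end of the chain: log (rate-limited so a flood
    # cannot fill the logs), then drop. Anything that shows up in the
    # kernel log with this prefix is what the policy is killing.
    $IPTABLES -A INPUT -i "$IFACE" -m limit --limit 5/min -j LOG --log-prefix INPUT-DROP:
    $IPTABLES -A INPUT -i "$IFACE" -j DROP
}

# Number of LOG rules in the generated set; used as a sanity check.
count_log_rules() {
    build_rules | grep -c -- '-j LOG'
}

# Last rule in the chain; must be the DROP so nothing slips past the log.
last_rule() {
    build_rules | tail -n 1
}

main() {
    load_ftp_helper
    build_rules
    # After applying for real, review what is being dropped with:
    #   dmesg | grep INPUT-DROP:
}

# Only run when executed directly, not when sourced for testing.
case "$0" in
    *firewall.sh) main ;;
esac
```

With the default dry run the script prints the iptables commands; the expected order is loopback, the stateful rule, the three service rules, then LOG and DROP. Note that a DROP policy on OUTPUT would also need a matching ESTABLISHED,RELATED rule there, otherwise the server's own DNS queries and its active-mode data connections from port 20 never leave the host.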




-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug