Article title: Using a stateful firewall to implement FTP functions.
First, a distinction needs to be made: FTP traffic can leave the network either through an HTTP proxy, or through port forwarding on a SOCKS proxy or firewall. FTP that goes out through an HTTP proxy is actually handled by the HTTP proxy program itself. For example, Squid, the most common HTTP/HTTPS proxy, can also proxy FTP requests: when you open a browser and log on to an FTP site, it is the HTTP proxy program that handles the FTP session. Some programs can only be configured for a SOCKS or firewall proxy, such as CuteFTP, wu-ftp and the FTP client under DOS. That type of proxy is the standard FTP proxy.
This article assumes some familiarity with netfilter and describes how to use its stateful (connection-tracking) features to pass FTP through a firewall on the Linux 2.4 kernel.
System environment:
Linux 7.2, with iptables and Squid installed, and two NICs:
eth0: x.x, connected to the Internet
eth1: 192.168.0.1, connected to the intranet
For the stateful functions, three modules matter:
The ip_conntrack module enables the firewall to track connections (enter "cat /proc/net/ip_conntrack" to view the active network connections your machine participates in). Once this module is loaded, the return packets of basically all stateful protocols can be recognized, such as telnet, http, QQ, mail, ping and DNS.
In fact, with only ip_conntrack loaded you can log on to an FTP server and use commands such as pwd and cd, but when ls is used to display the file list, a timeout occurs. The reason is that the firewall cannot recognize the packets that carry the file listing, so they fall under the default policy and are dropped. In this case you need to load the ip_conntrack_ftp module.
The ip_conntrack_ftp module enables the firewall to recognize the special FTP return packets.
If the firewall masquerades all outgoing packets, the ip_nat_ftp module also needs to be loaded. When packets are masqueraded, ip_nat_ftp must be loaded; otherwise the firewall cannot know where to forward the returned packets.
# Define the policy * defines the default rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
Masquerade all packets going out of the LAN
# Accept lan use ftp * allows all LAN users to use FTP
iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p tcp --dport 20 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p udp --dport 20 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p udp --dport 21 -j ACCEPT
Open FTP ports 20 and 21
# Accept come back packets from INTERNET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow stateful response packets to be forwarded
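The module loading and the rule set above, collected into one reviewable script, as an added example that is not part of the original article. It assumes the same addresses and interface names as the article (192.168.0.0/24 behind eth1, eth0 towards the Internet); the module list, the dry-run mode and the modules_missing helper are this example's own additions, and the UDP rules are omitted because FTP runs over TCP only.

```shell
#!/bin/sh
# Added example (not from the original article): firewall script for the setup
# described above. "sh ftp-fw.sh" only prints the commands (dry run) so they can
# be reviewed; "sh ftp-fw.sh apply" runs them (needs root on a 2.4 kernel with
# the ip_conntrack* modules available).
set -e

LAN_NET="192.168.0.0/24"   # assumed, as in the article
WAN_IF="eth0"              # Internet-facing interface
LAN_IF="eth1"              # 192.168.0.1, intranet side

# Modules in dependency order: ip_conntrack_ftp builds on ip_conntrack, and
# ip_nat_ftp builds on ip_conntrack_ftp plus the NAT table (iptable_nat).
CONNTRACK_MODULES="ip_conntrack ip_conntrack_ftp iptable_nat ip_nat_ftp"

# Print one modprobe command per module.
load_modules() {
    for m in $CONNTRACK_MODULES; do
        echo "modprobe $m"
    done
}

# Print one iptables command per line. Everything goes through here so the
# same list can be inspected (dry run) or executed (apply).
ftp_rules() {
    # Default policies: drop what is not explicitly allowed; the firewall's
    # own outbound traffic is accepted.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Masquerade everything leaving the LAN through the Internet interface.
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    # FTP control connection (21) and active-mode data connection (20) from
    # the LAN. FTP is TCP only, so no UDP rules are needed.
    for port in 20 21; do
        echo "iptables -A FORWARD -s $LAN_NET -i $LAN_IF -p tcp --dport $port -j ACCEPT"
    done
    # Replies (ESTABLISHED) and the data connections that ip_conntrack_ftp
    # marks as RELATED are forwarded; without the helper, RELATED never
    # matches the data connection and "ls" times out.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Diagnostic: print the modules from CONNTRACK_MODULES that do not appear in
# the module list read from stdin (normally: modules_missing < /proc/modules,
# whose first field is the module name).
modules_missing() {
    loaded=$(cat)
    for m in $CONNTRACK_MODULES; do
        echo "$loaded" | awk -v mod="$m" '$1 == mod { found = 1 } END { exit !found }' \
            || echo "$m"
    done
}

# Execute each line read from stdin, or just print it when DRY_RUN=1.
run_lines() {
    while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;
esac
{ load_modules; ftp_rules; } | run_lines
```

Run it without arguments first and read the printed commands; then `modules_missing < /proc/modules` is the first check to make when login and cd work but a directory listing hangs, since that is exactly the symptom of a missing ip_conntrack_ftp (or, behind masquerading, ip_nat_ftp).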
For more information about netfilter connection states, see the following excellent article:
http://www.linuxeden.com/edu/doctext.php?docid=1627