Using stateful firewalls in Linux to implement FTP functions

Source: Internet
Author: User
Tags: ftp, ftp site, iptables, firewall, linux

First, the concepts need to be clear: FTP can be used through an HTTP proxy, through a SOCKS proxy, or through port forwarding opened on the firewall. FTP through an HTTP proxy really uses the HTTP proxy: squid, the most commonly used one, is an HTTP/HTTPS proxy, but it can also proxy FTP requests. When you open a browser and log in to an FTP site, the HTTP proxy handles the FTP access. Some programs can only be configured with a SOCKS or firewall proxy, such as CuteFTP, WU-FTP and FTP under DOS; the proxy for this class of program is the standard FTP proxy.

This article assumes a basic understanding of netfilter and introduces how to use the stateful (connection tracking) features of netfilter in the Linux 2.4 kernel to let FTP work through the firewall.

System environment:

Linux 7.2, with iptables and squid installed, and two network cards:

eth0: x.x.x.x, connected to the Internet,

eth1: 192.168.0.1, connected to the intranet.

Firewall related rules:

  ## load the firewall modules
  modprobe ip_tables
  insmod ip_conntrack
  insmod ip_conntrack_ftp
  insmod ip_nat_ftp

For the stateful functions the focus is on the last three modules. The ip_conntrack module gives the firewall connection tracking: with it loaded, "cat /proc/net/ip_conntrack" lists the active connections the machine is participating in. Once this module is loaded, the return packets of almost all stateful protocols can be identified, for example telnet, HTTP, QQ, mail, ping and DNS.

In fact, with only the ip_conntrack module loaded, FTP can already log in and commands such as PWD and CD work, but the LS command, which lists the directory contents, times out. The reason is that the firewall does not recognize the packets of the data connection that carries the file list, so they fall into the default policy, DROP; the ip_conntrack_ftp module must be loaded.

The ip_conntrack_ftp module lets the firewall recognize the FTP-specific return packets. If the returned packets are also masqueraded on the firewall, the ip_nat_ftp module must be loaded as well: whenever masquerading is in use, ip_nat_ftp is required, otherwise the firewall does not know where to forward the returned packets.

  ## Define the default policy
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  # MASQUERADE
  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

All packets leaving the LAN are masqueraded.

  # accept LAN use of FTP (allow all LAN users to use FTP)
  iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p tcp --dport 20 -j ACCEPT
  iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p tcp --dport 21 -j ACCEPT
  iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p udp --dport 20 -j ACCEPT
  iptables -A FORWARD -s 192.168.0.0/24 -i eth1 -p udp --dport 21 -j ACCEPT
  # open FTP ports 20 and 21

  # accept packets coming back from the INTERNET
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

This forwards the return packets of tracked connections (ESTABLISHED) and the FTP data connections that the helper has identified (RELATED).
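To make the LS timeout described above concrete, here is an added example (not code from the original article) that models the FORWARD chain above under connection tracking, once without and once with the FTP helper. The addresses 192.168.0.10 (LAN client) and 203.0.113.5 (Internet FTP server), the port numbers and the FTP messages are constructed; the model ignores NAT, so it shows what ip_conntrack and ip_conntrack_ftp do for the verdicts, not the address rewriting that ip_nat_ftp adds.

```python
"""Toy model of the article's FORWARD rules under netfilter connection
tracking, with and without the FTP helper (ip_conntrack_ftp).  Added example;
the real kernel modules work differently inside, this only reproduces the
observable verdicts.  Addresses, ports and FTP messages are constructed."""
import ipaddress
import re
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.0.0/24")

# What the FTP helper looks for on the port-21 control stream.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class ConnTracker:
    """Minimal ip_conntrack: remembers accepted flows and, when the FTP helper
    is on, the data connections announced on the control channel."""

    def __init__(self, ftp_helper: bool):
        self.ftp_helper = ftp_helper
        self.flows = set()      # each flow is the frozenset of its two endpoints
        self.expected = set()   # (src_ip, dst_ip, dst_port) of expected RELATED flows

    @staticmethod
    def _flow(p: Packet):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p: Packet) -> str:
        if self._flow(p) in self.flows:
            return "ESTABLISHED"
        if (p.src, p.dst, p.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def track(self, p: Packet) -> None:
        """Record an accepted packet's flow and let the helper read the control channel."""
        self.flows.add(self._flow(p))
        self.expected.discard((p.src, p.dst, p.dport))
        if self.ftp_helper and 21 in (p.sport, p.dport):
            self._ftp_helper(p)

    def _ftp_helper(self, p: Packet) -> None:
        # PORT (active): the server will connect from port 20 to the announced client port.
        # 227 (passive): the client will connect to the announced server port.
        # In both cases the peer of this packet (p.dst) opens the data connection.
        m = PORT_RE.match(p.payload) or PASV_RE.match(p.payload)
        if m:
            host = ".".join(m.group(i) for i in range(1, 5))
            port = int(m.group(5)) * 256 + int(m.group(6))
            self.expected.add((p.dst, host, port))


def forward(tracker: ConnTracker, p: Packet) -> str:
    """The article's FORWARD chain: LAN -> tcp/20,21 ACCEPT;
    ESTABLISHED,RELATED ACCEPT; policy DROP."""
    verdict = "DROP"
    if ipaddress.ip_address(p.src) in LAN and p.dport in (20, 21):
        verdict = "ACCEPT"
    elif tracker.state(p) in ("ESTABLISHED", "RELATED"):
        verdict = "ACCEPT"
    if verdict == "ACCEPT":
        tracker.track(p)
    return verdict


CLIENT, SERVER = "192.168.0.10", "203.0.113.5"   # constructed addresses


def passive_ls(ftp_helper: bool) -> list:
    """Login, PASV, then the data connection LS needs; returns the verdicts."""
    t = ConnTracker(ftp_helper)
    pkts = [
        Packet(CLIENT, 1025, SERVER, 21),                        # control channel SYN
        Packet(SERVER, 21, CLIENT, 1025, "220 ftp ready"),       # banner, ESTABLISHED
        Packet(CLIENT, 1025, SERVER, 21, "PASV"),
        Packet(SERVER, 21, CLIENT, 1025,
               "227 Entering Passive Mode (203,0,113,5,195,149)"),  # 195*256+149 = 50069
        Packet(CLIENT, 1026, SERVER, 50069),                     # LS data connection SYN
    ]
    return [forward(t, p) for p in pkts]


def active_ls(ftp_helper: bool) -> list:
    """Login, PORT, then the server's connection back; returns the verdicts."""
    t = ConnTracker(ftp_helper)
    pkts = [
        Packet(CLIENT, 1025, SERVER, 21),
        Packet(SERVER, 21, CLIENT, 1025, "220 ftp ready"),
        Packet(CLIENT, 1025, SERVER, 21, "PORT 192,168,0,10,4,2"),  # client port 1026
        Packet(SERVER, 20, CLIENT, 1026),                            # server connects back
    ]
    return [forward(t, p) for p in pkts]


if __name__ == "__main__":
    for mode in (passive_ls, active_ls):
        print(mode.__name__, "without helper:", mode(False)[-1], "with helper:", mode(True)[-1])
```

Without the helper the last packet of each scenario is NEW and, since its destination port is neither 20 nor 21 (passive) or its source is not on the LAN (active), it hits the DROP policy, which is exactly the LS timeout; with the helper the same packet is RELATED and the ESTABLISHED,RELATED rule forwards it. The control channel itself is accepted in both cases, which is why login, PWD and CD keep working.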

For more on netfilter, consult the relevant documentation.
