Connected to XXX.XXX.XXX.XXX
220 Microsoft FTP Service
User (XXX.XX.XXX.XXX:(none)): user-name
331 Password required for user-name
Password:
230 User user-name logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.
A PORT command is again issued, but this time it is from the server to the client. The client connects to the server for data transfer. Since the connection is in the same sense as the original ftp connection, passive ftp is inherently more secure than active ftp, but note that this time we know even less about the port numbers. Now we have a connection between almost arbitrary port numbers.
Enter the ip_conntrack_ftp module once more. Again, this module is able to recognize the PORT command and pick-out the port number. Instead of NEW in the state match for the OUTPUT chain, we can use RELATED. The following rules will suffice:
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
--
No comments:
Post a Comment