IPCOP config Firewall + FTP passif

Dorian Gray -  
 kiki -
Bonjour,

Malgré mes différentes recherches sur la toile, je n'arrive pas à configurer mon script Netfilter afin qu'il laisse passer les utilisateurs (du LAN vert) qui souhaitent accéder à un serveur FTP (que je n'administre pas) qui est configuré pour se connecter en mode FTP passif.

voici une partie de mon script ainsi que l'état des modules lancés

# FTP connection-tracking helpers, loaded in this order:
#   ip_conntrack_ftp  - parses the FTP control channel (port 21 unless the
#                       module's `ports=` parameter says otherwise) so that the
#                       data connection is classified RELATED by the state match.
#   ip_nat_ftp        - rewrites the addresses carried in PORT/PASV exchanges
#                       when the control channel is NATed.
# NOTE(review): a server that listens on a non-standard control port is not
# tracked unless that port is passed via `ports=` — confirm the target server.
for helper in ip_conntrack_ftp ip_nat_ftp; do
    modprobe "$helper"
done


# Interface roles (IPCop naming: red = Internet side, green = LAN, blue = wireless).
red="eth2"
green="eth0"
blue="eth1"   # not referenced by the rules visible in this excerpt

#Protocoles
# Comma-separated port lists consumed by `-m multiport --dports` (at most 15
# ports per match). Values are the author's; annotations below are for review.
http="80,81,8080"
https="443"
ftp="20,21"              # 21 = control, 20 = active-mode data; passive data uses high ports
ftps="989"               # NOTE(review): 989 is ftps-data; the control port is 990 — confirm intent
pop="110"
imap="143,220"
imaps="993"
smtp="25,2525"
time="123,37,119"        # NOTE(review): 123 = NTP (UDP), 37 = TIME, 119 = NNTP — verify this grouping
pxe="67"
snmp="161"
epmap="135"
isakmp="500"
ldap="389,636,3268,3269"
dns="53"
cifs="445,901"
kerberos="88"
wins="1512,42"



# GREEN -> RED
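# GREEN -> RED
# Default for LAN -> Internet forwarding is DROP. It is appended (-A) so it sits
# last; every ACCEPT below is inserted (-I) at the head of the chain and therefore
# ends up ahead of it. Because -I prepends, the ACCEPTs appear in the chain in the
# reverse of file order; that is harmless since they are all ACCEPT.
iptables -A CUSTOMFORWARD -i $green -o $red -j DROP
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $http,$https -j ACCEPT
# FTP control (21) and active-mode data (20), plus the configured FTPS port.
# Passive-mode data connections go to a server-chosen high port; they are not
# listed here but are accepted by the ESTABLISHED,RELATED rule below, provided
# ip_conntrack_ftp is loaded and the server's control port is one it tracks.
# FTP is TCP-only, so the former matching UDP rule was dropped (least privilege).
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $ftp,$ftps -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $pop,$imap,$imaps,$smtp -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p tcp -m multiport --dports $time -j ACCEPT
# Removed: `iptables -I CUSTOMFORWARD --protocol tcp --destination-port $ftp -j ACCEPT`.
# `--destination-port` takes a single port or a range, not the comma list in $ftp,
# so the command fails to parse; and it carried no -i/-o, so had it loaded it would
# have accepted forwarded FTP between *any* pair of interfaces, not just green->red.
# The green->red FTP rule above already covers the intended case.
# Stateful rule: deliberately not limited to green->red, because it also carries
# the red->green return traffic and the conntrack-tracked (RELATED) FTP data channel.
iptables -I CUSTOMFORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I CUSTOMFORWARD -i $green -o $red -p icmp -j ACCEPT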

......


Liste des modules lancés

Module                  Size  Used by    Not tainted
ipt_REDIRECT             696   1  (autoclean)
ipsec_twofish          35332   0  (unused)
ipsec_sha2              7800   0  (unused)
ipsec_sha1             18488   2
ipsec_serpent          11076   0  (unused)
ipsec_md5               4440   0  (unused)
ipsec_cast             15748   0  (unused)
ipsec_blowfish          8420   0  (unused)
ipsec_aes              31624   2
ipsec_3des             17052   0  (unused)
ipsec                 255300   2  [ipsec_twofish ipsec_sha2 ipsec_sha1 ipsec_serpent ipsec_md5 ipsec_cast ipsec_blowfish ipsec_aes ipsec_3des]
ipt_MASQUERADE          1272   1  (autoclean)
ipt_multiport            600  12  (autoclean)
ip_nat_ftp              2448   0  (unused)
ip_conntrack_ftp        3568   1
ipt_mark                 440   2  (autoclean)
ipt_TCPMSS              2168   1  (autoclean)
ipt_state                504  16  (autoclean)
ipt_REJECT              2968   1  (autoclean)
ipt_LOG                 3616   9  (autoclean)
ipt_limit                792   9  (autoclean)
iptable_mangle          2008   1  (autoclean)
iptable_filter          1612   1  (autoclean)
8139too                13128   3
mii                     2112   0  [8139too]
crc32                   2880   0  [8139too]
ip_nat_quake3           1800   0  (unused)
ip_conntrack_quake3     1896   1
ip_nat_proto_gre        1092   0  (unused)
ip_nat_pptp             2148   0  (unused)
ip_conntrack_pptp       2601   1
ip_conntrack_proto_gre    1973   0  [ip_nat_pptp ip_conntrack_pptp]
ip_nat_mms              2672   0  (unused)
ip_conntrack_mms        2832   1
ip_nat_irc              1968   0  (unused)
ip_conntrack_irc        2768   1
ip_nat_h323             2372   0  (unused)
ip_conntrack_h323       2153   1
iptable_nat            15878   8  [ipt_REDIRECT ipt_MASQUERADE ip_nat_ftp ip_nat_quake3 ip_nat_proto_gre ip_nat_pptp ip_nat_mms ip_nat_irc ip_nat_h323]
ip_conntrack           18928   7  [ipt_REDIRECT ipt_MASQUERADE ip_nat_ftp ip_conntrack_ftp ipt_state ip_nat_quake3 ip_conntrack_quake3 ip_nat_pptp ip_conntrack_pptp ip_conntrack_proto_gre ip_nat_mms ip_conntrack_mms ip_nat_irc ip_conntrack_irc ip_nat_h323 ip_conntrack_h323 iptable_nat]
ip_tables              10976  14  [ipt_REDIRECT ipt_MASQUERADE ipt_multiport ipt_mark ipt_TCPMSS ipt_state ipt_REJECT ipt_LOG ipt_limit iptable_mangle iptable_filter iptable_nat]
acm                     5120   0  (unused)
keybdev                 1764   0  (unused)
hid                    19908   0  (unused)
input                   3104   0  [keybdev hid]
sd_mod                 10284   0  (unused)
usb-storage            24624   0  (unused)
scsi_mod               52920   1  [sd_mod usb-storage]
usb-uhci               20528   0  (unused)
usbcore                56236   1  [acm hid usb-storage usb-uhci]
apm                     8644   0

kiki
 
C'est un peu du chinois pour moi...

Mais là, il y a des exemples à comparer :

http://memoire-grise-liberee.fr.eu.org/IpTables/FAQ/ftp_actif/
http://memoire-grise-liberee.fr.eu.org/IpTables/FAQ/ftp_passif/