Opening the firewall for passive-mode FTP:
1. Load the FTP connection-tracking helper module (the module that lets the data connection be matched as RELATED)
Load the nf_conntrack_ftp module:
[root@node2 netfilter]# modprobe nf_conntrack_ftp
View the module information:
[root@node2 netfilter]# modinfo nf_conntrack_ftp
filename: /lib/modules/2.6.32-696.el6.x86_64/kernel/net/netfilter/nf_conntrack_ftp.ko
alias: nfct-helper-ftp
alias: ip_conntrack_ftp
description: ftp connection tracking helper
author: Rusty Russell <rusty@rustcorp.com.au>
license: GPL
srcversion: C71BEA8280D7366FB6AFF35
depends: nf_conntrack
vermagic: 2.6.32-696.el6.x86_64 SMP mod_unload modversions
parm: ports:array of ushort
parm: loose:bool
View the modules currently loaded on the system:
[root@node2 netfilter]# lsmod
Module Size Used by
nf_conntrack_ftp 12049 0
xt_multiport 2764 1
nf_conntrack_ipv4 9186 9
nf_defrag_ipv4 1483 1 nf_conntrack_ipv4
iptable_filter 2793 1
ip_tables 17895 1 iptable_filter
xt_limit 2118 0
ipt_REJECT 2383
2. Allow the request packets of the control connection:
Control connection: NEW, ESTABLISHED
Data connection: RELATED, ESTABLISHED
iptables -A INPUT -d 192.168.0.3 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -d 192.168.0.3 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
3. Allow the response packets:
ESTABLISHED
iptables -A OUTPUT -s 192.168.0.3 -p tcp -m state --state ESTABLISHED -j ACCEPT
Configuration:
Modify the INPUT matching rule: allow NEW (ESTABLISHED is already covered by the first rule)
[root@node2 ~]# iptables -R INPUT 2 -d 192.168.0.3 -p tcp -m multiport --dports 21,22,80 -m state --state NEW -j ACCEPT
Add RELATED to the rule on the INPUT chain:
[root@node2 ~]# iptables -R INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@node2 ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 192.168.0.3 multiport dports 21,22,80 state NEW
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
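The RELATED rule above only works because the nf_conntrack_ftp helper reads the server's PASV reply on port 21 and registers an expectation for the data connection. The following Python model of that decision is an added example, not the kernel code or anything from the original post; the client address 192.168.0.10 and the two 227 replies are constructed, and the `loose` flag mirrors the module parameter shown in the modinfo output.

```python
import re
from dataclasses import dataclass

# Server PASV reply, e.g. "227 Entering Passive Mode (192,168,0,3,195,80)":
# four host octets followed by the data port split as p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

@dataclass(frozen=True)
class Expectation:
    """A data connection the tracker will mark RELATED: client -> server_ip:port over TCP."""
    client_ip: str
    server_ip: str
    port: int

def parse_pasv(reply: str):
    """Return (ip, port) advertised by a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def expect_from_reply(client_ip, server_ip, reply, loose=False):
    """Model of the helper's decision for one control-channel reply: an expectation is
    created only if the advertised address is the control connection's server address;
    loose=1 tolerates a mismatch, letting the FTP server open a RELATED hole to another host."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != server_ip and not loose:
        return None
    return Expectation(client_ip, ip, port)

def classify_syn(expectations, src_ip, dst_ip, dst_port):
    """State the '-m state' match would see for an inbound TCP SYN towards the server."""
    if Expectation(src_ip, dst_ip, dst_port) in expectations:
        return "RELATED"  # accepted by the RELATED,ESTABLISHED rule
    return "NEW"          # only ports 21,22,80 accept NEW; anything else hits policy DROP

if __name__ == "__main__":
    # Constructed sample: client 192.168.0.10 talks to the server 192.168.0.3 from the page.
    client, server = "192.168.0.10", "192.168.0.3"
    good = "227 Entering Passive Mode (192,168,0,3,195,80)"    # legitimate, port 50000
    spoofed = "227 Entering Passive Mode (10,0,0,5,195,80)"    # points at a different host
    exps = {e for e in (expect_from_reply(client, server, r) for r in (good, spoofed)) if e}
    print(exps, classify_syn(exps, client, server, 50000), classify_syn(exps, client, server, 50001))
```

With the default loose=0 the spoofed reply yields no expectation, so a SYN to 10.0.0.5 stays NEW and is dropped by the policy, which is the behaviour to keep when running this helper in front of a DMZ.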