Tracking FTP Connections
FTP transfers show the power of connection tracking.
We can easily access a remote FTP service,
and its control-channel:
iptables -A OUTPUT -p tcp --dport 21 -m state \
--state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state \
--state ESTABLISHED -j ACCEPT
But that is not the whole story:
we must also permit seemingly 'random' inbound connections to our FTP client's
data-port as well.
Our FTP client sends its temporary port number over the FTP control-channel
via a PORT command to the remote FTP server,
which then connects from its port 20 to our specified port to send data,
such as a file, or the output from a DIR request.
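An added example (not from the lecture) of what a connection-tracking FTP helper does with that PORT command: it parses the address and port the client announced, checks the address really is the client side of the control connection, and then lets the server's connection from port 20 to that port through as RELATED rather than NEW. The helper logic, the addresses and the packets are constructed for illustration.

```python
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 : client IPv4 address, then data port = p1*256 + p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")


@dataclass(frozen=True)
class Expectation:
    """A RELATED connection the helper expects: server:20 -> client:data_port."""
    server_ip: str
    client_ip: str
    data_port: int


def parse_port_command(line, control_client_ip, server_ip):
    """Turn a PORT command seen on the control channel into an expectation.

    Returns None for a malformed command, or when the announced address is
    not the client end of the control connection: opening a hole towards
    some third host on the client's say-so is exactly what a firewall must
    not do, so that mismatch is refused rather than honoured.
    """
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(x > 255 for x in octets):
        return None
    ip = ".".join(str(x) for x in octets[:4])
    if ip != control_client_ip:
        return None
    return Expectation(server_ip, control_client_ip, octets[4] * 256 + octets[5])


def classify_inbound_syn(src_ip, src_port, dst_ip, dst_port, expectations):
    """Classify a new inbound TCP SYN: RELATED if it matches an expectation, else NEW."""
    for e in expectations:
        if (src_ip, src_port, dst_ip, dst_port) == (e.server_ip, 20, e.client_ip, e.data_port):
            return "RELATED"
    return "NEW"


if __name__ == "__main__":
    # Constructed control connection: client 192.0.2.10 -> server 198.51.100.5:21
    client, server = "192.0.2.10", "198.51.100.5"
    exp = parse_port_command("PORT 192,0,2,10,4,1\r", client, server)   # data port 1025
    print(exp)
    print(classify_inbound_syn(server, 20, client, 1025, [exp]))       # RELATED: accepted
    print(classify_inbound_syn(server, 20, client, 1026, [exp]))       # NEW: hits INPUT policy
    print(parse_port_command("PORT 203,0,113,7,4,1", client, server))  # None: address mismatch
```

With the Linux kernel's own FTP helper (nf_conntrack_ftp) loaded, this is why an INPUT rule matching `--state ESTABLISHED,RELATED` admits the data connection without any static rule for the temporary port.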
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p29, 15th May 2024.