2

Basic traffic statistics with iptables are easy. One creates a rule with no target, e.g.

iptables -I INPUT -p tcp --dport 80

Then, e.g. after uploading some data via http, one can read the counters with

iptables -L INPUT -n -v

Is it possible to track incoming and outgoing FTP traffic by means of such iptables rules?

I tried the usual rules to allow FTP traffic, to be used with the ip_conntrack_ftp kernel module:

iptables -I INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 21

But apparently, iptables here only counts control connections.

xebeche
  • 363
  • 3
  • 13

1 Answers1

0

You can only track if the client is using active mode, where the server will connect to client's port 20 tcp to deliver data.

If the client uses passive mode, which most do, the server sends PASV command to the client telling it the IP and port to connect to on the server. Because the port is random, you won't be able to distinguish the traffic and get statistics.

Another way is to use a module like OpenDPI with OpenDPI-netfilter or L7-Filter to inspect layer7 traffic and decode PORT/PASV commands.

Or, if you control the ftp server, you could configure the data ports to a limited range and track those then.

FoamyBeer
  • 371
  • 1
  • 5