ftp issue cont.

Derick Anderson danderson at vikus.com
Fri Aug 12 19:44:00 CEST 2005


FTP passive mode creates an entirely new connection for data transfer.
It is not 'related' to the original connection and so iptables doesn't
pick it up as such (nor do any other stateful firewalls that I'm aware
of). The connection works something like this:

1. Client connects to FTP server on port 21 and requests PASV mode.
2. Server replies with the port that the client should use (e.g., 50100).
3. Client makes NEW connection on the passive port (50100).
4. Server transfers information using the new connection.

This is why (I think...) stateful firewalls don't pick up passive
connections: they are initiated by the client, not the server.

You know you have to open ports 21 and 20 (for non-passive connections)
inbound to your FTP server. I didn't see that in your rules either, but
since you can log in to the server, etc., I can only assume it works. You
will have to check your FTP server's documentation on which ports it
uses in PASV (passive) mode. These ports are always above 1023 (1024:).
I will give you an example:

Suppose your FTP server uses ports 50100 to 50200 for passive
connections. You will need to add an iptables rule such as

$IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 50100:50200 -j ACCEPT

into your firewall ruleset, assuming your FTP server is not on the
firewall and you've taken care of DNATing. If you want to be lazy you
can always do this:

$IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 1024: -j ACCEPT

The above rule should work right away, provided the rest of your
firewall is in order. For anything else I suggest reviewing the HOW-TOs
on www.netfilter.org. A Google search will probably provide you with the
specific ports for your FTP server, and any server worth the download
will let you change what those ports are.

Hope that helps.

Derick

-----Original Message-----
From: netfilter-bounces at lists.netfilter.org
[mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of
varun_saa at vsnl.net
Sent: Friday, August 12, 2005 12:52 PM
To: netfilter at lists.netfilter.org
Subject: ftp issue cont.

Make sure you've opened up whichever unprivileged passive ports your FTP
server uses. Passive FTP connections are seen as new by stateful
firewalls, not related to the original control connection.

Derick Anderson

Thanks Derick,
But I am not very clear about FTP.
So I will appreciate details.

Thanks

Varun

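A worked version of the rules and the PASV exchange that Derick's reply above describes, as an added example that is not part of the original thread or of any netfilter project code: a POSIX shell script that prints (dry run) the FORWARD rules for a NATed FTP server whose passive range is 50100-50200, and parses a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply to check that the port it names (p1*256 + p2) falls inside the range those rules open. The server address 192.0.2.10, the range, the sample reply and the function names are this example's own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): FORWARD rules for a NATed FTP server and a
# check of the server's PASV reply against the passive range those rules open.
# All addresses, ports and the sample reply below are constructed placeholders.

FTP_IP="${FTP_IP:-192.0.2.10}"   # internal address of the FTP server (assumed; already DNATed)
PASV_LO="${PASV_LO:-50100}"      # first port of the server's configured passive range (assumed)
PASV_HI="${PASV_HI:-50200}"      # last port of that range (assumed)
# Dry run by default: the rules are printed, not loaded. Run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# Print the FORWARD rules an FTP server behind the firewall needs.
ftp_forward_rules() {
    # Replies on any connection the firewall already knows about.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Control connection: client -> server port 21.
    $IPT -A FORWARD -p tcp -d "$FTP_IP" --dport 21 -m state --state NEW -j ACCEPT
    # Active (PORT) mode: the server opens the data connection itself, from its port 20 to the client.
    $IPT -A FORWARD -p tcp -s "$FTP_IP" --sport 20 -m state --state NEW -j ACCEPT
    # Passive (PASV) mode: the client opens a brand-new connection to a port in the passive range.
    $IPT -A FORWARD -p tcp -d "$FTP_IP" --dport "$PASV_LO:$PASV_HI" -m state --state NEW -j ACCEPT
}

# Print the data port encoded in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
# The port is p1*256 + p2; the four h fields are the address the client must connect to.
# Returns 1 when the text is not a 227 reply carrying six numeric fields.
pasv_port() {
    case "$1" in
        227*) ;;
        *) return 1 ;;
    esac
    fields=$(printf '%s\n' "$1" | sed -n \
        's/.*(\([0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\},[0-9]\{1,3\})\).*/\1/p' \
        | tr -d ')')
    [ -n "$fields" ] || return 1
    p1=$(printf '%s\n' "$fields" | cut -d, -f5)
    p2=$(printf '%s\n' "$fields" | cut -d, -f6)
    echo $((p1 * 256 + p2))
}

# Exit 0 when the port named in a PASV reply lies inside the range the rules open,
# 1 otherwise: a port outside it is a data connection the FORWARD chain will not accept.
pasv_port_allowed() {
    port=$(pasv_port "$1") || return 1
    if [ "$port" -ge "$PASV_LO" ] && [ "$port" -le "$PASV_HI" ]; then
        return 0
    fi
    return 1
}

# Constructed sample reply (not a capture): server 192.0.2.10 offering 195*256 + 180 = 50100.
SAMPLE_REPLY='227 Entering Passive Mode (192,0,2,10,195,180)'

ftp_forward_rules
echo "PASV reply names port $(pasv_port "$SAMPLE_REPLY")"
if pasv_port_allowed "$SAMPLE_REPLY"; then
    echo "inside $PASV_LO:$PASV_HI, the data connection will be accepted"
else
    echo "outside $PASV_LO:$PASV_HI, the data connection will be dropped"
fi
```

Run it as-is to see the rules it would load; run it with `IPT=iptables` (as root) to load them. One caveat worth knowing before opening a port range at all: netfilter's FTP connection-tracking helper (`ip_conntrack_ftp` on 2.4/2.6 kernels of that era, `nf_conntrack_ftp` today) reads the PASV reply on the control connection and marks the resulting data connection RELATED, so with that module loaded the `ESTABLISHED,RELATED` rule alone covers passive transfers; the explicit range rule is for setups where the helper is not in use (or where the control channel is encrypted and the helper cannot read it).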



