ftp issue cont.

varun_saa at vsnl.net varun_saa at vsnl.net
Mon Aug 15 08:14:38 CEST 2005

Thanks a lot Derick, I learnt a few details. 
" -A FORWARD -p tcp -d your.ftp.ip.address --dport 1024: -j ACCEPT " 
Did not seem to work. 
I have a few more details for you. 
WAN -----> eth0 - FC4 server - eth1 -----------> clients ( 24 ) 
FC4 server is only for sharing internet , mails, etc for clients system. 
I do not run any ftp server on my FC4 server. 
My ftp server is on windows 2000 advanced server run by our 
friend in US. 
From my FC4 server I am able to connect to " ftp.sriaurobindoashram.com " 
with " passive files transfer " - unchecked in gftp. 
Using " passive files transfer " - checked in gftp it connects and stops at 
receiving file names. 
So I guess Win2k server does not support passive mode. And we 
need to concentrate on non-passive mode. 
Now on the client systems with " passive files transfer " - unchecked in gftp. 
I get the following error : 
Looking up ftp.sriaurobindoashram.com 
Trying www.sriaurobindoashram.com:21 
Connected to ftp.sriaurobindoashram.com:21 
220 ns1 Microsoft FTP Service (Version 5.0). 
USER xxxxxxxx 
331 Password required for xxxxxxxx. 
PASS xxxx 
230 User xxxxxxxx logged in. 
215 Windows_NT version 5.0 
200 Type set to I. 
257 "/xxxxxxxxx" is current directory. 
Loading directory listing /xxxxxxxx from server (LC_TIME=en_US) 
PORT 192,168,0,253,4,3 
500 Invalid PORT Command. 
Invalid response '5' received from server. 
Disconnecting from site ftp.sriaurobindoashram.com 
So what does that suggest? 
----- Original Message ----- 
From: Derick Anderson <danderson at vikus.com> 
Date: Friday, August 12, 2005 11:14 pm 
Subject: RE: ftp issue cont. 
> FTP passive mode creates an entirely new connection for data transfer. 
> It is not 'related' to the original connection and so iptables doesn't 
> pick it up as such (nor do any other stateful firewalls that I'm aware 
> of). The connection works something like this: 
> 1. Client connects to FTP server on port 21 and requests PASV mode. 
> 2. Server replies with the port that client should use (e.g., 50100). 
> 3. Client makes NEW connection on the passive port (50100). 
> 4. Server transfers information using the new connection. 
> This is why (I think...) stateful firewalls don't pick up passive 
> connections: they are initiated by the client, not the server. 
> You know you have to open port 21 and 20 (for non-passive connections) 
> inbound to your FTP server. I didn't see that in your rules either but 
> since you can log in to the server, etc. I can only assume it works. You 
> will have to check your FTP server's documentation on which ports it 
> uses in PASV (passive) mode. These ports are always above 1023 (1024:). 
> I will give you an example: 
> Suppose your FTP server uses ports 50100 to 50200 for passive 
> connections. You will need to add an iptables rule such as 
> $IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 50100:50200 -j 
> into your firewall ruleset, assuming your FTP server is not on the 
> firewall and you've taken care of DNATing. If you want to be lazy you 
> can always do this: 
> $IPT -A FORWARD -p tcp -d your.ftp.ip.address --dport 1024: -j ACCEPT 
> The above rule should work right away, provided the rest of your 
> firewall is in order. For anything else I suggest reviewing the HOW-TOs 
> on www.netfilter.org. A google search will probably provide you with the 
> specific ports for your FTP server, and any server worth the download 
> will let you change what those ports are. 
> Hope that helps. 
> Derick 
> -----Original Message----- 
> From: netfilter-bounces at lists.netfilter.org 
> [netfilter-bounces at lists.netfilter.org] On Behalf Of 
> varun_saa at vsnl.net 
> Sent: Friday, August 12, 2005 12:52 PM 
> To: netfilter at lists.netfilter.org 
> Subject: ftp issue cont. 
> Make sure you've opened up whichever unprivileged passive ports your FTP 
> server uses. Passive FTP connections are seen as new by stateful 
> firewalls, not related to the original control connection. 
> Derick Anderson   
> Thanks Derick, 
> But I am not very clear about ftp. 
> So I will appreciate details.  
> Thanks  
> Varun  
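The PORT line in the gftp log above, as an added example that is not part of this thread: the client advertises its private LAN address and port (4*256+3 = 1027) to a server on the Internet, which cannot connect back to it, and a masquerading gateway needs netfilter's FTP helper (ip_conntrack_ftp plus ip_nat_ftp) to rewrite that line to the public address. The script below models both a server-side PORT check and the rewrite the helper performs; the address 203.0.113.5 and the function names are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server where to open
# the data connection; the port is p1*256 + p2.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$")

def parse_port(cmd):
    """Decode a PORT command into (ip, port); ValueError if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError("byte out of range in %r" % cmd)
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def format_port(ip, port):
    """Encode (ip, port) as a PORT command."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)

def server_accepts_port(cmd, control_peer_ip):
    """Conservative server-side check: the advertised address must equal the
    control connection's peer and the port must be unprivileged. A NAT'd
    client that sends its private address fails this check."""
    try:
        ip, port = parse_port(cmd)
    except ValueError:
        return False
    return ip == control_peer_ip and port > 1023

def nat_rewrite_port(cmd, public_ip, mapped_port):
    """What the gateway's FTP NAT helper does conceptually: replace a private
    address/port in PORT with the public address and the port the gateway
    will translate the server's incoming data connection back through."""
    ip, port = parse_port(cmd)
    if not ip_address(ip).is_private:
        return cmd  # already routable, nothing to rewrite
    return format_port(public_ip, mapped_port)

if __name__ == "__main__":
    # Constructed input: the gftp log's PORT line; 203.0.113.5 (TEST-NET) stands in for the gateway's WAN address.
    cmd = "PORT 192,168,0,253,4,3"
    print(parse_port(cmd))                          # ('192.168.0.253', 1027)
    print(server_accepts_port(cmd, "203.0.113.5"))  # False
    fixed = nat_rewrite_port(cmd, "203.0.113.5", 1027)
    print(fixed, server_accepts_port(fixed, "203.0.113.5"))  # True
```

On the FC4 gateway the real rewrite is done in-kernel once ip_conntrack_ftp and ip_nat_ftp are loaded and the FORWARD chain accepts RELATED,ESTABLISHED traffic; no rule for "--dport 1024:" is needed for that.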
