ftp issue cont.

varun_saa at vsnl.net varun_saa at vsnl.net
Mon Aug 15 12:33:29 CEST 2005

Thanks Jorg,  
            How to find out if ftp-module is loaded or  
----- Original Message -----  
From: Jörg Harmuth <harmuth at mnemon.de>  
Date: Monday, August 15, 2005 2:43 pm  
Subject: Re: ftp issue cont.  
> Derick Anderson schrieb:
> > FTP passive mode creates an entirely new connection for data transfer.
> > It is not 'related' to the original connection and so iptables doesn't
> > pick it up as such (nor do any other stateful firewalls that I'm aware
> > of).
> No, not really. Iptables regards FTP data traffic as related stuff. To
> be more exact, the respective helper module does so
> (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this
> module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
> This looks something like this (assuming that policies are DROP and
> OUTPUT is ACCEPT and also assuming that the box is directly connected to
> the internet and that the FTP server is on the firewall box):
>
> modprobe ip_conntrack_ftp.[k]o
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
>
> This will work for active and passive FTP. If the ftp-module isn't on
> the system in question, varun_saa has to configure the kernel
> correctly and recompile as needed.
>
> BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT
> and in FORWARD no rule concerning FTP. So, what is this guy doing? If
> the FTP server is on the firewall box, there is no iptables problem at
> all (on this box). If not, there are no rules that permit FTP and thus
> it cannot work. The whole thing looks quite mysterious to me, including
> the -P issue Rob mentioned. Maybe a tiny ASCII art network picture
> would clarify the situation :)
>
> Have a nice time,
> Joerg
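The question above asks how to tell whether the ftp helper module is loaded. The following script is an added example, not part of the thread: it checks /proc/modules for either helper name (ip_conntrack_ftp on older kernels, nf_conntrack_ftp on newer ones) and prints, without applying, the INPUT rules from Joerg's reply. It assumes a Linux host; the two module listings are constructed sample data, and a saved copy of /proc/modules can be passed as the first argument for an offline check.

```sh
#!/bin/sh
# Added example, not from the thread: find out whether the FTP conntrack
# helper is loaded, then print the INPUT rules from the reply as a dry run.
# Assumes Linux; pass a saved copy of /proc/modules as $1 to check offline.

# Exit 0 if an FTP conntrack helper is in the module list, 1 otherwise.
# Older kernels name it ip_conntrack_ftp, newer ones nf_conntrack_ftp.
ftp_helper_loaded() {
    modules_file="${1:-/proc/modules}"
    [ -r "$modules_file" ] || return 1
    # One module per line, module name in the first column.
    awk '$1 == "ip_conntrack_ftp" || $1 == "nf_conntrack_ftp" { found = 1 }
         END { exit found ? 0 : 1 }' "$modules_file"
}

# Print (do not run) the ruleset from the reply: DROP policy on INPUT,
# RELATED/ESTABLISHED accepted, only new connections to port 21 admitted.
# The helper marks FTP data connections RELATED, so no data-port rule is needed.
# Note: recent kernels no longer auto-assign helpers; a CT rule with
# --helper ftp is then needed in addition to loading the module.
print_ftp_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT
EOF
}

# Constructed /proc/modules snapshots (sample data, not from a real host).
SAMPLE_WITH_HELPER='ip_conntrack_ftp 12345 0 - Live 0xf8a00000
ip_conntrack 45678 1 ip_conntrack_ftp, Live 0xf8a10000'
SAMPLE_WITHOUT_HELPER='ip_tables 23456 1 iptable_filter, Live 0xf8a20000'

if ftp_helper_loaded; then
    echo "FTP conntrack helper is loaded; rules to apply:"
    print_ftp_rules
else
    echo "FTP helper not loaded: try 'modprobe nf_conntrack_ftp'" \
         "(ip_conntrack_ftp on older kernels) and re-check."
fi
```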
