ftp issue cont.

Derick Anderson danderson at vikus.com
Mon Aug 15 13:54:54 CEST 2005

It must be our firewall then: I didn't build it myself and I don't know if conntrack_ftp is loaded in the kernel or not - guess I could always modprobe eh? We have a 24/7 production shop so I'm editing it live until I get around to building another firewall myself. I always thought that passive FTP ports had to be opened specifically because the only indication of a new connection is in the data of the packet itself.

Thanks for the clarification,


-----Original Message-----
From: netfilter-bounces at lists.netfilter.org [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Jörg Harmuth
Sent: Monday, August 15, 2005 5:13 AM
To: netfilter at lists.netfilter.org
Subject: Re: ftp issue cont.

Derick Anderson wrote:
> FTP passive mode creates an entirely new connection for data transfer.
> It is not 'related' to the original connection and so iptables doesn't 
> pick it up as such (nor do any other stateful firewalls that I'm aware 
> of).

No, not really. Iptables regards FTP data traffic as related stuff. To be more exact, the respective helper module does so (ip_conntrack_ftp.[k]o). So, normally all you have to do is load this module, allow ESTABLISHED,RELATED traffic in and out and allow FTP in.
This looks something like this (assuming that the policies are DROP and OUTPUT is ACCEPT, and also assuming that the box is directly connected to the internet and that the FTP server is on the firewall box):

modprobe ip_conntrack_ftp

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT

This will work for active and passive FTP. If the FTP module isn't on the system in question, varun_saa has to configure the kernel correctly and recompile as needed.

BTW, the original ruleset didn't explain anything. IN|OUTPUT == ACCEPT and in FORWARD no rule concerning FTP. So, what is this guy doing? If the FTP server is on the firewall box, there is no iptables problem at all (on this box). If not, there are no rules that permit FTP and thus it cannot work. The whole thing looks quite mysterious to me, including the -P issue Rob mentioned. Maybe a tiny ASCII art network picture would clarify the situation :)

Have a nice time,
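As an added example (not code from either poster), the script below answers Derick's two practical questions: whether the FTP conntrack helper is actually loaded, and what the minimal ruleset from Jörg's reply looks like for both layouts, FTP server on the firewall box (INPUT) or behind it (FORWARD). It only prints rules and assumes no NAT in front of the server; the module name nf_conntrack_ftp is the newer name of ip_conntrack_ftp.

```sh
#!/bin/sh
# Added example, not code from the thread. Prints (never applies) the minimal
# ruleset described above: policies DROP, OUTPUT ACCEPT, and the FTP conntrack
# helper marking data connections RELATED. Two layouts: server on the firewall
# box (INPUT chain) or behind it (FORWARD chain, no NAT involved).

# Print the loaded FTP helper's module name, or return 1 if none is loaded.
# Older kernels name it ip_conntrack_ftp, newer ones nf_conntrack_ftp.
ftp_helper_loaded() {
    for m in nf_conntrack_ftp ip_conntrack_ftp; do
        if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m"; then
            echo "$m"
            return 0
        fi
    done
    return 1
}

# ftp_ruleset local              -> FTP server runs on the firewall itself
# ftp_ruleset forward <server>   -> FTP server sits behind the firewall
ftp_ruleset() {
    case "$1" in
        local)
            echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
            echo "iptables -A INPUT -p tcp --dport 21 --syn -j ACCEPT"
            ;;
        forward)
            [ -n "${2-}" ] || { echo "forward needs a server address" >&2; return 2; }
            # Control connection in, plus whatever the helper marks RELATED
            echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
            echo "iptables -A FORWARD -d $2 -p tcp --dport 21 --syn -j ACCEPT"
            ;;
        *)
            echo "usage: ftp_ruleset local|forward <server-ip>" >&2; return 2
            ;;
    esac
}

main() {
    if helper=$(ftp_helper_loaded); then
        echo "# FTP helper loaded: $helper"
    else
        echo "# no FTP helper loaded; passive data connections would not be RELATED"
        echo "modprobe nf_conntrack_ftp || modprobe ip_conntrack_ftp"
    fi
    ftp_ruleset "$@"
}

# Runs only when given arguments, e.g.: sh ftp-rules.sh forward 192.0.2.10
if [ $# -gt 0 ]; then main "$@"; fi
```

Review the printed lines, then paste them into the live firewall; on the 2005-era box in the thread the modprobe line reduces to the ip_conntrack_ftp fallback.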

