On Tue, 2 Apr 2013, Reindl Harald wrote:

>
>
> On 02.04.2013 02:04, Max Pyziur wrote:
>>> [root@srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
>>> # Load additional iptables modules (nat helpers)
>>> # Default: -none-
>>> # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
>>> # are loaded after the firewall rules are applied. Options for the helpers are
>>> # stored in /etc/modprobe.conf.
>>> IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
>>
>> So, are you saying this last line is key?
>
> it is on my fedora machines acting as FTP behind a NAT
>
>> Because on the CentOS 5 setup I see:
>> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
>>
>> While on the CentOS 6 setup I see:
>> IPTABLES_MODULES=""
>>
>> What is the correct/recommended setting?
>
> there is no "correct/recommended setting"
>
> if you are behind a NAT you need a different config than if you
> have a public IP on your machine, that is why configs exist

Not behind a NAT ...

> with passive FTP the server answers with port AND ip-address
> for the data-connection (which is an idiotic design but it is how
> it is) and if the client follows this response it fails
>
> so the way to go is translate the response in whatever
> stateful filter in front of the FTP server
>
> this is called ALG (application layer gateway) and part
> of any reliable stateful packet filter

Adding the following line to /etc/sysconfig/iptables-config "got me home":

IPTABLES_MODULES="ip_conntrack_ftp"

Along with the above dialogue, the following page helped (me):
http://www.linuxquestions.org/questions/linux-networking-3/iptables-configuration-for-passive-ftp-connection-633774/

Thanks.

Max Pyziur
pyz@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
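What the conntrack FTP helper actually does with a passive-mode reply, and why the behind-NAT case in the thread fails without an ALG, as an added example that is not part of the thread or of the CentOS init scripts. The function names (pasv_decode, pasv_check, helper_modules, ftp_rules) and all addresses and ports are my own constructed sample values; the module names are the upstream ones (ip_conntrack_* on the 2.6.18 kernel of CentOS 5, nf_conntrack_* on the 2.6.32 kernel of CentOS 6).

```shell
#!/bin/sh
# Added example, not from the list thread. Decodes an FTP "227" PASV reply
# the way a conntrack FTP helper must (to learn which data connection to
# expect), flags the NAT case described in the thread (server announces an
# address the client did not connect to), and emits the iptables-config and
# iptables fragments for a server with a public IP. Sample values are
# constructed; 198.51.100.10 and 10.0.0.5 are documentation/private ranges.

# pasv_decode REPLY -> "h1.h2.h3.h4 port"
# REPLY looks like: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
pasv_decode() {
    inner=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$inner" ] || { echo "malformed PASV reply: $1" >&2; return 1; }
    # split the six comma-separated fields into $1..$6
    set -- $(printf '%s\n' "$inner" | tr ',' ' ')
    [ $# -eq 6 ] || { echo "malformed PASV reply: expected 6 fields" >&2; return 1; }
    for f in "$@"; do
        [ "$f" -le 255 ] || { echo "malformed PASV reply: field $f > 255" >&2; return 1; }
    done
    # data port is p1*256 + p2, the same arithmetic the helper performs
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# pasv_check CONTROL_ADDR REPLY -> "ok" when the announced address is the one
# the client already talks to, "mismatch" when the server announced another
# address (the behind-NAT case: a private address leaks into the reply and the
# client's data connection fails unless an ALG rewrites the reply)
pasv_check() {
    decoded=$(pasv_decode "$2") || return 1
    announced=${decoded%% *}
    if [ "$announced" = "$1" ]; then echo ok; else echo mismatch; fi
}

# helper_modules RELEASE NAT -> value for IPTABLES_MODULES
# RELEASE 5 = CentOS 5 (2.6.18, ip_conntrack_* names), 6 = CentOS 6 (2.6.32,
# nf_conntrack_* names). NAT=yes adds the NAT helper that rewrites the PASV
# reply; NAT=no is the public-IP case, where tracking alone is enough.
helper_modules() {
    case "$1" in
        5) ct=ip_conntrack_ftp; nat=ip_nat_ftp ;;
        6) ct=nf_conntrack_ftp; nat=nf_nat_ftp ;;
        *) echo "unknown release: $1" >&2; return 1 ;;
    esac
    if [ "$2" = yes ]; then echo "$ct $nat"; else echo "$ct"; fi
}

# ftp_rules -> INPUT rules that, together with the loaded helper, admit
# passive FTP: the control port plus RELATED (the data connection the helper
# expects) and ESTABLISHED. No blanket high-port range is opened.
ftp_rules() {
    cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
EOF
}

# Demo with constructed values
reply='227 Entering Passive Mode (198,51,100,10,195,149)'
echo "decoded: $(pasv_decode "$reply")"
echo "direct:  $(pasv_check 198.51.100.10 "$reply")"
echo "natted:  $(pasv_check 198.51.100.10 '227 Entering Passive Mode (10,0,0,5,195,149)')"
echo "IPTABLES_MODULES=\"$(helper_modules 6 no)\""
ftp_rules
```

After adding the module to IPTABLES_MODULES and restarting iptables, confirm it is really loaded with `lsmod | grep conntrack_ftp` (check `modinfo` for the name your kernel ships), then watch a passive transfer create an expectation in /proc/net/nf_conntrack (CentOS 6) or /proc/net/ip_conntrack (CentOS 5); the RELATED rule is what lets that expected data connection in, so no 1024:65535 range needs to be opened.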