On Tue, 2 Apr 2013, Reindl Harald wrote:
>
>
> Am 02.04.2013 02:04, schrieb Max Pyziur:
>>> [root@srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
>>> # Load additional iptables modules (nat helpers)
>>> # Default: -none-
>>> # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
>>> # are loaded after the firewall rules are applied. Options for the helpers are
>>> # stored in /etc/modprobe.conf.
>>> IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
>>
>> So, are you saying this last line is key?
>
> it is on my fedora machines acting as FTP behind a NAT
>
>> Because on the CentOS 5 setup I see:
>> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
>>
>> While on the CentOS 6 setup I see:
>> IPTABLES_MODULES=""
>>
>> What is the correct/recommended setting?
>
> there is no "correct/recommended setting"
>
> if you are behind a NAT you need a different config as if you are
> have a public IP on your machine, that is why configs exists
Not behind a NAT ...
> with passive FTP the server anserwers with port AND ip-address
> for the data-connection (which is a idiotic design but it is how
> it is) and if the client follows this response it fails
>
> so the way to go is translate the response in whatever
> stateful filter in fornt of the FTP server
>
> this is called ALG (application layer gateway) and part
> of any relieable stateful packet filter
Adding the following line to /etc/sysconfig/iptables-config "got me home:"
IPTABLES_MODULES="ip_conntrack_ftp"
Along with the above dialogue, the following page helped (me):
http://www.linuxquestions.org/questions/linux-networking-3/iptables-configuration-for-passive-ftp-connection-633774/
Thanks.
Max Pyziur
pyz@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
