Put the line:

    ip_conntrack_ftp ports=2121

in your modules.autoload, then it should work fine for you.

//kim

> -----Original Message-----
> From: Alexandros Papadopoulos [mailto:apapadop@cmu.edu]
> Sent: Monday, December 09, 2002 10:46 PM
> To: netfilter@lists.netfilter.org
> Subject: non-standard FTP ports and connection tracking
>
> Hi. I have a small problem with the ftp_conntrack module (I guess).
>
> Scenario:
> =========
> I run iptables 1.2.6a and an ftp server (publicfile) on a machine
> directly connected to the Internet. Connection tracking works fine when
> the ftp server listens on the standard port (21), but seems to break
> when I set the ftp server to listen on a non-standard high port (say,
> 2121).
>
> I set both incoming and outgoing default action to DROP, load the
> connection tracking modules in my firewall script:
>
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
>
> and try to allow traffic for my ftp server only.
>
> What happens:
> =============
>
> If the ftp server uses port 21 (standard setup), it works fine:
>
> [] ftpd listening on port 21
> [] client connects -> connection from high port to my 21 is established
> [] client requests directory listing -> connection from my high port to
>    another high port of the client is established
>
> Rules: (all defaults are DROP)
> ==============================
>
> ## Allow connections to our ftp server
> /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
>
> ## Allow data for incoming FTP to return back to sender
> /sbin/iptables -A OUTPUT -p tcp --sport 21 --dport 1024: -m state \
>     --state ESTABLISHED,RELATED -j ACCEPT
>
> ## Allow outgoing FTP (data) + HTTP replies
> /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state \
>     --state ESTABLISHED,RELATED -j ACCEPT
>
> The problem:
> ============
>
> But, when I set the server to listen on port 2121...:
>
> [] ftpd listens on 2121
> [] client connects -> connection from high port to my 2121 is established
> [] client requests directory listing -> netfilter drops packets for the
>    new (but related) connection that tries to be established, and the
>    user never sees the directory listing. The last packet that gets
>    through is the one that carries the "150 Making transfer
>    connection..." message.
>
> The rules in this case have only the port number changed, but here they
> are in case I'm doing something wrong:
>
> ## Allow connections to our ftp server
> /sbin/iptables -A INPUT -p tcp --dport 2121 -j ACCEPT
>
> ## Allow outgoing FTP (data) + HTTP replies!
> /sbin/iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state \
>     --state ESTABLISHED,RELATED -j ACCEPT
>
> ## Allow data for incoming FTP to return back to sender
> /sbin/iptables -A OUTPUT -p tcp --sport 2121 --dport 1024: -m state \
>     --state ESTABLISHED,RELATED -j ACCEPT
>
> Any ideas?
>
> -A
> --
> http://andrew.cmu.edu/~apapadop/pub_key.asc
> 3DAD 8435 DB52 F17B 640F D78C 8260 0CC1 0B75 8265
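The exchange above comes down to one mechanism: the FTP helper only inspects control connections on the ports it was loaded with (21 by default), and only from what it sees there can it register the RELATED expectation that lets the data connection through a default-DROP policy. The following Python model is an added illustration, not code from either message or from netfilter; the function and constant names are my own, and the addresses in the test are constructed.

```python
import re

# Ports the FTP helper inspects. The kernel default is 21 alone; a
# ports= list given at load time replaces that default rather than
# extending it, so a server on 21 and 2121 needs ports=21,2121.
DEFAULT_HELPER_PORTS = (21,)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server,
# "PORT h1,h2,h3,h4,p1,p2" from the client; data port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def helper_ports_from_modprobe(line):
    """Parse the ports= option from a modprobe / modules.autoload line
    such as 'ip_conntrack_ftp ports=21,2121'; default is (21,)."""
    m = re.search(r"\bports=([\d,]+)", line)
    if not m:
        return DEFAULT_HELPER_PORTS
    return tuple(int(p) for p in m.group(1).split(",") if p)


def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expectation_from_line(line, client_ip, server_ip, server_port,
                          helper_ports=DEFAULT_HELPER_PORTS):
    """Return the (src_ip, dst_ip, dst_port) data connection the helper
    would mark RELATED after seeing `line` on the control channel, or
    None when no expectation is created (and a default-DROP policy will
    then drop the data connection, as in the 2121 case above)."""
    if server_port not in helper_ports:
        return None  # control channel never inspected by the helper
    m = PASV_RE.match(line)
    if m:  # passive: client connects to the address the server advertised
        ip, port = _decode(m.groups())
        return (client_ip, ip, port)
    m = PORT_RE.match(line)
    if m:  # active: server connects to the address the client advertised
        ip, port = _decode(m.groups())
        return (server_ip, ip, port)
    return None
```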