Run these shell commands at boot, or any time before you want FTP to work properly:

modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

For an FTP server on the firewall itself, use:

# Allow anyone inbound to the FTP server
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# ALWAYS HAVE THIS RULE & FIRST IN LIST
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

For machines behind your firewall connecting to the internet, use:

# You should tighten up this rule a bit, specifying -i <internal_interface_address> as well as the following
iptables -A FORWARD -p tcp --dport 21 -j ACCEPT
# ALWAYS HAVE THIS RULE & FIRST IN LIST
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

For internet clients connecting to an internal server, use:

# This forwards the FTP request to the right internal FTP server
iptables -t nat -A PREROUTING --destination <external_ftp_address> -p tcp --dport 21 -j DNAT --to <internal_ftp_server>
# Allow traffic to the DNAT'd IP address
iptables -A FORWARD --destination <internal_ftp_server> -p tcp --dport 21 -j ACCEPT
# ALWAYS HAVE THIS RULE & FIRST IN LIST
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

That is all!

PS: Never fck around with OUTPUT unless you're a pro. FORWARD goes through the firewall; INPUT/OUTPUT are just for local firewall PC connections.

Christian Gmeiner wrote:
> Hi people.
>
> I got active FTP working, but I also need the passive one.
>
> Here is my stuff:
>
> # Port 21
> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> # active - works
> iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
>
> # passive
> iptables -A INPUT -p tcp --sport ${UNPRIVPORTS} --dport ${UNPRIVPORTS} -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp --sport ${UNPRIVPORTS} --dport ${UNPRIVPORTS} -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I have everything set to DROP and I am allowing these protocols and ports:
>
> # TCP in+out
> TCP_IN_OUT="ssh"
>
> # TCP out
> # 5190 = ICQ
> TCP_OUT="5190 http https 25 ftp ftp-data pop3 smtp"
>
> # TCP in
> TCP_IN=""
>
> # UDP in+out
> UDP_IN_OUT="domain ssh"
>
> # UDP out
> UDP_OUT="https"
>
> # UDP in
> UDP_IN=""
>
> UNPRIVPORTS="1024:65535"
>
> So.. I must now allow the UNPRIVPORTS, but how do I do this?
>
> Thanks, Christian Gmeiner
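The three scenarios from the reply above, written out as one script. This is an added example, not code from either poster: it puts the ESTABLISHED,RELATED rule genuinely first in each chain (the reply's comment says so, but -A appends it after the port-21 rule), uses the nf_conntrack_ftp / nf_nat_ftp module names that replaced ip_conntrack_ftp / ip_nat_ftp in 2.6.20+, and adds the `-j CT --helper ftp` rules in the raw table that kernels since 4.7 need because conntrack no longer attaches helpers automatically (net.netfilter.nf_conntrack_helper defaults to 0 and newer kernels dropped the sysctl entirely). The interface names eth0/eth1 and the addresses 198.51.100.10 / 192.168.1.20 are assumed placeholders. The script is a dry run by default and prints the commands; set IPT=iptables and MODPROBE=modprobe to apply them.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the FTP rule set for
# all three cases in the reply, with the conntrack FTP helper attached.
# Dry run by default: each command is printed instead of executed.
#   IPT=iptables MODPROBE=modprobe sh ftp-rules.sh    # actually apply

IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
EXT_IF="${EXT_IF:-eth0}"                          # assumed internet-facing interface
INT_IF="${INT_IF:-eth1}"                          # assumed LAN interface
EXT_FTP_ADDR="${EXT_FTP_ADDR:-198.51.100.10}"     # assumed public address (RFC 5737 range)
INT_FTP_SERVER="${INT_FTP_SERVER:-192.168.1.20}"  # assumed internal FTP server

load_ftp_helper() {
    # 2.4 kernels called these ip_conntrack_ftp / ip_nat_ftp; 2.6.20+ use nf_*.
    $MODPROBE nf_conntrack_ftp
    $MODPROBE nf_nat_ftp
}

ftp_rules() {
    # Since Linux 4.7 conntrack does not attach helpers on its own.
    # Tag FTP control connections in the raw table so the ftp helper
    # parses PORT/PASV and sets up the expected data connection.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    $IPT -t raw -A OUTPUT     -p tcp --dport 21 -j CT --helper ftp

    # State rules first, as the reply insists. RELATED admits the data
    # connection the helper extracted from the control channel, so no
    # blanket 1024:65535 hole is needed for passive mode.
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 1. FTP server on the firewall itself
    $IPT -A INPUT -i "$EXT_IF" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # 2. LAN clients talking to FTP servers on the internet
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # 3. Internet clients reaching an internal server through DNAT.
    #    nf_nat_ftp rewrites the address in the server's PASV reply and
    #    DNATs the resulting data connection, so one port-21 rule suffices.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_FTP_ADDR" -p tcp --dport 21 \
        -j DNAT --to-destination "$INT_FTP_SERVER"
    $IPT -A FORWARD -i "$EXT_IF" -d "$INT_FTP_SERVER" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
}

load_ftp_helper
ftp_rules
```

With the helper attached, the UNPRIVPORTS rule from the original question is unnecessary: the only thing that opens a high port is a PORT or PASV command the helper actually saw on port 21, and that connection arrives as RELATED. If you must keep a client-side OUTPUT policy of DROP, the same ESTABLISHED,RELATED rule at the top of OUTPUT covers the outgoing passive data connection.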