Re: Ip_conntrack_ftp with PASSIVE FTP does not work

Chandra.Vempali@xxxxxxxxxxxx wrote:
> Hi all,
> 
> For me, ip_conntrack_ftp does not work for PASSIVE ftp.
> 
> In the firewall rules, I blocked everything and put the following rules:
> 
> iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED,NEW -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> And when I try to ftp, the control channel goes through the firewall, but
> the data channel fails to pass through.
So, your firewall connects to the FTP server, why not. First of all make
sure that ip_conntrack_ftp is compiled into the kernel or as a module.
If compiled as a module, make sure it is loaded.

As your firewall connects to the FTP server and your OUTPUT policy seems
to be DROP or REJECT, you need rules like these:

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 --syn -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Hmm, many people, including myself, think that filtering in OUTPUT is
pointless. More troublesome than useful. If you decide to set OUTPUT
policy to ACCEPT, you don't need the first two rules. Up to you.

Have a nice time,

Joerg
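To see why the RELATED state is what makes the passive data channel pass, it helps to model what the FTP connection-tracking helper (ip_conntrack_ftp, called nf_conntrack_ftp on current kernels) actually does: it reads the control channel on port 21, parses the address and port announced in the server's 227 reply (passive mode) or the client's PORT command (active mode), and registers an expectation so that the matching new data connection is classified RELATED instead of NEW. The Python below is an added illustration of that logic, written for this post and not code from the thread or from the kernel; the control-channel lines, addresses and the function names are constructed for the example. The strict check that the announced address equals the peer's own address is an assumption of this model (a defensive choice so that a server cannot make the firewall pre-approve a connection to an arbitrary third host); the kernel helper has a similar option.

```python
import re

# Constructed sample control-channel lines; they are not taken from the thread.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
PORT_COMMAND = "PORT 198,51,100,7,4,1\r\n"

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply (RFC 959).
_HOST_PORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_host_port(text):
    """Return (ip, port) from an RFC 959 h1,h2,h3,h4,p1,p2 string, or None if malformed."""
    m = _HOST_PORT_RE.search(text)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


def expectation_from_pasv(reply, server_ip, client_ip, strict=True):
    """Passive mode: the server's 227 reply names the address/port the client will connect to.

    The resulting expectation is 'client -> address:port'.  With strict=True (an assumption
    of this model) a reply naming an address other than the server's own is ignored.
    """
    if not reply.startswith("227"):
        return None
    parsed = parse_host_port(reply)
    if parsed is None:
        return None
    ip, port = parsed
    if strict and ip != server_ip:
        return None
    return {"src": client_ip, "dst": ip, "dport": port}


def expectation_from_port(command, server_ip, client_ip, strict=True):
    """Active mode: the client's PORT command names where the server should connect back.

    The resulting expectation is 'server -> address:port'.  strict=True rejects an address
    other than the client's own, for the same reason as in expectation_from_pasv.
    """
    if not command.upper().startswith("PORT "):
        return None
    parsed = parse_host_port(command)
    if parsed is None:
        return None
    ip, port = parsed
    if strict and ip != client_ip:
        return None
    return {"src": server_ip, "dst": ip, "dport": port}


def data_connection_is_related(expectation, src_ip, dst_ip, dst_port):
    """True if a new TCP SYN src_ip -> dst_ip:dst_port matches the expectation.

    The source port is deliberately not part of the match: the connecting side
    picks it only after the address has been announced on the control channel.
    """
    if expectation is None:
        return False
    return (expectation["src"], expectation["dst"], expectation["dport"]) == (
        src_ip, dst_ip, dst_port
    )


if __name__ == "__main__":
    exp = expectation_from_pasv(PASV_REPLY, "192.0.2.10", "198.51.100.7")
    print("PASV expectation:", exp)
    print("data SYN 198.51.100.7 -> 192.0.2.10:50000 RELATED?",
          data_connection_is_related(exp, "198.51.100.7", "192.0.2.10", 50000))
```

The model shows two things worth checking on a real firewall: without the helper loaded there is no expectation at all, so the client's SYN to port 50000 is plain NEW and is dropped by a rule set that only accepts RELATED,ESTABLISHED; and a 227 reply that announces an address other than the server's is not trusted in strict mode, which is the behaviour to prefer on a firewall that fronts untrusted networks.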
