Hello, 'Jonas Meurer' wrote:
In other words, this module is unusable for FTP servers on non-standard ports if it's compiled into the kernel?
Well, I guess you can edit the default port list in the kernel source before compiling.
How can I open the ports for those FTP servers without using ip_conntrack_ftp?
There is a workaround, which requires that the FTP server software be "cooperative". For instance, it must be able to set a range of local ports to use for data transfer connections in passive mode.
What I'm currently doing is:

iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
    -m multiport -p tcp --dports 9621,9721 \
    -d **.**.***.**/31 -j ACCEPT

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
    -m multiport -p tcp --sports 9621,9721 \
    -d **.**.***.**/31 -j ACCEPT

iptables -A OUTPUT -o eth0 -m state --state NEW \
    -m multiport -p tcp --sports 9620,9720 \
    -d **.**.***.**/31 -j ACCEPT

What do the "-d **.**.***.**/31" address ranges represent?
But obviously this doesn't work. I still cannot connect to the FTP servers on ports 9621 and 9721. What am I missing?
The first two rules may allow an incoming control connection to be established, although the RELATED state is not needed. But the third rule is not sufficient to allow the server to establish an outgoing data connection in active mode. You need to add the ESTABLISHED state to allow outgoing packets once the connection is established. You also need to create another rule in the INPUT chain as its counterpart for the return traffic, in the ESTABLISHED state.
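As an added example (not from the thread), here is a rule set that applies the corrections above and also covers the passive-mode workaround: the active-mode OUTPUT rule gains ESTABLISHED and an INPUT counterpart, and a server-side passive port range is opened. It assumes control ports 9621/9721, active data source ports 9620/9720 (control port minus one), a passive range 50000-50100 configured in the FTP server, and the placeholder 192.0.2.0/31 standing in for the masked address range in the original rules; by default it only prints the commands (set IPTABLES=iptables to load them).

```shell
#!/bin/sh
# Dry-run by default: prints the rules instead of loading them.
IPTABLES="${IPTABLES:-echo iptables}"
PEER_NET="${PEER_NET:-192.0.2.0/31}"   # placeholder for the masked **.**.***.**/31
CTRL_PORTS="9621,9721"                  # non-standard FTP control ports
ACTIVE_SRC_PORTS="9620,9720"            # server-side source ports for active data
PASV_RANGE="50000:50100"                # assumed passive range set in the FTP server

ftp_rules() {
    # Control connection: the client opens it, the server only answers.
    $IPTABLES -A INPUT -i eth0 -p tcp -m multiport --dports $CTRL_PORTS \
        -s "$PEER_NET" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o eth0 -p tcp -m multiport --sports $CTRL_PORTS \
        -d "$PEER_NET" -m state --state ESTABLISHED -j ACCEPT

    # Active mode: the server opens the data connection from port N-1 (NEW),
    # and both directions must then pass in the ESTABLISHED state.
    $IPTABLES -A OUTPUT -o eth0 -p tcp -m multiport --sports $ACTIVE_SRC_PORTS \
        -d "$PEER_NET" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p tcp -m multiport --dports $ACTIVE_SRC_PORTS \
        -s "$PEER_NET" -m state --state ESTABLISHED -j ACCEPT

    # Passive mode: the client connects into the server's configured range,
    # so no connection-tracking helper has to parse the control channel.
    $IPTABLES -A INPUT -i eth0 -p tcp --dport $PASV_RANGE \
        -s "$PEER_NET" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A OUTPUT -o eth0 -p tcp --sport $PASV_RANGE \
        -d "$PEER_NET" -m state --state ESTABLISHED -j ACCEPT
}

ftp_rules
```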