Re: how to set ports for ip_conntrack_ftp

Jonas Meurer wrote:

What do the "-d **.**.***.**/31" address ranges represent ?

The FTP servers listen on both IPs, so both are server addresses.

Do you think that I should change the "-d ..." at -A OUTPUT to "-s ..."?

Obviously yes. I just wonder how these rules could accept the control connection, as they did not accept the return packets from the server.

[...]
I would like to support both active and passive mode.

To allow active mode you'll have to perform two actions:

1) Look into your FTP server configuration for an option named "passive mode local port range" or the like. You must define a port range that is not likely to be used by other local processes (so, for example, don't overlap /proc/sys/net/ipv4/ip_local_port_range). The number of ports in the interval must be sufficiently bigger than the expected maximum number of simultaneous data connections from FTP clients.

2) Set iptables rules in INPUT and OUTPUT which allow incoming TCP connections to the port range you defined in the previous step.

[...]
user@home~$ lftp user@xxxxxxxxxxxx:9621
lftp user@xxxxxxxxxxxx:/> debug

lftp user@xxxxxxxxxxxx:/> set ftp:passive-mode on

lftp user@xxxxxxxxxxxx:/> ls
---> PASV
<--- 227 Entering Passive Mode (62,75,128,98,180,236)
---- Connecting data socket to (62.75.128.98) port 46316
`ls' at 0 [Making data connection...]

I guess your ruleset does not allow incoming TCP connections to the port 46316, so the data connection fails. Don't bother to allow this port, as it is dynamic and a different one is chosen by the server for each passive data connection.

lftp user@xxxxxxxxxxxx:/> set ftp:passive-mode off

lftp user@xxxxxxxxxxxx:/> ls
[...]
---> PORT 192,168,3,34,197,115
<--- 200 PORT command successful.
---> LIST
<--- 150 Opening ASCII mode data connection for file list
<--- 426 Connection closed; transfer aborted
---- Closing data socket

That's probably the effect of the -d option in the second OUTPUT rule. The server tries to open a data connection to the TCP port 50547 of 192.168.3.34, but this destination address doesn't match the -d option. Try to change -d to -s. Check also that there is no packet filter on the client which may block FTP data connections.
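As an added illustration (example code, not part of the thread or of the netfilter project), the following Python decodes the two control-channel lines shown in the lftp session above, the 227 PASV reply and the PORT command, into the address and port of the data connection they announce. This is the same six-field encoding that a connection-tracking helper such as ip_conntrack_ftp has to parse to know which data connection to expect; the control-connection endpoints and the passive port range 50000-50099 used in the demonstration are constructed assumptions, not values from the thread.

```python
"""Decode FTP PASV replies and PORT commands into the data connection
they announce, and check the announced port against an allowed range."""
import re

# Six comma-separated decimal fields: four address octets, then the port
# split into high byte and low byte (port = p1 * 256 + p2).
_SIX_FIELDS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_REPLY_RE = re.compile(r"^227 .*?\(" + _SIX_FIELDS + r"\)")
PORT_COMMAND_RE = re.compile(r"^PORT " + _SIX_FIELDS + r"\s*$")


def _decode_fields(fields):
    """Turn the six captured fields into (dotted_ip, port), rejecting
    values that are not valid octets and a zero port."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % (fields,))
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return ".".join(str(n) for n in nums[:4]), port


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port),
    or None if the line is not a 227 reply."""
    m = PASV_REPLY_RE.match(line.strip())
    return _decode_fields(m.groups()) if m else None


def parse_port_command(line):
    """'PORT h1,h2,h3,h4,p1,p2' -> (ip, port), or None if not a PORT command."""
    m = PORT_COMMAND_RE.match(line.strip())
    return _decode_fields(m.groups()) if m else None


def expected_data_connection(line, server_ip, client_ip):
    """Describe the data connection a packet filter should expect after
    seeing `line` on the control connection between server_ip and client_ip.

    Returns None for lines that set up no data connection.  In passive mode
    the client connects to the server's announced port; in active mode the
    server connects to the client's announced port.  `address_matches` says
    whether the announced address is the peer already known from the
    control connection; with a NAT device in the path the client's PORT
    address can legitimately differ, which is why helpers treat this as a
    sanity check rather than a hard rule."""
    pasv = parse_pasv_reply(line)
    if pasv is not None:
        ip, port = pasv
        return {"mode": "passive", "src": client_ip, "dst": ip,
                "dport": port, "address_matches": ip == server_ip}
    port_cmd = parse_port_command(line)
    if port_cmd is not None:
        ip, port = port_cmd
        return {"mode": "active", "src": server_ip, "dst": ip,
                "dport": port, "address_matches": ip == client_ip}
    return None


def in_passive_range(port, low, high):
    """True if a server-announced passive port lies inside the range the
    firewall rules allow (the range configured in step 1 of the reply)."""
    return low <= port <= high


if __name__ == "__main__":
    # Constructed control-connection endpoints (assumed, not from the thread);
    # the protocol lines are the ones quoted from the lftp debug output.
    SERVER, CLIENT = "62.75.128.98", "192.168.3.34"
    for ln in ["227 Entering Passive Mode (62,75,128,98,180,236)",
               "PORT 192,168,3,34,197,115",
               "200 PORT command successful."]:
        print(ln, "->", expected_data_connection(ln, SERVER, CLIENT))
    # Hypothetical passive range 50000-50099: the quoted PASV port 46316 falls
    # outside it, which is the kind of mismatch that makes the data connection hang.
    print("46316 allowed:", in_passive_range(46316, 50000, 50099))
```

Running it reproduces the arithmetic behind the session above: (180,236) decodes to port 46316 and (197,115) to port 50547. Comparing the decoded passive port against the range actually opened in INPUT/OUTPUT is a quick way to confirm that the server's passive range and the iptables rules agree.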


