Jonas Meurer wrote:
>> What do the "-d **.**.***.**/31" address ranges represent ?
> the ftp servers listen on both ips. so both are server addresses.
> do you think that i should change the "-d ..." at -A OUTPUT to "-s ..."?
Obviously yes. I just wonder how these rules could accept the control
connection, as they did not accept the return packets from the server.
[...]
> i would like to support both active and passive mode.
To allow active mode you'll have to perform two actions:
1) Look into your FTP server configuration for an option named "passive
mode local port range" or the like. You must define a port range that is
not likely to be used by other local processes (so for example don't
overlap /proc/sys/net/ipv4/ip_local_port_range). The number of ports in
the interval must be big enough for the expected maximum number of
simultaneous data connections from FTP clients.
2) Set iptables rules in INPUT and OUTPUT which allow incoming TCP
connections to the port range you defined in the previous step.
[...]
> user@home~$ lftp user@xxxxxxxxxxxx:9621
> lftp user@xxxxxxxxxxxx:/> debug
> lftp user@xxxxxxxxxxxx:/> set ftp:passive-mode on
> lftp user@xxxxxxxxxxxx:/> ls
> ---> PASV
> <--- 227 Entering Passive Mode (62,75,128,98,180,236)
> ---- Connecting data socket to (62.75.128.98) port 46316
> `ls' at 0 [Making data connection...]
I guess your ruleset does not allow incoming TCP connections to the port
46316, so the data connection fails. Don't bother to allow this port, as
it is dynamic and a different one is chosen by the server for each
passive data connection.
> lftp user@xxxxxxxxxxxx:/> set ftp:passive-mode off
> lftp user@xxxxxxxxxxxx:/> ls
> [...]
> ---> PORT 192,168,3,34,197,115
> <--- 200 PORT command successful.
> ---> LIST
> <--- 150 Opening ASCII mode data connection for file list
> <--- 426 Connection closed; transfer aborted
> ---- Closing data socket
That's probably the effect of the -d option in the second OUTPUT rule.
The server tries to open a data connection to the TCP port 50547 of
192.168.3.34, but this destination address doesn't match the -d option.
Try to change -d to -s. Check also that there is no packet filter on the
client which may block FTP data connections.
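As an added illustration of the two points above (a passive port range kept clear of the kernel's ephemeral range, and -s rather than -d in OUTPUT), here is a small script that is not from this thread; the server address 198.51.100.10 and the passive range 62000-62099 are assumed values, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the server's
# address 198.51.100.10 (documentation range) and passive ports
# 62000-62099 configured in the FTP daemon (vsftpd: pasv_min_port /
# pasv_max_port; other daemons have an equivalent setting).
FTP_IP=198.51.100.10
PASV_LO=62000
PASV_HI=62099

# Exit 0 if [a_lo,a_hi] and [b_lo,b_hi] share at least one port.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$2" -ge "$3" ]
}

# Kernel ephemeral range; constructed default when /proc is absent.
local_port_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"
    fi
}

# Exit 0 when the passive range avoids the ephemeral range
# (args: pasv_lo pasv_hi [eph_lo eph_hi]; defaults read the kernel).
passive_range_ok() {
    lo=$1; hi=$2
    if [ $# -ge 4 ]; then eph="$3 $4"; else eph=$(local_port_range); fi
    set -- $eph
    ! ranges_overlap "$lo" "$hi" "$1" "$2"
}

# Print the rules on stdout instead of applying them. OUTPUT rules
# match the server's address with -s: packets leaving the server
# carry it as source, not destination, which is why -d never matches.
ftp_rules() {
    ip=$1; lo=$2; hi=$3
    cat <<EOF
iptables -A INPUT  -p tcp -d $ip --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport 21 -j ACCEPT
iptables -A INPUT  -p tcp -d $ip --dport $lo:$hi -j ACCEPT
iptables -A OUTPUT -p tcp -s $ip --sport $lo:$hi -j ACCEPT
EOF
}

if passive_range_ok "$PASV_LO" "$PASV_HI"; then
    ftp_rules "$FTP_IP" "$PASV_LO" "$PASV_HI"
else
    echo "passive range $PASV_LO-$PASV_HI overlaps $(local_port_range)" >&2
fi
```

The port 46316 picked by the server in the lftp session above would fail this check against a default ephemeral range of 32768-60999.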