Re: how to set ports for ip_conntrack_ftp


Jonas Meurer wrote:

> I would like to support both active and passive mode.

>> To allow active mode you'll have to perform two actions:
>> [...]

I meant "passive", of course.

> This is a big problem, as the FTP server does not seem to support any
> other configuration than IP and port to listen on. It's the internal
> Zope FTP server (Medusa Async V1.23 [experimental]).

Well, so I'm afraid that you have to forget about passive mode, unless you allow incoming connections to the whole port range defined in /proc/sys/net/ipv4/ip_local_port_range. I guess it is not what you want.

> Now I used the following rules:
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED \
>   -m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED \
>   -m multiport -p tcp --sports 9621,9721 -s 62.75.128.98/31 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED \
>   -m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED \
>   -m multiport -p tcp --sports 9620,9720 -s 62.75.128.98/31 -j ACCEPT
>
> Unfortunately I still get the same result, both with passive and active
> FTP.
> I understand why passive FTP doesn't work; the ports are simply not open
> for the passive connection. But why does active FTP still not work? I
> tried from different servers without a firewall and without a NAT router,
> so the client cannot be the problem at all.
>
> Do you have any further suggestions?

Run a packet sniffer on the server, start a local FTP session in active mode, watch the traffic and check that the data connection uses port 9620/9621 as expected.

Run a packet sniffer on both the client and the server and watch the FTP session.

If acceptable, try to allow by address any traffic between your client and the server.

I noticed that your client had a private IP address 192.168.x.x. Is there a NAT device between the client and the server? If yes, is this NAT device aware that you do FTP on non-standard ports?

What is the delay between the two following lines during a LIST attempt in active mode:

<--- 150 Opening ASCII mode data connection for file list
<--- 426 Connection closed; transfer aborted

No delay ?
Some delay ?
Hang until you abort ?
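The check the reply asks for (sniff the control channel and see which data connection it implies) can be done by hand from the capture. The script below is an added example, not code from this thread nor from Zope, Medusa or netfilter: it parses the PORT/EPRT commands and 227/229 replies exactly as the ip_conntrack_ftp helper (today nf_conntrack_ftp, loaded with the control ports listed in its ports= module parameter) does in the kernel, derives the data connection, and tests it against the four rules posted above under the assumption that no helper is loaded, so the data connection is a plain NEW connection and nothing is RELATED. The port layout (control 9621/9721, active-mode source port one below, as 21/20) is inferred from the posted rules; the client address 10.0.0.5 and the sample control-channel lines are constructed.

```python
"""Derive the FTP data connection implied by a control-channel line and check
it against the four posted iptables rules, assuming no conntrack FTP helper
(so the first packet of the data connection is NEW, never RELATED)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Taken from the posted rules (assumed layout: data port = control port - 1).
CONTROL_PORTS = {9621, 9721}                 # --dports of the NEW INPUT rule
DATA_PORTS = {9620, 9720}                    # --sports of the NEW OUTPUT rule
SERVER_NET = ip_network("62.75.128.98/31")   # -d / -s in the posted rules


@dataclass(frozen=True)
class DataConn:
    src: str
    sport: Optional[int]   # None = ephemeral port chosen by the client
    dst: str
    dport: int
    direction: str         # "in": client opens it; "out": server opens it


_H_P_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")   # h1,h2,h3,h4,p1,p2
_EPRT_RE = re.compile(r"\|(\d)\|([^|]+)\|(\d+)\|")             # EPRT |1|host|port|
_EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")                      # 229 (|||port|)


def parse_endpoint(line: str):
    """Return (host, port) announced by a PORT/EPRT command or a 227/229 reply.
    The h1,h2,h3,h4,p1,p2 form encodes the port as p1*256+p2. host is None
    for 229 (EPSV): the peer is then the control-channel server itself."""
    s = line.strip()
    u = s.upper()
    if u.startswith("PORT ") or s.startswith("227"):
        m = _H_P_RE.search(s)
        if not m:
            raise ValueError(f"no h1,h2,h3,h4,p1,p2 in {line!r}")
        host = ".".join(m.group(i) for i in range(1, 5))
        return host, int(m.group(5)) * 256 + int(m.group(6))
    if u.startswith("EPRT "):
        m = _EPRT_RE.search(s)
        if not m:
            raise ValueError(f"malformed EPRT: {line!r}")
        return m.group(2), int(m.group(3))
    if s.startswith("229"):
        m = _EPSV_RE.search(s)
        if not m:
            raise ValueError(f"malformed 229 reply: {line!r}")
        return None, int(m.group(1))
    raise ValueError(f"not a data-channel announcement: {line!r}")


def data_connection(line: str, client: str, server: str, control_port: int) -> DataConn:
    """Map one control-channel line to the TCP data connection it implies."""
    host, port = parse_endpoint(line)
    if line.lstrip().upper().startswith(("PORT ", "EPRT ")):
        # Active mode: the server connects out, from control_port - 1.
        return DataConn(server, control_port - 1, host, port, "out")
    # Passive mode: the client connects in, to the announced server port.
    return DataConn(client, None, host or server, port, "in")


def allowed_by_posted_rules(conn: DataConn) -> bool:
    """Without the ftp helper the first packet is NEW in either direction, so
    only the two posted rules that accept NEW can admit it."""
    if conn.direction == "out":   # OUTPUT --state NEW,ESTABLISHED --sports 9620,9720
        return conn.sport in DATA_PORTS and ip_address(conn.src) in SERVER_NET
    # INPUT --state NEW,ESTABLISHED --dports 9621,9721
    return conn.dport in CONTROL_PORTS and ip_address(conn.dst) in SERVER_NET


# Constructed control-channel excerpts; client 10.0.0.5 is made up, the
# server address and control port come from the posted rules.
CLIENT, SERVER, CONTROL_PORT = "10.0.0.5", "62.75.128.98", 9621
SAMPLE_SESSION = [
    "PORT 10,0,0,5,195,88",                              # active: 195*256+88
    "EPRT |1|10.0.0.5|50009|",                           # active, RFC 2428 form
    "227 Entering Passive Mode (62,75,128,98,170,5).",   # passive: 170*256+5
    "229 Entering Extended Passive Mode (|||43526|)",    # passive, RFC 2428 form
]


def analyse(lines=SAMPLE_SESSION):
    """Return [(line, DataConn, allowed_by_posted_rules)] per announcement."""
    result = []
    for line in lines:
        conn = data_connection(line, CLIENT, SERVER, CONTROL_PORT)
        result.append((line, conn, allowed_by_posted_rules(conn)))
    return result


if __name__ == "__main__":
    for line, conn, ok in analyse():
        print(f"{line:50} -> {conn.src}:{conn.sport} -> {conn.dst}:{conn.dport} "
              f"[{conn.direction}] {'ACCEPT' if ok else 'no matching ACCEPT'}")
```

Feed it the PORT and 227 lines from the capture instead of the constructed ones: the active-mode connections come out as server:9620 to the client's announced port and match the NEW OUTPUT rule, while every passive-mode connection lands on a server port outside 9621/9721 and matches nothing, which is the failure the reply predicts. When the kernel helper is loaded with ports=9621,9721, it performs this same parsing and marks the data connection RELATED, so a single `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule covers both modes without opening the ip_local_port_range to incoming connections.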
