[TriLUG] Curious VSFTP issue

Matt McGrievy mcgrievy at email.unc.edu
Thu Dec 8 12:12:14 EST 2005


I don't claim to be an iptables expert, but I had to deal with this 
issue not too long ago.

You have to tell iptables to let related and established connections 
through.  Joe already mentioned using ip_conntrack_ftp to keep track of 
ftp connections related to existing port 21 sessions, but to reiterate, 
add the following to /etc/sysconfig/iptables-config (in RHEL 3.0):

IPTABLES_MODULES="ip_conntrack_ftp"

...then make sure you have this iptables rule:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I believe you could tighten things up by adding port 21 as the 
destination above.  When you restart iptables, it should tell you it's 
loading the ip_conntrack_ftp module and let passive ftp through properly.

-Matt

Matt Pusateri wrote:
> On a related note, I am not an iptables guru :(  What rules do I have
> to add to let passive FTP in?  Do I just have to allow whatever high
> port range I have specified in my ftp config?
> 
> Matt P.
> 
> On Wed, December 7, 2005 5:32 pm, Dave Sorenson wrote:
> 
>>I'd agree except for the observation it was still not working when I
>>turned off the firewall entirely to make sure it was not a firewall
>>problem.
>>
>>Thanks for the thought though!
>>
>>Dave
>>
>>Joseph Mack NA3T wrote:
>>
>>>On Wed, 7 Dec 2005, Dave Sorenson wrote:
>>>
>>>>>>>>directory listing. I've tried both passive and active modes with
>>>>>>>>multiple FTP clients, scoured the vsftpd.conf, firewall is open on 20
>>>>>>>>and 21 (I even tried disabling the firewall briefly to make sure that
>>>>>>>>was not the problem) but no luck. Anyone ever see this before?
>>>
>>>VSFTP in active mode calls from a high (>1024) port rather than port
>>>20. This is to allow it to run without root privileges. Watch it with
>>>netcat.
>>>
>>>
>>>>>>Sounds like passive FTP not getting through the firewall.  Try doing a
>>>>>>'modprobe ip_conntrack_ftp' on the server, or seeing if you can force
>>>>>>your client to use active mode only.
>>>
>>>iptables "RELATED" knows about the calling port
>>>
>>>Joe
>>>
>>
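Added illustration, not part of the thread and not the kernel's own ip_conntrack_ftp code: a simplified Python model of what the FTP connection-tracking helper does for the RELATED rule above. It watches the port-21 control channel, records the data endpoint announced by a server 227 (PASV) reply or a client PORT command, and then answers whether a new data-connection SYN matches that announcement. The addresses, ports and control-channel lines are constructed; the strict "address must match the peer" check is a simplification of the helper's default behaviour, and source ports are ignored on purpose because, as Joe notes, vsftpd connects from a high port rather than port 20.

```python
import re
from dataclasses import dataclass, field

# Formats from RFC 959: "PORT h1,h2,h3,h4,p1,p2" (client, active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server, passive mode).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\b[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six comma-separated decimal fields into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("field out of range in FTP host-port string")
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


@dataclass
class FtpControlSession:
    """One tracked port-21 session and the data connections it has announced."""
    client_ip: str
    server_ip: str
    # (src_ip, dst_ip, dst_port) tuples the firewall should treat as RELATED
    expectations: list = field(default_factory=list)

    def observe_client(self, line: str) -> None:
        """Client -> server command. A PORT command announces an active-mode
        data connection that the *server* will open back to the client."""
        m = PORT_RE.match(line)
        if not m:
            return
        ip, port = decode_hostport(m.groups())
        # Strict matching (simplification): only the client's own address may
        # be announced, so the control channel cannot open holes to third parties.
        if ip != self.client_ip:
            raise ValueError(f"PORT names {ip}, not the client {self.client_ip}")
        self.expectations.append((self.server_ip, ip, port))

    def observe_server(self, line: str) -> None:
        """Server -> client reply. A 227 reply announces a passive-mode data
        connection that the *client* will open to the server."""
        m = PASV_RE.match(line)
        if not m:
            return
        ip, port = decode_hostport(m.groups())
        if ip != self.server_ip:
            raise ValueError(f"227 reply names {ip}, not the server {self.server_ip}")
        self.expectations.append((self.client_ip, ip, port))

    def is_related(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Decide whether a new TCP SYN matches a pending announcement. The
        source port is ignored: vsftpd in active mode connects from a high port
        rather than 20, and a passive-mode client uses any ephemeral port."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.remove(key)  # one data connection per announcement
            return True
        return False


def simulate():
    """Walk a constructed passive-mode and active-mode exchange and report which
    data-connection SYNs would be accepted as RELATED (hypothetical addresses)."""
    s = FtpControlSession(client_ip="10.0.0.5", server_ip="192.168.1.10")
    # Constructed control-channel traffic, not a real capture.
    s.observe_client("PASV")
    s.observe_server("227 Entering Passive Mode (192,168,1,10,195,89)")  # port 50009
    s.observe_client("PORT 10,0,0,5,4,1")                                # port 1025
    try:
        s.observe_client("PORT 10,0,0,99,0,80")   # third-party address: refused
        bounce_rejected = False
    except ValueError:
        bounce_rejected = True
    return {
        "passive_ok": s.is_related("10.0.0.5", "192.168.1.10", 50009),
        "passive_replay": s.is_related("10.0.0.5", "192.168.1.10", 50009),
        "active_ok": s.is_related("192.168.1.10", "10.0.0.5", 1025),
        "unrelated": s.is_related("10.0.0.5", "192.168.1.10", 2222),
        "bounce_rejected": bounce_rejected,
    }


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name}: {verdict}")
```

Without the helper loaded, the firewall sees only the data-connection SYN, which matches no existing session and is dropped; with it, the SYN toward the announced port is classified RELATED and passes the `--state ESTABLISHED,RELATED` rule, which is why Matt's two configuration lines go together.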