[TriLUG] Curious VSFTP issue

Matt Pusateri mpusateri at wickedtrails.com
Thu Dec 8 14:38:49 EST 2005


Yeah, that did it. For some reason I was thinking I had to explicitly
allow high ports for passive ftp in iptables, but it seems the
ip_conntrack_ftp in conjunction with the RELATED parameter works like
a charm.

Matt P.

On Thu, December 8, 2005 12:12 pm, Matt McGrievy wrote:
>
> I don't claim to be an iptables expert, but I had to deal with this
> issue not too long ago.
>
> You have to tell iptables to let related and established connections
> through.  Joe already mentioned using ip_conntrack_ftp to keep track of
> ftp connections related to existing port 21 sessions, but to reiterate,
> add the following to /etc/sysconfig/iptables-config (in RHEL 3.0):
>
> IPTABLES_MODULES="ip_conntrack_ftp"
>
> ...then make sure you have this iptables rule:
>
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I believe you could tighten things up by adding port 21 as the
> destination above.  When you restart iptables, it should tell you it's
> loading the ip_conntrack_ftp module and let passive ftp through
> properly.
>
> -Matt
>
> Matt Pusateri wrote:
>> On a related note, I am not an iptables guru :(  What rules do I have
>> to add to let passive FTP in?  Do I just have to allow whatever high
>> port range I have specified in my ftp config?
>>
>> Matt P.
>>
>> On Wed, December 7, 2005 5:32 pm, Dave Sorenson wrote:
>>
>>>I'd agree except for the observation it was still not working when I
>>>turned off the firewall entirely to make sure it was not a firewall
>>>problem.
>>>
>>>Thanks for the thought though!
>>>
>>>Dave
>>>
>>>Joseph Mack NA3T wrote:
>>>
>>>>On Wed, 7 Dec 2005, Dave Sorenson wrote:
>>>>
>>>>
>>>>>>>>>directory listing. I've tried both passive and active modes with
>>>>>>>>>multiple FTP clients, scoured the vsftpd.conf, firewall is open on 20
>>>>>>>>>and 21 (I even tried disabling the firewall briefly to make sure that
>>>>>>>>>was not the problem) but no luck. anyone ever see this before?
>>>>
>>>>VSFTP in active mode calls from a high (>1024) port rather than port
>>>>20. This is to allow it to run without root privileges. watch it with
>>>>netcat
>>>>
>>>>
>>>>>>>Sounds like passive FTP not getting through the firewall.  Try doing a
>>>>>>>'modprobe ip_conntrack_ftp' on the server, or seeing if you can force your
>>>>>>>client to use active mode only.
>>>>
>>>>iptables "RELATED" knows about the calling port
>>>>
>>>>Joe
>>>>
>>>
>>>--
>>>TriLUG mailing list        :
>>>http://www.trilug.org/mailman/listinfo/trilug
>>>TriLUG Organizational FAQ  : http://trilug.org/faq/
>>>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>>
>>
>>
>>
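A small script, added here and not written by anyone in the thread, that emits the rules Matt McGrievy describes (ESTABLISHED,RELATED plus NEW only to port 21), shows the wide-open passive-range rule for comparison, and checks whether the FTP conntrack helper is actually loaded. The chain name and the `-m state` syntax come from the thread; the module name nf_conntrack_ftp for current kernels and the `--apply` switch are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: minimal iptables INPUT rules for a
# vsftpd server, relying on the FTP conntrack helper so the passive data port
# range never has to be opened explicitly.
# Assumptions: chain name RH-Firewall-1-INPUT as in the thread; on current
# kernels the helper module is nf_conntrack_ftp (ip_conntrack_ftp on the
# 2005-era RHEL 3 kernel discussed); -m state is the match the thread shows
# (-m conntrack --ctstate is its modern spelling).

CHAIN="${CHAIN:-RH-Firewall-1-INPUT}"

# Emit the rules as iptables-save style lines. Only port 21 is opened for NEW
# connections; passive data connections arrive as RELATED because the helper
# parsed the PASV reply on the control channel.
ftp_rules() {
    chain="$1"
    printf '%s\n' \
      "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "-A $chain -p tcp --dport 21 -m state --state NEW -j ACCEPT" \
      "-A $chain -j REJECT --reject-with icmp-host-prohibited"
}

# The approach the thread moves away from: opening the whole
# pasv_min_port..pasv_max_port range from vsftpd.conf to anyone, whether or
# not a control session exists. Shown for comparison only.
range_rule() {
    printf -- '-A %s -p tcp --dport %s:%s -m state --state NEW -j ACCEPT\n' "$1" "$2" "$3"
}

# Print the helper module present on this kernel; prints nothing and fails
# when neither is loaded, which is the symptom described in the thread.
helper_loaded() {
    for m in nf_conntrack_ftp ip_conntrack_ftp; do
        [ -d "/sys/module/$m" ] && { echo "$m"; return 0; }
    done
    return 1
}

# Apply only when explicitly asked: this needs root and changes the firewall.
if [ "$1" = "--apply" ]; then
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    ftp_rules "$CHAIN" | while read -r rule; do
        # shellcheck disable=SC2086
        iptables $rule
    done
    helper_loaded >/dev/null || echo "warning: FTP helper not loaded; passive data ports will be rejected" >&2
fi
```

Run without arguments it only prints nothing and defines the functions; `sh script.sh --apply` as root loads the helper and installs the three rules, then warns if no helper module is present.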