From: Jonas Meurer <jonas@freesources.org>
To: netfilter@lists.netfilter.org
Subject: Re: how to set ports for ip_conntrack_ftp
Date: Sun, 3 Sep 2006 18:29:26 +0200
Message-ID: <20060903162926.GA4573@freesources.org>
In-Reply-To: <44F9A071.7070603@plouf.fr.eu.org>

On 02/09/2006 Pascal Hambourg wrote:
> >>>>What do the "-d **.**.***.**/31" address ranges represent?
> >
> >the ftp servers listen on both ips. so both are server addresses.
> >
> >do you think that i should change the "-d ..." at -A OUTPUT to "-s ..."?
> 
> Obviously yes. I just wonder how these rules could accept the control 
> connection, as they did not accept the return packets from the server.

i guess that it was a typo in my previous mail. the rules on the server
used -s for -A OUTPUT all the time.

> [...]
> >i would like to support both active and passive mode.
> 
> To allow active mode you'll have to perform two actions:
> 
> 1) Look into your FTP server configuration for an option named "passive 
> mode local port range" or the like. You must define a port range that is 
> not likely to be used by other local processes (so for example don't 
> overlap /proc/sys/net/ipv4/ip_local_port_range). The number of ports in 
> the interval must be big enough for the expected maximum number of 
> simultaneous data connections from FTP clients.

this is a big problem, as the ftp-server does not seem to support any
other configuration than ip and port to listen on. it's the internal
zope ftp-server (Medusa Async V1.23 [experimental]).

> 2) Set iptables rules in INPUT and OUTPUT which allow incoming TCP 
> connections to the port range you defined in the previous step.
> 
> [...]
> 
> I guess your ruleset does not allow incoming TCP connections to the port 
> 46316, so the data connection fails. Don't bother to allow this port, as 
> it is dynamic and a different one is chosen by the server for each 
> passive data connection.
> 
> [...]
> 
> That's probably the effect of the -d option in the second OUTPUT rule. 
> The server tries to open a data connection to the TCP port 50547 of 
> 192.168.3.34, but this destination address doesn't match the -d option. 
> Try to change -d to -s. Check also that there is no packet filter on the 
> client which may block FTP data connections.

now i used the following rules:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED \
  -m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED \
  -m multiport -p tcp --sports 9621,9721 -s 62.75.128.98/31 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED \
  -m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED \
  -m multiport -p tcp --sports 9620,9720 -s 62.75.128.98/31 -j ACCEPT

unfortunately i still get the same result, both with passive and active
ftp.
i understand why passive ftp doesn't work; the ports are simply not open
for the passive connection. but why does active ftp still not work? i
tried from different servers without firewall and without a nat router,
so the client cannot be the problem at all.

do you have any further suggestions?

it would be great to get at least active ftp working.

...
 jonas
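The ruleset Pascal's advice points towards, written out as an added example that is not part of the thread: instead of opening data ports one by one, the ip_conntrack_ftp helper is told which control ports to watch (the thread's 9621 and 9721) and the data connections of both active and passive mode are then accepted as RELATED/ESTABLISHED. It assumes the 2.6-era module name ip_conntrack_ftp with its "ports=" option and a default DROP policy on INPUT and OUTPUT; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread: a ruleset for an FTP server listening on
# non-standard control ports (9621 and 9721, as in the thread) that relies on
# the ip_conntrack_ftp helper instead of opening data ports by hand.
# Assumptions: 2.6-era module name ip_conntrack_ftp with its "ports=" option,
# a default DROP policy on INPUT/OUTPUT, and rules are only printed unless
# APPLY=1 is set in the environment.

FTP_PORTS="9621,9721"        # control ports (from the thread)
SERVER_IP="62.75.128.98/31"  # server addresses (from the thread)
IFACE="eth0"

# Print a command, or run it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

ftp_ruleset() {
    # The helper only parses PORT/PASV on port 21 unless told otherwise, so it
    # never learns the data ports negotiated on 9621/9721 without this.
    emit modprobe ip_conntrack_ftp ports="$FTP_PORTS"

    # Control connection: new and established packets in, established out.
    emit iptables -A INPUT -i "$IFACE" -p tcp -m multiport --dports "$FTP_PORTS" \
        -d "$SERVER_IP" -m state --state NEW,ESTABLISHED -j ACCEPT
    emit iptables -A OUTPUT -o "$IFACE" -p tcp -m multiport --sports "$FTP_PORTS" \
        -s "$SERVER_IP" -m state --state ESTABLISHED -j ACCEPT

    # Data connections: the helper marks the first packet RELATED, whether the
    # server connects out (active, from port 9620/9720) or the client connects
    # in (passive, to a dynamic port); later packets are ESTABLISHED. No fixed
    # data-port rules are needed, so nothing else is opened.
    emit iptables -A INPUT -i "$IFACE" -p tcp -d "$SERVER_IP" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    emit iptables -A OUTPUT -o "$IFACE" -p tcp -s "$SERVER_IP" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
}

ftp_ruleset
```

Whether a data connection was actually picked up by the helper can be checked afterwards in /proc/net/ip_conntrack, where the expected data flow appears alongside the control connection.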

