From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: how to set ports for ip_conntrack_ftp
Date: Sun, 03 Sep 2006 19:35:36 +0200	[thread overview]
Message-ID: <44FB1268.4000102@plouf.fr.eu.org> (raw)
In-Reply-To: <20060903162926.GA4573@freesources.org>

Jonas Meurer wrote:
>>
>>>i would like to support both active and passive mode.
>>
>>To allow active mode you'll have to perform two actions:
[...]

I meant "passive", of course.

> This is a big problem, as the FTP server does not seem to support any
> other configuration than IP and port to listen on. It's the internal
> Zope FTP server (Medusa Async V1.23 [experimental]).

Well, so I'm afraid that you have to forget about passive mode, unless 
you allow incoming connections to the whole port range defined in 
/proc/sys/net/ipv4/ip_local_port_range. I guess it is not what you want.

> Now I used the following rules:
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED \
>   -m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED \
>   -m multiport -p tcp --sports 9621,9721 -s 62.75.128.98/31 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED \
>   -m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED \
>   -m multiport -p tcp --sports 9620,9720 -s 62.75.128.98/31 -j ACCEPT
> 
> Unfortunately I still get the same result, both with passive and active
> FTP.
> I understand why passive FTP doesn't work: the ports are simply not open
> for the passive connection. But why does active FTP still not work? I
> tried from different servers without a firewall and without a NAT router,
> so the client cannot be the problem at all.
> 
> Do you have any further suggestions?

Run a packet sniffer on the server, start a local FTP session in active 
mode, watch the traffic and check that the data connection uses port 
9620/9621 as expected.

Run a packet sniffer on both the client and the server and watch the FTP 
session.

If acceptable, try to allow by address any traffic between your client 
and the server.

I noticed that your client had a private IP address 192.168.x.x. Is 
there a NAT device between the client and the server? If yes, is this 
NAT device aware that you do FTP on non-standard ports?

What is the delay between the two following lines during a LIST attempt 
in active mode:

> <--- 150 Opening ASCII mode data connection for file list
> <--- 426 Connection closed; transfer aborted

No delay ?
Some delay ?
Hang until you abort ?
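As an added illustration (my own code, not from this thread or from the kernel), this is the control-channel parsing that ip_conntrack_ftp relies on: it reads a PORT command or a 227 reply from constructed sample lines, derives the data connection each one announces, and checks it against the fixed server-port list from the quoted rules and against an assumed ip_local_port_range of 32768-61000. Active mode lands on port 9620 and passes; passive mode lands on an ephemeral port and does not.

```python
import re

# Constructed FTP control-channel lines (not from the thread), in the two
# formats the conntrack FTP helper must parse to learn the data connection.
ACTIVE_LINE = "PORT 192,168,1,10,4,1"                              # client -> server
PASSIVE_LINE = "227 Entering Passive Mode (62,75,128,98,128,57)"  # server -> client

SERVER_IP, CLIENT_IP, CTRL_PORT = "62.75.128.98", "192.168.1.10", 9621
STATIC_SERVER_PORTS = {9620, 9621}   # the fixed list used in the quoted rules
LOCAL_PORT_RANGE = (32768, 61000)    # assumed ip_local_port_range of that era

_HOST_PORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _HOST_PORT + r"\s*$")
PASV_RE = re.compile(r"^227 .*\(" + _HOST_PORT + r"\)")

def parse_endpoint(line):
    """Return the (ip, port) announced by a PORT command or a 227 reply, else None."""
    m = PORT_RE.match(line) or PASV_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed: every field is a single byte
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def expected_data_connection(line):
    """Describe the data connection the firewall must admit, the way the
    helper records an 'expectation' for it: mode, source and destination."""
    ep = parse_endpoint(line)
    if ep is None:
        return None
    if line.startswith("PORT"):
        # Active mode: the server opens the data connection from ctrl_port-1
        # (9620 here) to the address and port the client announced.
        return {"mode": "active", "src": (SERVER_IP, CTRL_PORT - 1), "dst": ep}
    # Passive mode: the client connects to the port the server announced,
    # which the server took from ip_local_port_range, not from a fixed list.
    return {"mode": "passive", "src": (CLIENT_IP, None), "dst": ep}

def server_port(conn):
    """The server-side port of the data connection (what the rules match on)."""
    return conn["src"][1] if conn["mode"] == "active" else conn["dst"][1]

def static_rules_admit(conn):
    """Does a rule set listing only fixed server ports admit this data connection?"""
    return server_port(conn) in STATIC_SERVER_PORTS

def port_range_admits(conn, lo=LOCAL_PORT_RANGE[0], hi=LOCAL_PORT_RANGE[1]):
    """Does opening the whole ip_local_port_range admit it (the workaround above)?"""
    return lo <= server_port(conn) <= hi
```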

