FTP problems on ports other than 21

FTP problems on ports other than 21

[Yannick Cayer]

[-- Attachment #1: Type: text/plain, Size: 397 bytes --]

Greetings,
 
I am usning iptables for my firewall (been 3 years now) and  I am
getting the following issue:
 
I have several customer FTP sites hosted on ports other than 21 (ex:
2001, 2002, 2003 and so on)
 
 
Right now, the only way they can work properly is if I open ports 1024
to 8000 for that machines so the ftp return ports are able to connect.
 
How can I change this?
 
 

[-- Attachment #2: Type: text/html, Size: 1656 bytes --]

RE: FTP problems on ports other than 21

[Rob Sterenborg]

> I have several customer FTP sites hosted on ports other than 
> 21 (ex: 2001, 2002, 2003 and so on)
>  
>  
> Right now, the only way they can work properly is if I open 
> ports 1024 to 8000 for that machines so the ftp return ports 
> are able to connect.

You would need virtual hosting I suppose, this is not a netfilter thing.

Reading this, you can not use name-based virtual hosting with ftp :
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Vhost.ht
ml

It says this :

-------------
The definition of the File Transfer Protocol, unfortunately, does not
(currently) support name-based virtual hosts, as HTTP1.1 supports.
....
The bottom line is that ProFTPD does not support name-based virtual
hosts; not because they are not implemented, but simply because the
protocol itself does not support them. 
-------------

So, the only way to virtual host would be if you have multiple public
IP's on which you run a ftp-site.


Gr,
Rob

Re: FTP problems on ports other than 21

[Julian Gomez]

On Tue, Jul 27, 2004 at 06:55:26AM +0200, Rob Sterenborg spoke thusly:
>> I have several customer FTP sites hosted on ports other than 
>> 21 (ex: 2001, 2002, 2003 and so on)
>>  
>>  
>> Right now, the only way they can work properly is if I open ports
>> 1024 to 8000 for that machines so the ftp return ports are able to
>> connect.
>
>You would need virtual hosting I suppose, this is not a netfilter
>thing.
>
>Reading this, you can not use name-based virtual hosting with ftp :
>http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-Vhost.ht
>ml

If what you want is for conntrack to be able to track ftp data ports,
but where the control channel is not on tcp/21, the modules support
arguments upon loading. `modinfo ip_conntrack_ftp` might help, also
search the mailing list archives.

Its been discussed before, enjoy.

Re: FTP problems on ports other than 21

[Ashutosh]

> If what you want is for conntrack to be able to track ftp data ports,
> but where the control channel is not on tcp/21, the modules support
> arguments upon loading.

Specify all the ports as Additional Module Parameters..

#ifdef MODULE_PARM
MODULE_PARM(ports, "1-" __MODULE_STRING(MAX_PORTS) "i");
#endif

At this moment, MAX_PORTS = 8, I guess.

This will ensure that ur connection tracking and NAT modules will be 
called for all those ports

-- 
Ashutosh Naik
Teneoris Networks India Pvt. Ltd.