Yeah, that did it. For some reason I was thinking I had to explicitly allow high ports for passive ftp in iptables, but it seems the ip_conntrack_ftp in conjunction with the RELATED parameter works like a charm.

Matt P.

On Thu, December 8, 2005 12:12 pm, Matt McGrievy wrote:
>
> I don't claim to be an iptables expert, but I had to deal with this
> issue not too long ago.
>
> You have to tell iptables to let related and established connections
> through. Joe already mentioned using ip_conntrack_ftp to keep track of
> ftp connections related to existing port 21 sessions, but to reiterate,
> add the following to /etc/sysconfig/iptables-config (in RHEL 3.0):
>
> IPTABLES_MODULES="ip_conntrack_ftp"
>
> ...then make sure you have this iptables rule:
>
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I believe you could tighten things up by adding port 21 as the
> destination above. When you restart iptables, it should tell you it's
> loading the ip_conntrack_ftp module and let passive ftp through
> properly.
>
> -Matt
>
> Matt Pusateri wrote:
>> On a related note, I am not an IP tables guru :( What rules do I have
>> to add to let passive FTP in. Do I just have to allow whatever high
>> port range I have specified in my ftp config?
>>
>> Matt P.
>>
>> On Wed, December 7, 2005 5:32 pm, Dave Sorenson wrote:
>>
>>> I'd agree except for the observation it was still not working when I
>>> turned off the firewall entirely to make sure it was not a firewall
>>> problem.
>>>
>>> Thanks for the thought though!
>>>
>>> Dave
>>>
>>> Joseph Mack NA3T wrote:
>>>
>>>> On Wed, 7 Dec 2005, Dave Sorenson wrote:
>>>>
>>>>>>>>> directory listing. I've tried both passive and active modes with
>>>>>>>>> multiple FTP clients, scoured the vsftpd.conf, firewall is open on 20
>>>>>>>>> and 21 (I even tried disabling the firewall briefly to make sure that
>>>>>>>>> was not the problem) but no luck. anyone ever see this before?
>>>>
>>>> VSFTP in active mode calls from a high (>1024) port rather than port
>>>> 20. This is to allow it to run without root privileges. watch it with
>>>> netcat
>>>>
>>>>>>> Sounds like passive FTP not getting through the firewall. Try doing a
>>>>>>> 'modprobe ip_conntrack_ftp' on the server, or seeing if you can force your
>>>>>>> client to use active mode only.
>>>>
>>>> iptables "RELATED" knows about the calling port
>>>>
>>>> Joe
>>>>

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
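Added example, not from the thread or any of the TriLUG posters: a small Python audit of an iptables-save dump and iptables-config for the prerequisites Matt describes (FTP conntrack helper listed, ESTABLISHED,RELATED ACCEPT present). It assumes the RHEL 3 chain name RH-Firewall-1-INPUT and constructed sample input, and goes one step beyond the thread by checking rule order: a RELATED rule placed after the chain's catch-all REJECT is never evaluated.

```python
"""Audit an iptables-save dump plus /etc/sysconfig/iptables-config for the
passive-FTP prerequisites from the thread: FTP conntrack helper configured,
and an ESTABLISHED,RELATED ACCEPT placed before the chain's catch-all REJECT."""
import re

FTP_HELPERS = {"ip_conntrack_ftp", "nf_conntrack_ftp"}  # RHEL 3 era / newer kernels
MATCH_OPTS = {"-p", "-s", "-d", "-i", "--dport", "--sport", "--state", "--ctstate"}

def helper_configured(config_text):
    """True if IPTABLES_MODULES in iptables-config names an FTP conntrack helper."""
    for line in config_text.splitlines():
        m = re.match(r'\s*IPTABLES_MODULES=(.*)', line)
        if m:
            return bool(set(m.group(1).strip().strip('"\'').split()) & FTP_HELPERS)
    return False

def audit_chain(rules_text, chain="RH-Firewall-1-INPUT"):
    """Walk the chain in iptables-save order and stop at the first catch-all
    REJECT/DROP: a RELATED rule placed after it is never evaluated."""
    found = {"related_ok": False, "ftp_control_ok": False}
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain]:
            continue
        target = tok[tok.index("-j") + 1] if "-j" in tok else None
        states = set()
        for flag in ("--state", "--ctstate"):
            if flag in tok:
                states |= set(tok[tok.index(flag) + 1].split(","))
        dport = tok[tok.index("--dport") + 1] if "--dport" in tok else None
        if target == "ACCEPT" and {"ESTABLISHED", "RELATED"} <= states:
            found["related_ok"] = True       # passive data connections ride on this
        if target == "ACCEPT" and dport in ("21", "ftp"):
            found["ftp_control_ok"] = True   # the control connection to port 21
        if target in ("REJECT", "DROP") and not MATCH_OPTS & set(tok):
            break                            # catch-all: rules after this are dead
    return found

# Constructed sample inputs modelled on the RHEL 3 layout discussed in the thread.
SAMPLE_CONFIG = 'IPTABLES_MODULES="ip_conntrack_ftp"\n'
SAMPLE_RULES = """\
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
if __name__ == "__main__":
    report = dict(audit_chain(SAMPLE_RULES), helper_ok=helper_configured(SAMPLE_CONFIG))
    print(report)
```

On a live box, feed it the output of `iptables-save` and the contents of /etc/sysconfig/iptables-config instead of the sample strings.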
