allowing passive FTP from the outside

Felipe Alfaro Solana lkml at mac.com
Sat Apr 2 10:23:58 UTC 2005


On 2 Apr 2005, at 11:23, Justin Zygmont wrote:

> I have just run into a new problem with setting up an FTP server.  All
> I am trying to do is allow FTP access to the server from the outside.
> When I try to login, and type ls, it reports:
>
> ftp: connect: no route to host

The problem is that your firewall is chopping out traffic sent to your 
local port 20/TCP, which is the FTP data channel used by the FTP DATA 
command (used by the LS command, the GET command and so on). See below.

> I know the problem is because of a nonexistent iptables rule, I'm just at
> a loss as to what the missing rules should look like.  The only thing
> that is different in this case is that I need to use port 221 for FTP
> instead of 21, and I don't see why this should require special
> routing. ftp_conntrack modules are loaded.  This is the relevant part
> of my current firewall script.
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [24:1341]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 221 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> :OUTPUT ACCEPT [1:72]
> -A POSTROUTING -o eth0 -j MASQUERADE

First of all:

1. Did you "modprobe ip_conntrack_ftp" in the first place? It's required 
since you are using --state RELATED and FTP, and FTP uses two ports: 21 
control channel, and 20 data channel.

2. I think the "ip_conntrack_ftp" module only works reliably when 
the FTP data channel is listening on 21/TCP. In your case, you're using 
221/TCP so I think you'll also need to open up explicitly port 20/TCP to 
the world.
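Added example, not code from either poster: a small generator for the iptables rules a passive-mode FTP server on a non-standard control port needs, which is the situation in this thread. It assumes the helper module is ip_conntrack_ftp (the 2.6-era name used above; current kernels call it nf_conntrack_ftp, with the same ports= option) and, if a passive range is given, that the FTP daemon has been configured to use that range.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the iptables rules for an FTP
# server whose control channel listens on a non-standard port (221 in the
# thread) and serves passive-mode data connections from outside.
# Assumptions: helper module ip_conntrack_ftp (nf_conntrack_ftp on current
# kernels, same ports= option); if a passive range is given, the daemon is
# configured to hand out ports only from that range.

ftp_rules() {
    ctrl_port=$1   # FTP control port (221 in the thread, 21 by default)
    pasv_min=$2    # optional: lowest passive data port the daemon hands out
    pasv_max=$3    # optional: highest passive data port the daemon hands out
    cat <<EOF
# The helper only inspects 21/TCP unless told otherwise, so with the control
# channel on ${ctrl_port} the PASV reply is never seen, the data connection
# stays NEW, and the final REJECT (icmp-host-prohibited) is what the client
# reports as "no route to host".
modprobe ip_conntrack_ftp ports=21,${ctrl_port}
# Kernels 4.7 and later no longer attach helpers automatically; bind it here.
iptables -t raw -A PREROUTING -p tcp --dport ${ctrl_port} -j CT --helper ftp
# Control channel: accept new connections to the FTP control port.
iptables -A INPUT -p tcp -m state --state NEW --dport ${ctrl_port} -j ACCEPT
# Data channel: the helper marks the passive connection RELATED to the control one.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
    if [ -n "$pasv_min" ]; then
        cat <<EOF
# Only if the helper cannot be used: pin the daemon to a fixed passive range
# and open just that range rather than every unprivileged port.
iptables -A INPUT -p tcp -m state --state NEW --dport ${pasv_min}:${pasv_max} -j ACCEPT
EOF
    fi
}

# Review the output before running it, e.g.: ftp_rules 221 50000 50100 | sh
ftp_rules 221 50000 50100
```

The rules are printed rather than applied so they can be checked against the existing script first; the helper rules make the explicit 20/TCP opening unnecessary for passive mode, since the data connection is then matched by the RELATED,ESTABLISHED rule already present.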

More information about the fedora-list mailing list