allowing passive FTP from the outside
Felipe Alfaro Solana
lkml at mac.com
Sat Apr 2 10:23:58 UTC 2005
On 2 Apr 2005, at 11:23, Justin Zygmont wrote:
> I have just run into a new problem with setting up an FTP server. All
> I am trying to do is allow FTP access to the server from the outside.
> When
> I try to login, and type ls, it reports:
>
> ftp: connect: no route to host
The problem is that your firewall is chopping out traffic sent to your
local port 20/TCP, which is the FTP data channel used by the FTP DATA
command (used by the LS command, the GET command and so on). See below.
> I know the problem is because a nonexistent iptables rule, i'm just at
> a
> loss as to what the missing rules should look like. The only thing
> that is different in this case is that I need to use port 221 for FTP
> instead of 21, and I don't see why this should require special
> routing. ftp_conntrack modules are loaded. This is the relevant part
> of my current firewall script.
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [24:1341]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo
> -j ACCEPT -A INPUT -i eth1 -j ACCEPT -A INPUT -p icmp -m icmp
> --icmp-type any -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp
> --dport 221 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp
> --dport 22 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp
> --dport 23 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp
> --dport 25 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp
> --dport 8080 -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp
> --dport 443 -j ACCEPT -A INPUT -j REJECT --reject-with
> icmp-host-prohibited :OUTPUT ACCEPT [1:72]
> -A POSTROUTING -o eth0 -j MASQUERADE
First of all:
1. Did you "modprobe ip_conntrack_ftp" in first place? It's required
since you are using --state RELATED and FTP, and FTP uses two ports: 21
control channel, and 20 data channel.
2. I think they "ip_conntrack_ftp" module does only work realiably when
the FTP data channel is listening on 21/TCP. In your case, you're using
221/TCP so I think you'll also need to open up explictly port 20/TCP to
the world.
More information about the fedora-list
mailing list