allowing passive FTP from the outside
Aleksandar Milivojevic
amilivojevic at pbl.ca
Mon Apr 4 18:34:05 UTC 2005
Justin Zygmont wrote:
> I know the problem is because a nonexistent iptables rule, i'm just at a
> loss as to what the missing rules should look like. The only thing that
> is different in this case is that I need to use port 221 for FTP instead
> of 21, and I don't see why this should require special routing.
> ftp_conntrack modules are loaded. This is the relevant part of my
> current firewall script.
Since you are using a non-standard port, you need to tell the connection
tracking and NAT modules which ports they need to watch (by default, they
watch only port 21):
# modprobe ip_conntrack_ftp ports=21,221
Depending on your network configuration, you may or may not need
additional ports for ip_nat_ftp. If you are running the ftp server on your
NAT-ing firewall (as appears to be the case), you don't need it,
since no NAT-ing is occurring for incoming traffic. If your FTP server
is behind the firewall (DNAT), then you would need to instruct
ip_nat_ftp about the changed port too.
In case you need it, here's the line:
# modprobe ip_nat_ftp ports=21,221
Make sure you first load ip_conntrack_ftp (since ip_nat_ftp would cause
ip_conntrack_ftp to be autoloaded, probably with the default port number).
Note that you'll need to unload those two modules prior to doing
modprobe (if they were already loaded).
--
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                              1499 Buffalo Place
Tel: (204) 474-2323 ext 276                        Winnipeg, MB R3T 1L7
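The reload procedure described in the reply above (unload both helpers, load ip_conntrack_ftp with the extra port first, then ip_nat_ftp only in the DNAT case), written out as a script. This is an added example, not code from the thread or from the kernel; it uses the 2.6-era module names quoted in the post (ip_conntrack_ftp, ip_nat_ftp), overridable through the CT_MOD and NAT_MOD environment variables for kernels that name them nf_conntrack_ftp and nf_nat_ftp. The sysfs path /sys/module/<mod>/parameters/ports used to read back the loaded port list, and the limit of 8 ports in the helper's `ports=` array, are assumptions stated here and in the comments. The `plan` mode only prints the commands; `apply` runs them and needs root.

```shell
#!/bin/sh
# reload_ftp_helpers.sh: (re)load the kernel FTP helpers so they track a
# non-standard control port (221) as well as 21, in the order the reply
# describes: unload both, load the conntrack helper with the port list,
# then the NAT helper, so the NAT helper cannot autoload the conntrack
# helper with its default port. Added example; not code from the thread.

# Module names as used in the thread (2.6-era). Newer kernels call them
# nf_conntrack_ftp / nf_nat_ftp; override through the environment.
CT_MOD="${CT_MOD:-ip_conntrack_ftp}"
NAT_MOD="${NAT_MOD:-ip_nat_ftp}"

# validate_ports LIST: accept a comma-separated list of TCP ports (1-65535),
# at most 8 entries (assumed size of the helper's ports= array). Rejecting a
# bad list here avoids unloading the helpers and then failing on modprobe.
validate_ports() {
    list="$1"
    [ -n "$list" ] || return 1
    case "$list" in ,*|*,|*,,*) return 1 ;; esac
    old_ifs="$IFS"; IFS=','
    set -- $list
    IFS="$old_ifs"
    [ "$#" -ge 1 ] && [ "$#" -le 8 ] || return 1
    for p in "$@"; do
        case "$p" in ''|*[!0-9]*|??????*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# helper_plan LIST WITH_NAT: print, one per line, the commands to run.
# WITH_NAT=1 for an FTP server behind the firewall (DNAT case), 0 when the
# server runs on the firewall itself and ip_nat_ftp is not needed.
# Each rmmod is guarded so the plan is safe when a module is not loaded.
helper_plan() {
    list="$1" with_nat="$2"
    validate_ports "$list" || { echo "helper_plan: bad port list '$list'" >&2; return 1; }
    if [ "$with_nat" = 1 ]; then
        echo "! grep -q '^$NAT_MOD ' /proc/modules || rmmod $NAT_MOD"
    fi
    echo "! grep -q '^$CT_MOD ' /proc/modules || rmmod $CT_MOD"
    echo "modprobe $CT_MOD ports=$list"
    if [ "$with_nat" = 1 ]; then
        echo "modprobe $NAT_MOD ports=$list"
    fi
    return 0
}

# helper_state MOD: print the port list the loaded module was given, read
# from sysfs (assumed path); prints nothing if the module is not loaded.
helper_state() {
    f="/sys/module/$1/parameters/ports"
    [ -r "$f" ] && cat "$f"
    return 0
}

# apply_plan LIST WITH_NAT: execute the plan (root required), then read back
# the port list so a silently autoloaded default (21 only) is noticed.
apply_plan() {
    helper_plan "$1" "$2" | sh -e || return 1
    echo "$CT_MOD ports: $(helper_state "$CT_MOD")"
}

if [ "$#" -gt 0 ]; then
    case "$1" in
        plan)  helper_plan "${2:-21,221}" "${3:-0}" ;;
        apply) apply_plan "${2:-21,221}" "${3:-0}" ;;
        *)     echo "usage: $0 plan|apply [ports] [with_nat 0|1]" >&2 ;;
    esac
fi
```

Run `sh reload_ftp_helpers.sh plan 21,221 1` to see the command sequence for the DNAT case, and `apply` as root to perform it. The helper only marks the passive data connection as RELATED; the firewall script must still accept RELATED,ESTABLISHED traffic on the inbound chain, which is the rule Justin's message says is missing.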