Re: allowing passive FTP from the outside
- From: Felipe Alfaro Solana <lkml mac com>
- To: For users of Fedora Core releases <fedora-list redhat com>
- Subject: Re: allowing passive FTP from the outside
- Date: Sat, 2 Apr 2005 12:23:58 +0200
On 2 Apr 2005, at 11:23, Justin Zygmont wrote:
> I have just run into a new problem with setting up an FTP server. All
> I am trying to do is allow FTP access to the server from the outside. When
> I try to login, and type ls, it reports:
>
> ftp: connect: no route to host
The problem is that your firewall is chopping out traffic sent to your
local port 20/TCP, which is the FTP data channel used by the FTP DATA
command (used by the LS command, the GET command and so on). See below.
> I know the problem is because of a nonexistent iptables rule, I'm just at a
> loss as to what the missing rules should look like. The only thing
> that is different in this case is that I need to use port 221 for FTP
> instead of 21, and I don't see why this should require special
> routing. ftp_conntrack modules are loaded. This is the relevant part
> of my current firewall script.
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [24:1341]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -i eth1 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 221 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> :OUTPUT ACCEPT [1:72]
> -A POSTROUTING -o eth0 -j MASQUERADE
First of all:
1. Did you "modprobe ip_conntrack_ftp" in the first place? It's required
since you are using --state RELATED and FTP, and FTP uses two ports: 21
for the control channel, and 20 for the data channel.
2. I think the "ip_conntrack_ftp" module only works reliably when
the FTP data channel is listening on 21/TCP. In your case, you're using
221/TCP so I think you'll also need to open up port 20/TCP explicitly to
the world.
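To make the failure mode concrete, here is an added example (my own code, not from either poster): a small evaluator that walks Justin's INPUT chain, one rule per line, against a simulated passive-mode data connection arriving from outside. The conntrack state is modelled by hand, since the ftp helper only flags a data connection as RELATED when it was watching the control connection it was negotiated on, and it watches port 21 unless told about other ports via its ports= module parameter; the outside interface name eth0 and the data port 40123 are assumptions.

```python
import shlex

# Justin's INPUT chain, re-typed one rule per line (constructed copy, trimmed).
INPUT_CHAIN = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 221 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rule(line):
    """Turn one iptables-save line into ({match: value}, target)."""
    toks, matches, target, i = shlex.split(line), {}, None, 0
    while i < len(toks):
        if toks[i] == "-j":
            target = toks[i + 1]
            i += 2
        elif toks[i] in ("-i", "-p", "--dport", "--state", "--icmp-type"):
            matches[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1  # "-A INPUT", "-m state", "-m tcp" carry no condition
    return matches, target

def verdict(pkt, chain=INPUT_CHAIN):
    """First rule whose conditions all hold decides; the chain policy is ACCEPT."""
    for line in chain.strip().splitlines():
        m, target = parse_rule(line)
        if "-i" in m and m["-i"] != pkt["iface"]:
            continue
        if "-p" in m and m["-p"] != pkt["proto"]:
            continue
        if "--dport" in m and int(m["--dport"]) != pkt["dport"]:
            continue
        if "--state" in m and pkt["state"] not in m["--state"].split(","):
            continue
        return target
    return "ACCEPT"

def passive_data_verdict(control_port, helper_ports=(21,)):
    """Outside client opens the high port named in the server's PASV reply.
    conntrack flags that SYN as RELATED only if the ftp helper was watching
    the control port; helper_ports models which ports it watches (assumed)."""
    state = "RELATED" if control_port in helper_ports else "NEW"
    pkt = {"iface": "eth0", "proto": "tcp", "dport": 40123, "state": state}
    return verdict(pkt)
```

With the control channel on 221 and the helper left at its default, the data SYN is NEW, falls through to the REJECT rule, and the client sees the icmp-host-prohibited as "no route to host"; the same packet is RELATED and accepted once the helper tracks 221.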