ftp slow with iptables

Robert Nichols rnichols42 at comcast.net
Mon Feb 21 05:18:23 UTC 2005


Troyston Campano wrote:

> On my FC3 machine I run a FTP server (vsftpd). I also run a firewall 
> (iptables).
> 
> I add a rule to my /etc/sysconfig/iptables file:
> 
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j 
> ACCEPT 
> 
>  From my Windows box, I use WS_FTP to connect and all is well….except 
> for the speed of connection. When I turn the firewall off, I can connect 
> within milliseconds. However, when I turn the firewall on it can still 
> connect but it can take up to 20 seconds to make a connection and give 
> my directory listing.

It sounds like WS_FTP is initially trying passive-mode FTP, in which the
server tells the client a port number (not port 20 or 21) to use for the
data connection.  This port number is unknown to your firewall, and it
does not allow the connection.  The FTP client eventually times out and
tries active-mode FTP, in which the _server_ initiates the data
connection, and this works.

You need to install a connection tracking module that knows how to look
inside FTP control packets and find the port number to be used.  Try
running this command (as root):

            modprobe ip_conntrack_ftp

If that solves your problem, you can make the change permanent by
editing /etc/sysconfig/iptables-config .  Near the top, you'll find
a line:

            IPTABLES_MODULES=""

Change this to read:

            IPTABLES_MODULES="ip_conntrack_ftp"

Now the needed module will be installed whenever the iptables
service is started.

There are other solutions:
   a) Make your firewall REJECT, rather than DROP, the passive-mode
      connection attempt.  That way the client won't have to wait for
      a timeout.
   b) Tell your WS_FTP client to use only active-mode FTP, but that
      can run into the same problem if you start running a firewall
      on the client machine, or if the client tries to run an FTP
      session through a NAT gateway.

The _right_ solution is to install the needed tracking module.

--
Bob Nichols         rnichols42 at comcast.net
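The reply above says the tracking module "looks inside FTP control packets and finds the port number". As an added illustration that is not part of the original mail and not the module's code, the POSIX shell function below does the same parsing in user space: it pulls the six-number tuple out of a server PASV reply (`227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)`) or a client PORT command (`PORT h1,h2,h3,h4,p1,p2`) and computes the data-connection address as `h1.h2.h3.h4` port `p1*256+p2`. That address is exactly what `ip_conntrack_ftp` records so that the data connection counts as RELATED to the control session; without it, a firewall that only admits NEW connections to port 21 has no way to know the data port and the passive attempt stalls until the client times out. The sample lines and addresses are constructed for the example.

```shell
#!/bin/sh
# ftp_data_endpoint LINE
#   Extract the FTP data-connection endpoint announced on the control
#   channel.  Accepts either a server "227 Entering Passive Mode (...)"
#   reply or a client "PORT h1,h2,h3,h4,p1,p2" command.
#   Prints "<ip> <port>" and returns 0, or prints nothing and returns 1
#   when the line carries no valid tuple.
ftp_data_endpoint() {
    # Keep only digits and commas; everything else becomes a separator.
    # The tuple then survives as one comma-separated token.
    for tok in $(printf '%s\n' "$1" | sed 's/[^0-9,]/ /g'); do
        old_ifs=$IFS
        IFS=,
        # shellcheck disable=SC2086  # word-splitting on commas is intended
        set -- $tok
        IFS=$old_ifs
        # A real tuple has exactly six fields, each an octet-sized value.
        [ $# -eq 6 ] || continue
        for n in "$@"; do
            [ "$n" -ge 0 ] 2>/dev/null && [ "$n" -le 255 ] || continue 2
        done
        # h1..h4 form the IPv4 address; the port is p1*256 + p2.
        printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
        return 0
    done
    return 1
}

# Demonstration on constructed control-channel lines (assumed sample data).
# Passive mode: the server names the port the client must connect to.
ftp_data_endpoint '227 Entering Passive Mode (192,168,1,10,195,80).'
# Active mode: the client names the port the server will connect back to.
ftp_data_endpoint 'PORT 10,0,0,5,4,1'
# A reply with no tuple yields nothing and a non-zero status.
ftp_data_endpoint '150 Here comes the directory listing.' || echo 'no data endpoint in line'
```

Run it with `sh script.sh`; the first two calls print `192.168.1.10 50000` and `10.0.0.5 1025`. A stateful firewall that accepts `--state ESTABLISHED,RELATED` traffic (the stock Fedora RH-Firewall-1-INPUT chain does; that rule is assumed here, not quoted from the mail) will let the connection to 192.168.1.10:50000 through only once the helper has associated it with the control session on port 21.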




More information about the fedora-list mailing list