allowing passive FTP from the outside

Robert Slade fedora at bathnetworks.com
Sun Apr 3 07:04:21 UTC 2005


On Sat, 2005-04-02 at 22:33, Justin Zygmont wrote:
> On Sat, 2 Apr 2005, Markku Kolkka wrote:
> 
> > Justin Zygmont wrote in his message (sent Saturday, 2
> > April 2005 12:23):
> >> I know the problem is because of a nonexistent iptables rule, I'm
> >> just at a loss as to what the missing rules should look like.
> >> The only thing that is different in this case is that I need
> >> to use port 221 for FTP instead of 21,
> >
> > That's what breaks everything. The FTP control connection must be
> > on server port 21. Using a different port violates RFC 959 and
> > ip_conntrack_ftp doesn't watch any other port for FTP traffic.
> 
> Are you sure ftp_conntrack is even needed? I thought that's usually used
> just for stateful routing through a server, and not to connect to one from
> the outside. Also when I shut iptables down, it works, I can get an FTP
> listing.
> 
Yes it does. ftp_conntrack etc. monitors the traffic on port 21 and
dynamically opens the higher-numbered (data) ports that the control on port 21
asks for. Turning off iptables just opens all the ports.

If you are using vsftp, then you can set the ports used by passive FTP
and then open them in iptables, but this is a risk as they can be
abused. This may be possible with other FTP servers.

Rob
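The two approaches Rob describes, as an added example that is not from the thread nor from vsftpd's or netfilter's own code: shell functions that emit the iptables rules and the vsftpd passive-port settings rather than applying them, so the output can be reviewed before being piped to sh on the firewall host. The passive range 50000-50100 is an assumed value, and the note on the helper's ports= module parameter goes beyond what the thread states.

```shell
#!/bin/sh
# Added example, not from the thread. Emits rules instead of applying them.

# Approach 1: keep the control connection on port 21 and let the
# ip_conntrack_ftp helper open data ports on demand. The helper parses the
# PASV/PORT exchange on port 21 and marks the resulting data connection
# RELATED, so only ports an actual FTP session asked for are let in.
# (The helper also accepts a ports= module parameter, e.g.
#  "modprobe ip_conntrack_ftp ports=21,221", if a second control port is
#  unavoidable; the thread itself only discusses port 21.)
ftp_rules_conntrack() {
    cat <<'EOF'
modprobe ip_conntrack_ftp
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
EOF
}

# Approach 2: pin the passive range in vsftpd.conf and open it statically.
# Assumed range; note the whole range is reachable whether or not any FTP
# session is in progress, which is the exposure Rob warns about.
PASV_MIN=50000
PASV_MAX=50100

# vsftpd.conf fragment that fixes the passive data-port range.
vsftpd_pasv_conf() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' \
        "$PASV_MIN" "$PASV_MAX"
}

# Matching firewall rules: no helper, so the range must be opened for NEW.
ftp_rules_static() {
    cat <<EOF
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport ${PASV_MIN}:${PASV_MAX} -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Quick check on a running host: is an FTP conntrack helper loaded at all?
# Returns 0 if ip_conntrack_ftp (or the newer nf_conntrack_ftp) is present.
ftp_helper_loaded() {
    lsmod 2>/dev/null | grep -q '^\(ip\|nf\)_conntrack_ftp'
}
```

With approach 1 a listing works without opening any high port by hand; with approach 2 the listing works only while the configured range matches the range open in iptables.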