iptables ftp conntrack using port != 21

03-12-2008, 10:28 AM

Hi everyone,

I want to run the ftp server of my linux box on a non-standard port
(say, 20 for data but 666 for handshake). The problem is that
obviously the connection tracking module in iptables only works with
ports 20/21. If I check my logs I see that the client's LIST command
is recognized as a NEW connection if my ftp server is set to use port
666.
Is this a fact or am I just missing some setting?

Thanks in advance,
Eric

03-12-2008, 12:55 PM

Hello,

Eric a écrit :
>
> I want to run the ftp server of my linux box on a non-standard port
> (say, 20 for data but 666 for handshake). The problem is that
> obviously the connection tracking module in iptables only works with
> ports 20/21.

AFAIK port 20 is not involved in FTP connection tracking as it does not
appear in port/passive commands.

> If I check my logs I see that the client's LIST command
> is recognized as a NEW connection if my ftp server is set to use port
> 666.
> Is this a fact or am I just missing some setting?

Hint : modinfo ip_conntrack_ftp (or nf_conntrack_ftp on recent kernels)

03-13-2008, 05:23 AM

Eric wrote:
> Hi everyone,
>
> I want to run the ftp server of my linux box on a non-standard port
> (say, 20 for data but 666 for handshake). The problem is that
> obviously the connection tracking module in iptables only works with
> ports 20/21. If I check my logs I see that the client's LIST command
> is recognized as a NEW connection if my ftp server is set to use port
> 666.
> Is this a fact or am I just missing some setting?
>

you could load ip_conntrack_ftp module with another port in configuration

modprobe ip_conntrack_ftp ports=21,<port>

> Thanks in advance,
> Eric

03-13-2008, 09:21 AM

On 13 Mrz., 07:23, Philippe Weill <Philippe.We...@aero.jussieu.fr>
wrote:

> modprobe ip_conntrack_ftp ports=21,<port>

Ah, thanks, obviously this is exactly what I was looking for.

Btw, I'm using a 99% monolithic kernel, so what does the boot
parameter look like? Is it

ip_conntrack_ftp.ports=<xxx>

(I'm using lilo but that shouldn't influence the parameter syntax)?

Regards, Eric

03-13-2008, 03:34 PM

Eric wrote:
> On 13 Mrz., 07:23, Philippe Weill <Philippe.We...@aero.jussieu.fr>
> wrote:
>
>> modprobe ip_conntrack_ftp ports=21,<port>
>
> Ah, thanks, obviously this is exactly what I was looking for.

> Btw, I'm using a 99% monolithic kernel, so what does the boot
> parameter look like? Is it
>
> ip_conntrack_ftp.ports=<xxx>

perhaps it's a mistake but I think you couldn't if not in module

>
> (I'm using lilo but that shouldn't influence the parameter syntax)?
>
> Regards, Eric

03-14-2008, 06:58 AM

On 13 Mrz., 17:34, Philippe Weill <Philippe.We...@aero.jussieu.fr>
wrote:

> perhaps it's a mistake but I think you couldn't if not in module

Hmm, I thought this was the standard syntax for in-kernel "modules".
Isn't anyone out there who knows for sure?

Regards, Eric

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
iptables / recent regarding port 113	E. Pluribus	Linux Networking	1	06-02-2008 08:10 PM
need help on port forward using iptables.	jsuthan	Linux Networking	7	01-21-2006 01:53 AM
iptables DNS port	Baho Utot	Linux Networking	2	02-14-2005 04:07 PM
iptables DNS port	Baho Utot	Linux Networking	0	02-09-2005 08:58 PM
iptables port forwarding	anonymous	Linux Networking	1	01-22-2004 09:25 AM