Iptables creates ftp problem

Discussion in 'Linux Networking' started by B H, Dec 15, 2004.

  1. B H

    B H Guest

    I've had some ftp-problems with my Linux-box (fedora core 3) when
    connecting to a Windows ftp server at my isp which requires active
    mode. The ftp session freezes after logging in when I try to do e.g. a LIST
    command.
    I have had some problems identifying the source of the error, but last
    night I shut off the local firewall by using the "iptables stop" command.
    After this I could ftp without problems.

    My Linux-box is behind a router with firewall. The router is doing local
    DHCP. Maybe this could be the source of my problem? I have another
    Windows XP box on the same LAN, and it can ftp to the same server
    without problems (both PCs are set to active mode so this is not the
    problem).
    So there must be some problems with my iptables settings. Any experts
    out there that can shed some light on the possible problem? See below.

    ===== "Iptables -L" as root ==============
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT ipv6-crypt-- anywhere anywhere
    ACCEPT ipv6-auth-- anywhere anywhere
    ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
    ACCEPT udp -- anywhere anywhere udp dpt:ipp
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    ===============================
    Borge
     
    B H, Dec 15, 2004
    #1

  2. To enable Active mode you need to open the ftp-data port and
    something more. There are some examples in the iptable-howto.

    Davide
     
    Davide Bianchi, Dec 15, 2004
    #2

  3. B H

    B H Guest

    iptable-howto? Are you talking about the iptables man pages?

    Borge
     
    B H, Dec 15, 2004
    #3
    :I've had some ftp-problems with my Linux-box (fedora core 3) when
    :connecting to a Windows ftp server at my isp which requires active
    :mode. The ftp session freezes after logging in when I try to do e.g. a LIST
    :command.
    :I have had some problems identifying the source of the error, but last
    :night I shut off the local firewall by using the "iptables stop" command.
    :After this I could ftp without problems.
    :
    :My Linux-box is behind a router with firewall. The router is doing local
    :DHCP. Maybe this could be the source of my problem? I have another
    :Windows XP box on the same LAN, and it can ftp to the same server
    :without problems (both PCs are set to active mode so this is not the
    :problem).
    :So there must be some problems with my iptables settings. Any experts
    :out there that can shed some light on the possible problem? See below.
    [SNIPPED]

    FTP is a complex protocol that involves opening a separate connection
    for the data transfer. An FTP client running in active mode instructs
    the server to open a data connection back to a port number selected by
    the client. If you're not running a connection tracking module that
    knows how to peek inside the FTP control packets and identify that port,
    the server's connection attempt will be rejected by your firewall.

    Your options are:

    a) tell your FTP client to use passive mode, which causes the
    client, not the server, to open the data connection,

    or b) load the kernel's ip_conntrack_ftp module so that the server's
    data connection can be recognized as RELATED.

    I highly recommend that you take a look at Oskar Andreasson's excellent
    _Iptables_Tutorial_, which is available in several forms from

    http://iptables-tutorial.frozentux.net/
     
    Robert Nichols, Dec 15, 2004
    #4
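    To make the "peek inside the FTP control packets" step concrete, here is an added example (not from this thread or from the netfilter project) that models what the conntrack FTP helper does: it decodes a PORT command or a 227 reply, records the data connection it should expect, and then shows how the poster's RH-Firewall-1-INPUT chain would treat the server's inbound SYN with and without that helper. The client and server addresses and the control-channel lines are constructed for the demo.

```python
# Added example (not from the thread): models what ip_conntrack_ftp does.
# In active mode the client sends 'PORT h1,h2,h3,h4,p1,p2' on the control
# connection and the server connects *back* to that address/port.  Without a
# helper that parses PORT and registers an expectation, that inbound SYN is
# neither NEW-to-21/22 nor RELATED, so the poster's final rule rejects it.
import re
from ipaddress import IPv4Address

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(hp):
    """Decode RFC 959 'h1,h2,h3,h4,p1,p2' into (dotted_ip, port)."""
    parts = [int(x) for x in hp.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("malformed host-port string: %r" % hp)
    return str(IPv4Address(bytes(parts[:4]))), parts[4] * 256 + parts[5]


def expected_data_conn(client_ip, server_ip, control_line):
    """Expectation a conntrack FTP helper would register for one control line.

    Active (PORT): server -> client:port; the helper does not pin the server's
    source port (conventionally 20).  Passive (227 reply): client -> server:port,
    an outbound connection that needs no inbound rule.  None if not applicable.
    """
    m = PORT_RE.match(control_line)
    if m:
        ip, port = decode_hostport(m.group(1))
        return {"mode": "active", "src_ip": server_ip, "dst": (ip, port)}
    m = PASV_RE.match(control_line)
    if m:
        ip, port = decode_hostport(m.group(1))
        return {"mode": "passive", "src_ip": client_ip, "dst": (ip, port)}
    return None


def inbound_verdict(syn_src, syn_dst, expectations, helper_loaded):
    """Mimic the posted RH-Firewall-1-INPUT chain for one inbound TCP SYN:
    NEW to dpt 21/22 is accepted; a SYN matching a registered expectation is
    RELATED and accepted, but only if the helper is loaded (no helper, no
    expectations); everything else hits the final REJECT rule."""
    if syn_dst[1] in (21, 22):
        return "ACCEPT (state NEW)"
    if helper_loaded and any(
        e["mode"] == "active" and e["src_ip"] == syn_src[0] and e["dst"] == syn_dst
        for e in expectations
    ):
        return "ACCEPT (state RELATED)"
    return "REJECT icmp-host-prohibited"
```

    Note that when the client sits behind a NAT router, the PORT command carries the client's private address, which is why the router itself also needs FTP-aware NAT (the ip_nat_ftp module mentioned later in the thread) to rewrite it.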
  5. B H

    B H Guest

    In my case this is not an option since I only need access to one
    particular ftp-server, and the one in question requires active mode.
    I did not understand this, but hope that the _Iptables_Tutorial_ mentioned
    below might answer this.
    Thanks!

    Borge
     
    B H, Dec 15, 2004
    #5
  6. Your very first rule here (ACCEPT all -- anywhere anywhere) seems to make
    all succeeding rules irrelevant since ACCEPT identifies a terminal rule.

    Please post your rules without editing.

    Cheers!
     
    Tommy Reynolds, Dec 15, 2004
    #6
  7. Juha Laiho

    Juha Laiho Guest

    You got the correct answer already - namely that you'll need to load
    the ip_conntrack_ftp module and allow RELATED inbound traffic.
    Or alternatively use passive ftp (how to do this depends on your
    ftp client program).
    Sorry, "iptables -L" is leaving out some of the needed information
    (which pretty badly corrupts some of the rules). Use "iptables -vL"
    instead.
     
    Juha Laiho, Dec 15, 2004
    #7
    :> Your options are:
    :>
    :> a) tell your FTP client to use passive mode, which causes the
    :> client, not the server, to open the data connection,
    :
    :In my case this is not an option since I only need access to one
    :particular ftp-server, and the one in question requires active mode.
    :
    :> or b) load the kernel's ip_conntrack_ftp module so that the server's
    :> data connection can be recognized as RELATED.
    :
    :I did not understand this, but hope that the _Iptables_Tutorial_ mentioned
    :below might answer this.
    :
    :> I highly recommend that you take a look at Oskar Andreasson's excellent
    :> _Iptables_Tutorial_, which is available in several forms from
    :>
    :> http://iptables-tutorial.frozentux.net/

    The magic incantation needed is to issue the following command (as root):

    modprobe ip_conntrack_ftp

    You can add an "install" line in your /etc/modprobe.conf (assuming your
    system uses that) to make that happen automatically when the system
    boots. See `man modprobe.conf` for details.
     
    Robert Nichols, Dec 16, 2004
    #8
  9. HOWTO documentation is at http://www.tldp.org (search for the 'full
    index').

    Concerning FTP, did you load the ip_conntrack_ftp & ip_nat_ftp modules
    (insmod <module>)? And what are your iptables rules? (iptables -L -vn)


    Regards
     
    Antoine EMERIT, Dec 22, 2004
    #9