[TriLUG] Curious VSFTP issue

Dave Sorenson dave at logicalgeek.com
Thu Dec 8 15:21:21 EST 2005


THANK YOU! Adding the IPTABLES_MODULES="ip_conntrack_ftp" in config did 
it. Once again Trilugers to the rescue!

Dave S

Matt McGrievy wrote:
>
> I don't claim to be an iptables expert, but I had to deal with this 
> issue not too long ago.
>
> You have to tell iptables to let related and established connections 
> through.  Joe already mentioned using ip_conntrack_ftp to keep track 
> of ftp connections related to existing port 21 sessions, but to 
> reiterate, add the following to /etc/sysconfig/iptables-config (in 
> RHEL 3.0):
>
> IPTABLES_MODULES="ip_conntrack_ftp"
>
> ...then make sure you have this iptables rule:
>
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I believe you could tighten things up by adding port 21 as the 
> destination above.  When you restart iptables, it should tell you it's 
> loading the ip_conntrack_ftp module and let passive ftp through properly.
>
> -Matt
>
> Matt Pusateri wrote:
>> On a related note, I am not an iptables guru :(  What rules do I have
>> to add to let passive FTP in?  Do I just have to allow whatever high
>> port range I have specified in my ftp config?
>>
>> Matt P.
>>
>> On Wed, December 7, 2005 5:32 pm, Dave Sorenson wrote:
>>
>>> I'd agree except for the observation it was still not working when I
>>> turned off the firewall entirely to make sure it was not a firewall
>>> problem.
>>>
>>> Thanks for the thought though!
>>>
>>> Dave
>>>
>>> Joseph Mack NA3T wrote:
>>>
>>>> On Wed, 7 Dec 2005, Dave Sorenson wrote:
>>>>
>>>>
>>>>>>>>> directory listing. I've tried both passive and active modes with
>>>>>>>>> multiple FTP clients, scoured the vsftpd.conf, firewall is open on 20
>>>>>>>>> and 21 (I even tried disabling the firewall briefly to make sure that
>>>>>>>>> was not the problem) but no luck. Anyone ever see this before?
>>>>
>>>> VSFTP in active mode calls from a high (>1024) port rather than port
>>>> 20. This is to allow it to run without root privileges. Watch it with
>>>> netcat.
>>>>
>>>>
>>>>>>> Sounds like passive FTP not getting through the firewall.  Try doing a
>>>>>>> 'modprobe ip_conntrack_ftp' on the server, or seeing if you can force
>>>>>>> your client to use active mode only.
>>>>
>>>> iptables "RELATED" knows about the calling port
>>>>
>>>> Joe
>>>>
>>>
>>> -- 
>>> TriLUG mailing list        :
>>> http://www.trilug.org/mailman/listinfo/trilug
>>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>>
>>
>>
>>
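The thread's fix works because ip_conntrack_ftp reads the FTP control channel on port 21, learns which high port the data connection will use, and marks that connection RELATED so the `--state ESTABLISHED,RELATED` rule admits it. The following is an added example, not code from the thread or from the kernel helper: a constructed Python model of that behaviour on the server's INPUT side. The addresses, the port-21 rule and the `ServerInputFilter` class are assumptions made for the illustration. It parses both the `227` passive reply (the case Dave hit) and the active-mode `PORT` command (Joe's point that the server's data connection does not come from port 20), walks through a passive directory listing with and without the helper, and shows that a SYN to the negotiated port from a host that did not negotiate it stays NEW. One caveat for anyone applying this on a current kernel: the module is now called nf_conntrack_ftp and, with `net.netfilter.nf_conntrack_helper` defaulting to 0, the helper must be attached explicitly with a `CT --helper ftp` rule in the raw table rather than being picked up automatically by port number.

```python
"""Constructed model of how the FTP conntrack helper turns a control-channel
exchange into a RELATED data connection. Added example; not the kernel code."""
import re
from typing import NamedTuple, Optional, Set, Tuple

# Constructed sample addresses from the RFC 5737 documentation ranges.
CLIENT_IP = "192.0.2.10"
SERVER_IP = "198.51.100.5"

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server,
# "PORT h1,h2,h3,h4,p1,p2" from the client.
PASV_REPLY_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_CMD_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)


class Expectation(NamedTuple):
    """A data connection the helper has learned to expect: who will open it, to where."""
    src_ip: str
    dst_ip: str
    dst_port: int


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """Convert the h1,h2,h3,h4,p1,p2 form into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if any(not 0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("value out of range")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def expectation_from_control(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Derive the data connection a control-channel line announces, or None.
    The model only trusts an address that matches the peer that sent it, so a
    line naming a third party cannot open a hole elsewhere (the kernel helper
    has its own policy for this; the check here is part of the model)."""
    m = PASV_REPLY_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            return None
        # Passive: the client will connect to the server's advertised high port.
        return Expectation(client_ip, ip, port)
    m = PORT_CMD_RE.match(line)
    if m:
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            return None
        # Active: the server connects to the client's advertised port, from an
        # unprivileged source port rather than port 20 (vsftpd runs unprivileged).
        return Expectation(server_ip, ip, port)
    return None


class ServerInputFilter:
    """Assumed server-side INPUT policy from the thread:
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    plus an explicit accept for NEW connections to tcp/21. Only inbound SYNs
    are modelled, so only NEW and RELATED matter here."""

    def __init__(self, client_ip: str, server_ip: str, helper_loaded: bool) -> None:
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.helper_loaded = helper_loaded
        self.expectations: Set[Expectation] = set()

    def observe_control(self, line: str) -> Optional[Expectation]:
        """Without ip_conntrack_ftp nothing inspects the control channel."""
        if not self.helper_loaded:
            return None
        exp = expectation_from_control(line, self.client_ip, self.server_ip)
        if exp is not None:
            self.expectations.add(exp)
        return exp

    def state_of_syn(self, src_ip: str, dst_ip: str, dst_port: int) -> str:
        exp = Expectation(src_ip, dst_ip, dst_port)
        if exp in self.expectations:
            self.expectations.discard(exp)  # an expectation is consumed once
            return "RELATED"
        return "NEW"

    def accepts_syn(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if self.state_of_syn(src_ip, dst_ip, dst_port) == "RELATED":
            return True
        return dst_ip == self.server_ip and dst_port == 21  # the only open NEW port


def passive_listing(helper_loaded: bool) -> dict:
    """Walk a passive-mode directory listing and report which inbound SYNs pass."""
    fw = ServerInputFilter(CLIENT_IP, SERVER_IP, helper_loaded)
    result = {"control": fw.accepts_syn(CLIENT_IP, SERVER_IP, 21)}
    # Constructed vsftpd reply to PASV: 195*256 + 80 = port 50000.
    fw.observe_control("227 Entering Passive Mode (198,51,100,5,195,80).")
    result["data"] = fw.accepts_syn(CLIENT_IP, SERVER_IP, 50000)
    # The same port from a host that did not negotiate it stays NEW and is dropped.
    fw.observe_control("227 Entering Passive Mode (198,51,100,5,195,80).")
    result["stranger"] = fw.accepts_syn("203.0.113.7", SERVER_IP, 50000)
    # A reply naming a third-party address creates no expectation in this model.
    result["bounce_ignored"] = fw.observe_control("227 Entering Passive Mode (203,0,113,9,195,80).") is None
    return result


if __name__ == "__main__":
    for loaded in (False, True):
        print(f"ip_conntrack_ftp loaded={loaded}: {passive_listing(loaded)}")
```

Run with the helper "unloaded" the data SYN is classified NEW and dropped, which is exactly the symptom in the thread (the control login works, the listing hangs); with it "loaded" the same SYN is RELATED and passes without opening the high port range to everyone.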