I am having a lot of trouble getting passive ftp working nicely with iptables. Before anyone replies, I am not looking for an alternative to ftp. I know of alternatives, but I require ftp.
These are my firewall rules.
Code:
# user-defined chains that receive NEW connections (filled in below)
iptables -N TCP
iptables -N UDP
# default policies: nothing forwarded, everything out, nothing in unless matched below
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
# replies and helper-expected (RELATED) connections are accepted before anything else
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# hand NEW connections to the per-protocol chains
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# anything those chains did not accept is rejected
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
# allowed inbound TCP services (21 = FTP control channel)
iptables -A TCP -p tcp --dport 41144 -j ACCEPT
iptables -A TCP -p tcp --dport 443 -j ACCEPT
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp --dport 25 -j ACCEPT
iptables -A TCP -p tcp --dport 22 -j ACCEPT
iptables -A TCP -p tcp --dport 21 -j ACCEPT
# allowed inbound UDP services
iptables -A UDP -p udp --dport 443 -j ACCEPT
iptables -A UDP -p udp --dport 80 -j ACCEPT
I have verified via /proc/config.gz that the modules needed are loaded, such as nf_conntrack_ftp.
With iptables turned off, ftp works without problems. With iptables turned on, ftp passive mode does not work.
I created a conf file in /etc/modprobe.d/ called ip_conntrack_ftp.conf and added the following:
Code:
# current module names
options nf_conntrack_ftp ports=21
options nf_nat_ftp ports=21
# legacy names of the same modules, for older kernels
options ip_conntrack_ftp ports=21
options ip_nat_ftp ports=21
Nothing seems to get the passive port working. I can see the FTP port connection listening with "netstat -tapn" when my FTP client initiates a PASV connection, but it just hangs.
I would like to get this working without having to open the full range of PASV ports. Any suggestions would be appreciated.
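For the data connection to be accepted by the RELATED,ESTABLISHED rule at the top of the INPUT chain, two things have to happen in the kernel: the ftp helper has to be attached to the port-21 flow, and the helper has to turn the PASV reply into an expectation for the data channel. Loading nf_conntrack_ftp alone no longer guarantees the first part: since kernel 4.7 automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0), and newer kernels have removed the automatic assignment altogether, so the helper has to be attached explicitly in the raw table, for a server behind this ruleset with `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`. The second part is where NAT'd or multi-homed servers go wrong: the helper compares the address announced in the 227 reply with the address the control connection actually came from and registers nothing when they differ (unless its `loose` option is set), and without an expectation the data-channel SYN is NEW, lands in the TCP chain and gets a tcp-rst. The following Python is an added example, not code from the post or from the kernel; it models what nf_conntrack_ftp derives from the control channel (PASV, EPSV and the active-mode PORT command) and shows which conntrack state the data-channel SYN would then receive. The control-channel lines and addresses are constructed for the example, and `Expectation`, `expectation_for` and `conntrack_state` are names chosen here, not kernel identifiers.

```python
import re
from dataclasses import dataclass

# Constructed sample control-channel lines (documentation address ranges, not
# captured from any real server).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)."
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)"
SAMPLE_PORT_CMD = "PORT 198,51,100,7,4,1"


@dataclass(frozen=True)
class Expectation:
    """The RELATED expectation the helper registers for the data channel:
    who will open it, to which address and port (source port is wildcarded)."""
    src: str
    dst: str
    dport: int


_PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")
_PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _addr_port(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and the 227 reply."""
    a, b, c, d, p1, p2 = (int(g) for g in groups)
    port = p1 * 256 + p2
    if port == 0 or port > 65535 or any(o > 255 for o in (a, b, c, d)):
        raise ValueError("invalid address/port in FTP control line")
    return f"{a}.{b}.{c}.{d}", port


def expectation_for(line, client_ip, server_ip, loose=False):
    """Model of what the ftp conntrack helper derives from one control-channel
    line. Returns an Expectation, or None when the helper would register
    nothing (announced address differs from the peer and loose is off)."""
    m = _PASV_RE.match(line)
    if m:  # passive: client will connect to the address/port the server announced
        host, port = _addr_port(m.groups())
        if host != server_ip and not loose:
            return None
        return Expectation(src=client_ip, dst=host, dport=port)
    m = _EPSV_RE.match(line)
    if m:  # extended passive: only a port, address is the control peer itself
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError("invalid port in EPSV reply")
        return Expectation(src=client_ip, dst=server_ip, dport=port)
    m = _PORT_RE.match(line)
    if m:  # active: server will connect back to the client's announced address/port
        host, port = _addr_port(m.groups())
        if host != client_ip and not loose:
            return None
        return Expectation(src=server_ip, dst=host, dport=port)
    return None  # any other line carries no data-channel information


def conntrack_state(exp, syn_src, syn_dst, syn_dport):
    """State conntrack assigns the data-channel SYN: RELATED when it matches
    the expectation (accepted by the RELATED,ESTABLISHED rule), otherwise NEW
    (which the per-protocol TCP chain above then rejects with a tcp-rst)."""
    if exp is not None and (syn_src, syn_dst, syn_dport) == (exp.src, exp.dst, exp.dport):
        return "RELATED"
    return "NEW"


if __name__ == "__main__":
    client, server = "198.51.100.7", "192.0.2.10"
    exp = expectation_for(SAMPLE_PASV_REPLY, client, server)
    print("PASV expectation:", exp)
    print("data SYN state:", conntrack_state(exp, client, server, 50000))
    # Same reply seen through a server whose control address is different
    # (e.g. NAT): no expectation, so the data SYN stays NEW.
    print("mismatched address:", expectation_for(SAMPLE_PASV_REPLY, client, "203.0.113.1"))
```

Running it shows why opening the whole PASV range is unnecessary once the helper is attached: the expectation is exact (client address, server address, announced port), so only that one SYN becomes RELATED. If the announced address in your server's 227 replies does not match the address the client connected to, either fix the server's advertised address or accept the wider exposure of `loose=1` on nf_conntrack_ftp.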