
Passive FTP problem with a change of IP address


I have a firewall with iptables rules (kernel 3.10); until now I have always been able to connect to FTP servers in passive or active mode.

Here are the rules I use:

# Accept return traffic and connections the conntrack helpers mark as RELATED
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new outbound FTP control connections (port 21) from the LAN
iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT

I have a problem with the FTP server of one hoster. I connect fine, but the data does not go through in passive mode.

I looked at the packets that pass through the firewall with iptraf and I noticed that the ftp-data connection was on a different IP address.

Connect to the FTP server (yy.yy.10.2) : --> yy.yy.10.2:21

ftp-data transmission on another IP address (yy.yy.10.10) : --> yy.yy.10.10:30527

The ftp-data transmission on the other IP address is blocked by my firewall; it is not considered RELATED.

- Is anything lacking in my rules?

- Does the nf_conntrack_ftp module take care of the IP address change?

|              FRÉDÉRIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@juliana-multimedia.com   |
| +33.(0)  +33.(0) |

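The behaviour the post describes is the deliberate default of nf_conntrack_ftp: when a 227 PASV reply announces an address that differs from the control connection's peer, the helper does not create an expectation, so the data connection never becomes RELATED. The check is lifted only when the module is loaded with its `loose=1` parameter. The script below is an added example written for this thread, not code from the kernel or from the poster. It models that decision offline on constructed sample replies (the addresses 192.0.2.2, 192.0.2.10 and client 10.0.0.5 are stand-ins for the post's yy.yy.10.2 and yy.yy.10.10; port 30527 is the one from the post), so you can confirm from a captured control-channel reply whether the helper would have tracked the data flow.

```python
"""Offline model of the nf_conntrack_ftp passive-mode check.

Added example for the thread above, not kernel code. It mirrors the
helper's rule of thumb: a PASV reply pointing at a different IP than the
control connection's peer creates no expectation unless loose=1.
"""
import ipaddress
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)".
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_passive_reply(reply, control_peer):
    """Return (ip, port) the server tells the client to connect to.

    EPSV carries no address, so the control connection's peer is used.
    Returns None when the line is not a passive-mode reply at all.
    """
    line = reply.strip()
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            raise ValueError(f"malformed PASV reply: {line!r}")
        ip = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))
        return ip, p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError(f"malformed EPSV reply: {line!r}")
        return str(ipaddress.ip_address(control_peer)), port
    return None


def conntrack_expectation(client, control_peer, reply, loose=False):
    """Model the helper's decision for one server reply.

    Returns (expectation, reason). The expectation is the flow the firewall
    would accept as RELATED (client -> ip:port), or None if no expectation
    is registered.
    """
    parsed = parse_passive_reply(reply, control_peer)
    if parsed is None:
        return None, "not a passive-mode reply; no expectation created"
    data_ip, data_port = parsed
    peer = str(ipaddress.ip_address(control_peer))
    if data_ip != peer and not loose:
        # This is the strict default: the announced address is ignored.
        return None, (f"announced {data_ip} differs from control peer {peer}; "
                      "nf_conntrack_ftp ignores it unless loaded with loose=1")
    return ({"src": str(ipaddress.ip_address(client)),
             "dst": (data_ip, data_port)},
            "expectation created: data connection will match RELATED")


if __name__ == "__main__":
    # Constructed sample modelled on the post: control connection to .2,
    # data connection announced on .10 port 30527 (119*256 + 63).
    REPLY = "227 Entering Passive Mode (192,0,2,10,119,63)"
    for loose in (False, True):
        exp, why = conntrack_expectation("10.0.0.5", "192.0.2.2", REPLY, loose)
        print(f"loose={loose}: {exp} -> {why}")
```

To check the live setting, read `/sys/module/nf_conntrack_ftp/parameters/loose`; to change it, reload the module with `modprobe nf_conntrack_ftp loose=1` (or `options nf_conntrack_ftp loose=1` in modprobe.d). Bear in mind why the strict default exists: with loose=1 any server a client speaks FTP to can make the firewall expect, and therefore accept as RELATED, a connection to an arbitrary third address. The narrower fix is an explicit FORWARD rule allowing NEW connections from the LAN to that hoster's data address and port range, which keeps the helper's protection for every other server.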