Passive FTP problem with a change of IP address
I have a firewall with iptables rules (kernel 3.10), until now I have
always been able to connect to FTP server in passive or active mode.
Here are the rules I use:
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE
-s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j
I have a problem with the FTP server of one hoster. I connect well, but
the data do not go into passive mode.
I looked at the packets that pass through the firewall with iptraf and I
noticed that the ftp-data connection that was on a different IP address.
Connect to the FTP server (yy.yy.10.2) :
192.168.11.66:59577 --> yy.yy.10.2:21
ftp-data transmission on another IP address (yy.yy.10.10) :
192.168.11.66:32777 --> yy.yy.10.10:30527
ftp-data transmission on the other IP address is blocked by my firewall,
it is not considered as RELATED.
- Is it lack any thing in my rules?
- Does the nf_conntrack_ftp module take care of the IP address change?
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:email@example.com |
| +33.(0)188.8.131.52.94 +33.(0)184.108.40.206.69 |