Passive FTP problem with a change of IP address

To: debian-firewall@lists.debian.org
Subject: Passive FTP problem with a change of IP address
From: Frédéric Massot <frederic@juliana-multimedia.com>
Date: Fri, 15 Nov 2013 13:03:19 +0100
Message-id: <[🔎] 52860D87.7070808@juliana-multimedia.com>

Hi,

I have a firewall with iptables rules (kernel 3.10), until now I havealways been able to connect to FTP server in passive or active mode.


Here are the rules I use:

iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE-s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -jACCEPT

I have a problem with the FTP server of one hoster. I connect well, butthe data do not go into passive mode.

I looked at the packets that pass through the firewall with iptraf and Inoticed that the ftp-data connection that was on a different IP address.


Connect to the FTP server (yy.yy.10.2) :
192.168.11.66:59577 --> yy.yy.10.2:21

ftp-data transmission on another IP address (yy.yy.10.10) :
192.168.11.66:32777 --> yy.yy.10.10:30527

ftp-data transmission on the other IP address is blocked by my firewall,it is not considered as RELATED.



- Is it lack any thing in my rules?

- Does the nf_conntrack_ftp module take care of the IP address change?


Regards.
--
==============================================
|              FRÉDÉRIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@juliana-multimedia.com   |
| +33.(0)2.97.54.77.94  +33.(0)6.67.19.95.69 |
===========================Debian=GNU/Linux===

Reply to:

Follow-Ups:
- Re: Passive FTP problem with a change of IP address
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

Next by Date: Re: Passive FTP problem with a change of IP address
Next by thread: Re: Passive FTP problem with a change of IP address
Index(es):
- Date
- Thread