
Re: Passive FTP problem with a change of IP address



Hello,

Frédéric Massot wrote:
> Hi,
> 
> I have a firewall with iptables rules (kernel 3.10); until now I have 
> always been able to connect to FTP servers in passive or active mode.
> 
> Here are the rules I use:
> 
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
>   -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
> 
> 
> I have a problem with the FTP server of one hoster. I connect well, but 
> the data does not go through in passive mode.
> 
> I looked at the packets that pass through the firewall with iptraf and I 
> noticed that the ftp-data connection was on a different IP address.
> 
> Connection to the FTP server (yy.yy.10.2):
> 192.168.11.66:59577 --> yy.yy.10.2:21
> 
> ftp-data transmission on another IP address (yy.yy.10.10):
> 192.168.11.66:32777 --> yy.yy.10.10:30527
> 
> ftp-data transmission on the other IP address is blocked by my firewall; 
> it is not considered RELATED.

By default the FTP connection tracking module nf_conntrack_ftp checks
that the advertised address matches the source address. You may try to
add the option loose=1 when loading the module.
Or you could set your FTP client to use extended passive mode (EPSV),
which does not advertise a passive address.
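To see why the firewall above treats the data connection as NEW rather than RELATED, here is an added Python model of the address check that nf_conntrack_ftp applies to PASV and EPSV replies; this is example code, not from the list or the kernel, and the 203.0.113.x addresses are constructed stand-ins for the masked yy.yy.10.x ones.

```python
import re

# Constructed stand-ins for the masked addresses in the thread: the control
# connection goes to 203.0.113.2, but the PASV reply advertises the data
# endpoint on 203.0.113.10 (port 30527 = 119*256 + 63).
CONTROL_PEER = "203.0.113.2"
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,119,63)"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||30527|)"

_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply, control_peer):
    """Return the (address, port) a client dials after this reply.

    A 227 reply carries its own address; a 229 (EPSV) reply carries only a
    port, so the client reuses the control connection's peer address."""
    m = _PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = _EPSV_RE.match(reply)
    if m:
        return control_peer, int(m.group(1))
    raise ValueError(f"not a passive-mode reply: {reply!r}")


def conntrack_expectation(reply, control_peer, loose=False):
    """Model of nf_conntrack_ftp: the (address, port) it will mark RELATED,
    or None when the advertised address differs from the control peer and
    loose=0 (the default), in which case no expectation is recorded."""
    addr, port = parse_passive_reply(reply, control_peer)
    if addr != control_peer and not loose:
        return None
    return addr, port


def data_connection_state(reply, control_peer, data_dst, loose=False):
    """Conntrack state of the client's outbound data SYN to data_dst."""
    exp = conntrack_expectation(reply, control_peer, loose)
    return "RELATED" if exp == data_dst else "NEW"


if __name__ == "__main__":
    target = ("203.0.113.10", 30527)
    # Default module settings: the SYN is NEW, and the FORWARD rules in the
    # thread only accept NEW traffic to port 21, so the transfer is dropped.
    print(data_connection_state(PASV_REPLY, CONTROL_PEER, target))              # NEW
    print(data_connection_state(PASV_REPLY, CONTROL_PEER, target, loose=True))  # RELATED
    # EPSV advertises no address, so the expectation follows the control peer.
    print(data_connection_state(EPSV_REPLY, CONTROL_PEER, ("203.0.113.2", 30527)))  # RELATED
```

With loose=1 the helper records the expectation for whatever address the server advertises, which is why it is off by default: a server can then open a RELATED hole to any address, so prefer EPSV where the client supports it.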

