Hello,

Frédéric Massot wrote:
> Hi,
>
> I have a firewall with iptables rules (kernel 3.10); until now I have
> always been able to connect to FTP servers in passive or active mode.
>
> Here are the rules I use:
>
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
>     -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j ACCEPT
>
> I have a problem with the FTP server of one hoster. I connect fine, but
> the data does not go through in passive mode.
>
> I looked at the packets that pass through the firewall with iptraf and I
> noticed that the ftp-data connection was on a different IP address.
>
> Connection to the FTP server (yy.yy.10.2):
> 192.168.11.66:59577 --> yy.yy.10.2:21
>
> ftp-data transmission on another IP address (yy.yy.10.10):
> 192.168.11.66:32777 --> yy.yy.10.10:30527
>
> The ftp-data transmission to the other IP address is blocked by my firewall;
> it is not considered RELATED.
By default the FTP connection tracking module nf_conntrack_ftp checks that the advertised address matches the source address. You may try to add the option loose=1 when loading the module. Or you could set your FTP client to use extended passive mode (EPSV), which does not advertise a passive address.

--
Archive: http://lists.debian.org/52876a2f.6090...@plouf.fr.eu.org
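The check the reply describes, as an added illustration that is not part of the thread and not the kernel's own code: a small Python model of how the FTP helper decides whether to register a RELATED expectation for the data connection. A 227 (PASV) reply carries an address, and with loose=0 that address must equal the control connection's server address or no expectation is created, so the data connection arrives as NEW and falls through to the default policy; loose=1 skips the comparison; a 229 (EPSV) reply carries only a port, so the expectation always points at the control peer. The addresses, ports and reply strings are constructed (the 203.0.113.0/24 documentation range stands in for yy.yy.10.x); function names are this example's own.

```python
"""Simplified model of nf_conntrack_ftp's passive-mode expectation logic.

Not kernel code: it mirrors only the behaviour discussed on the list
(advertised address vs. control-connection peer, loose=0/1, EPSV).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class Expectation:
    """A RELATED expectation: src_ip may open a new TCP connection to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Extract (ip, port) from a 227 reply; port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def parse_epsv(reply: str) -> Optional[int]:
    """Extract the port from a 229 reply (no address is advertised)."""
    m = EPSV_RE.search(reply)
    return int(m.group(1)) if m else None


def expect_from_reply(client_ip: str, server_ip: str, reply: str,
                      loose: bool = False) -> Optional[Expectation]:
    """Return the expectation the helper would register for this server reply.

    server_ip is the source address of the packet carrying the reply, i.e. the
    control connection's peer.  None means no expectation is created, so the
    following data connection will be classified NEW instead of RELATED.
    """
    pasv = parse_pasv(reply)
    if pasv is not None:
        adv_ip, port = pasv
        if adv_ip != server_ip and not loose:
            # loose=0 (default): advertised address must match the control peer
            return None
        return Expectation(client_ip, adv_ip, port)
    port = parse_epsv(reply)
    if port is not None:
        # EPSV: nothing to compare, the data connection goes to the control peer
        return Expectation(client_ip, server_ip, port)
    return None


def data_connection_related(exp: Optional[Expectation],
                            src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would a new connection src_ip -> dst_ip:dst_port match the expectation?"""
    return exp is not None and (src_ip, dst_ip, dst_port) == (
        exp.src_ip, exp.dst_ip, exp.dst_port)


if __name__ == "__main__":
    # Constructed scenario modelled on the thread: control peer .2, data on .10
    client, ctrl_peer = "192.168.11.66", "203.0.113.2"
    pasv_reply = "227 Entering Passive Mode (203,0,113,10,119,63)"  # 119*256+63 = 30527
    for loose in (False, True):
        exp = expect_from_reply(client, ctrl_peer, pasv_reply, loose=loose)
        ok = data_connection_related(exp, client, "203.0.113.10", 30527)
        print(f"loose={int(loose)} PASV to other address -> RELATED={ok}")
    exp = expect_from_reply(client, ctrl_peer, "229 Entering Extended Passive Mode (|||30527|)")
    print("EPSV ->", exp)
```

On a real box the loose=1 option is passed to the module (for example with modprobe, or persistently with an `options nf_conntrack_ftp loose=1` line in a file under /etc/modprobe.d/); note that it relaxes a check that exists to stop a server from directing the client to open connections to arbitrary third-party addresses, which is why the reply's EPSV suggestion is the cleaner fix when the client supports it.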