Re: [SLUG] Centos -vsftpd-passive mode-firewall

From: Ian C. Blenke (ian@blenke.com)
Date: Sat Oct 29 2005 - 18:21:15 EDT


Russ Wright wrote:
> Hello Sluggers.
>
> So I read the manual for vsftpd & iptables and I'm still not sure how to
> make this work. I have a small server with Centos 4.2 running vsftpd
> with the firewall enabled. I cannot get passive ftp mode to work. I
> think it is the firewall blocking the ports but I'm not sure how to get
> this all going.
>
> I think I have to enable passive mode and set the lowest port number
> that can be used in vsftpd.conf but then how do I set up the firewall to
> let those ports work?
>
> Can anyone assist?
Try using the ftp connection tracking kernel module:

    modprobe ip_conntrack_ftp
    iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

This should set up an "established" connection for the initial port 21
connection, and the ip_conntrack_ftp module will mark all "related"
connections in relation to that connection.

Hope this helps.

 - Ian C. Blenke <ian@blenke.com> http://ian.blenke.com
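The approach in the reply above, worked through as an added example (not code from the original thread): the script pins vsftpd's passive data ports to a known range and emits the matching iptables rules, so that the only inbound ports opened are 21 and whatever the FTP conntrack helper marks as RELATED. It uses the current module and match names (nf_conntrack_ftp, -m conntrack) in place of the 2005-era ip_conntrack_ftp and -m state, and adds the raw-table CT rule that kernels since 4.7 require because they no longer attach the ftp helper automatically. The port range (50000-50100) and the config path are assumptions; by default the script only prints what it would do and applies nothing unless run as "apply".

```shell
#!/bin/sh
# Added example, not part of the original mailing-list reply.
# Generates vsftpd passive-mode settings and the firewall rules that
# go with them. Range and config path below are assumed values.

PASV_MIN=${PASV_MIN:-50000}
PASV_MAX=${PASV_MAX:-50100}
VSFTPD_CONF=${VSFTPD_CONF:-/etc/vsftpd/vsftpd.conf}

# Return 0 only for a sane passive range: unprivileged, in order, within 16 bits.
validate_pasv_range() {
    min=$1
    max=$2
    [ "$min" -gt 1023 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ]
}

# vsftpd directives that enable passive mode and confine the data ports.
# Pinning the range is what makes the firewall side predictable.
vsftpd_pasv_settings() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' \
        "$PASV_MIN" "$PASV_MAX"
}

# Firewall rules. Only port 21 is opened for NEW connections; the data
# channels are admitted as RELATED once the ftp helper has parsed the
# PASV reply on the control channel. The raw-table CT rule binds the
# helper explicitly, since modern kernels do not auto-assign it.
firewall_rules() {
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Count the rules that would be emitted; useful when auditing the result.
firewall_rule_count() {
    firewall_rules | grep -c '^iptables'
}

main() {
    if ! validate_pasv_range "$PASV_MIN" "$PASV_MAX"; then
        echo "bad passive range $PASV_MIN-$PASV_MAX" >&2
        return 1
    fi
    if [ "${1:-}" = "apply" ]; then
        # Append the passive settings and load the rules on this host.
        vsftpd_pasv_settings >> "$VSFTPD_CONF"
        firewall_rules | sh
    else
        echo "# would append to $VSFTPD_CONF:"
        vsftpd_pasv_settings
        echo "# would run:"
        firewall_rules
    fi
}

# Only act when executed directly, not when sourced for inspection.
if [ "$(basename -- "$0")" = "vsftpd-pasv-firewall.sh" ]; then
    main "$@"
fi
```

Run it as `sh vsftpd-pasv-firewall.sh` to review the output, then with `apply` as root to write the config and load the rules; restart vsftpd afterwards so the pasv_* directives take effect. If the helper cannot be used, the fallback is an explicit rule for the pinned range (`--dport 50000:50100 -m conntrack --ctstate NEW`), which exposes more than the RELATED match but still far less than leaving the firewall off.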

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:56:41 EDT