Monday, November 18, 2013

Re: Passive FTP problem with a change of IP address

On 16/11/2013 13:50, Pascal Hambourg wrote:
> Hello,
>
> Frédéric Massot wrote:
>> Hi,
>>
>> I have a firewall with iptables rules (kernel 3.10), and until now I have
>> always been able to connect to FTP servers in passive or active mode.
>>
>> Here are the rules I use:
>>
>> iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE
>> -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW -j
>> ACCEPT
>>
>>
>> I have a problem with the FTP server of one hoster. I connect fine, but
>> the data does not get through in passive mode.
>>
>> I looked at the packets that pass through the firewall with iptraf and I
>> noticed that the ftp-data connection was on a different IP address.
>>
>> Connect to the FTP server (yy.yy.10.2) :
>> 192.168.11.66:59577 --> yy.yy.10.2:21
>>
>> ftp-data transmission on another IP address (yy.yy.10.10) :
>> 192.168.11.66:32777 --> yy.yy.10.10:30527
>>
>> The ftp-data transmission on the other IP address is blocked by my firewall,
>> as it is not considered RELATED.
>
> By default the FTP connection tracking module nf_conntrack_ftp checks
> that the advertised address matches the source address. You may try to
> add the option loose=1 when loading the module.
> Or you could set your FTP client to use extended passive mode (EPSV),
> which does not advertise a passive address.

Thank you for the help.

The "loose = 1" option works well, I am able to connect and list files.

I have not found an EPSV setting in filezilla or in the ftp command line
(netkit-ftp).


--
==============================================
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:frederic@juliana-multimedia.com |
| +33.(0)2.97.54.77.94 +33.(0)6.67.19.95.69 |
===========================Debian=GNU/Linux===
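The conntrack decision Pascal describes, as an added Python model that is not part of this thread or of the kernel's nf_conntrack_ftp code: it parses a 227 (PASV) or 229 (EPSV) reply and reports which endpoint would get a RELATED expectation with loose=0 versus loose=1. The addresses are constructed stand-ins for the masked yy.yy.10.2 and yy.yy.10.10; port 30527 is the one seen in the thread.

```python
import re
from ipaddress import IPv4Address

# Constructed stand-ins for the thread's masked addresses (yy.yy.10.2 / yy.yy.10.10).
CONTROL_SERVER = IPv4Address("203.0.113.2")   # address the client dialled on port 21
DATA_SERVER = IPv4Address("203.0.113.10")     # address advertised in the PASV reply

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" carries an address and a port.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "229 Entering Extended Passive Mode (|||port|)" carries only a port.
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line):
    """Return (advertised_addr or None, port) for a 227/229 reply, else None.
    For EPSV the address is None: the data peer is implicitly the control peer."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        return None, int(m.group(1))
    return None


def expectation_for(reply, control_peer, loose=False):
    """Model of the helper's check: which (addr, port) gets a RELATED
    expectation, or None when the advertised address differs from the
    control peer and loose=0 (the data connection then shows up as NEW)."""
    parsed = parse_passive_reply(reply)
    if parsed is None:
        return None
    addr, port = parsed
    if addr is None or addr == control_peer:   # EPSV, or PASV pointing at the control peer
        return control_peer, port
    if not loose:                               # mismatch rejected: no expectation created
        return None
    return addr, port                           # loose=1: trust the advertised address


if __name__ == "__main__":
    pasv = "227 Entering Passive Mode (203,0,113,10,119,63)"   # 119*256+63 = 30527
    epsv = "229 Entering Extended Passive Mode (|||30527|)"
    print("PASV, loose=0:", expectation_for(pasv, CONTROL_SERVER))
    print("PASV, loose=1:", expectation_for(pasv, CONTROL_SERVER, loose=True))
    print("EPSV, loose=0:", expectation_for(epsv, CONTROL_SERVER))
```

The model also shows why the EPSV suggestion works without loose=1: a 229 reply advertises no address, so there is nothing for the helper to reject.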


Archive: http://lists.debian.org/528A1B3E.5010407@juliana-multimedia.com