A active FTP server

muppski · 07-26-2005, 04:08 PM

Hey

I've setup a FTP server. (proftpd)
But I need to ensure that people who are behind nat and such can access me too in Active mode (thats what you call non-passive mode right?

Is there anything I can do serverside?
is there anything they can do client side? if then how?

is there something we BOTH need to do?

or just make sure they can connect to me in passive...

mpeg4codec · 07-26-2005, 08:08 PM

If you're both behind NAT, they'll probably have to access you using PASV. I don't think there's any way around that. You could maybe set up a GRE tunnel, but good luck getting that to pass through your router if FTP won't. That would be overkill and more trouble than it's worth, anyway.

Matir · 07-26-2005, 10:04 PM

Actually, if you're both behind NAT, you're generally in for a bit of trouble.

One of the firewalls basically has to be able to track ftp connections (i.e., ipt_conntrack_ftp, IIRC). Or both.

Generally, though, if your firewall is capable of this, and you allow state=RELATED packets, you should be good to go.

muppski · 07-27-2005, 12:32 AM

So basiclly

Code:

iptables -A INPUT -p tcp --dport 21 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Will do?
or is it sport?

Or is this just wrong?

BTW : i got

modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat
in my iptables script

Matir · 07-27-2005, 12:34 AM

Generally speaking, you should accept ESTABLISHED,RELATED on all ports.

muppski · 07-27-2005, 12:47 AM

oh this?

Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

btw I noticed you said
ipt_conntrack_ftp
and i have
ip_conntrack_ftp

Are they different?

deoren · 07-27-2005, 01:07 PM

Here is a snippet from an iptables script I run:

Code:

# load ftp connection tracking module if it isn't already loaded
if [ ! `lsmod 2>/dev/null | grep -q "ip_conntrack_ftp"` ]; then
    modprobe ip_conntrack_ftp ports=21
fi

# load ftp nat module if it isn't already loaded
# From my own trial and efforts, this module is needed
# in order to successfully do a list on a remote host.
# This is because with passive ftp the server tells
# the client which high unprivileged port the client
# needs to connect to.  Without (either this one or 
# above module, not sure which) the module, you would
# have to allow outgoing requests from all unprivileged
# ports. 
# https://lists.netfilter.org/pipermai...ay/011604.html
if [ ! `lsmod 2>/dev/null | grep -q "ip_nat_ftp"` ]; then
    modprobe ip_nat_ftp ports=21

If you're running on an alternate port (from the outside) you'll want to change 21 to whatever you've decided to use.