LinuxQuestions.org
Old 06-12-2006, 06:51 PM   #1
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Rep: Reputation: 30
Proftpd passive connections


I stopped passive connections; they open too big a hole in my firewall, 60000:65535. So to stop it I'm using:
Quote:
<Global>
<Limit EPSV PASV>
Deny All
</Limit>
</Global>
taken from proftpd.org ... but I can't connect to my FTP anymore ... My question is: how important are passive connections in FTP? Second: can I, by using connection tracking in iptables, do without opening a hole of 55535 ports??
Thanks.

 
Old 06-14-2006, 09:02 PM   #2
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
I don't think I'm asking the world ... (lots of my posts stay at 0 ... )
Anyway, I saw passive connections are important for FTP; the problem is in the firewall script for an FTP server behind NAT.
On proftpd I have PassivePorts 60000 65534
Quote:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
$IPT -t nat -I PREROUTING -p tcp -i eth0 -d 192.168.0.2 --dport 60000:65534 --to 192.168.1.6:60000:65534
Of course that's wrong:
Quote:
iptables v1.2.11: Unknown arg `--to'
Try `iptables -h' or 'iptables --help' for more information.
How do I make a PREROUTING rule for a range of ports???
Simple, isn't it???

Last edited by gabsik; 06-14-2006 at 09:50 PM.
 
Old 06-15-2006, 03:23 AM   #3
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Your firewall rule doesn't tell iptables what to do with packets that match it. So you'll need to add an "if-the-packet-matches-DO-SOMETHING". This *something*, I'm assuming, is DNATing. So here's how the rule should look:
Code:
$IPT -t nat -I PREROUTING -i eth0 -d 192.168.0.2 -p tcp --dport 60000:65534 -j DNAT --to-destination 192.168.0.6
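As an added example (not code from the thread), here is the router side of what gabsik and Notwerk are discussing, put together as one script: the FTP conntrack/NAT helpers from post #2 plus DNAT rules written with --to-destination. The addresses, interface and PassivePorts range are the thread's; the variable names, script layout and the "apply" argument are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): NAT router rules for a ProFTPD server
# on the LAN. Assumed addresses follow the thread: external interface eth0
# with address 192.168.0.2, FTP server at 192.168.1.6, and proftpd.conf
# carrying "PassivePorts 60000 65534". IPT/MODPROBE default to the real
# tools; set both to "echo" to print the rules instead of applying them.
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-192.168.0.2}"
FTP_SRV="${FTP_SRV:-192.168.1.6}"
PASV="${PASV:-60000:65534}"

ftp_nat_rules() {
    # The conntrack helper reads the control channel (port 21) and registers
    # the data connection that PASV negotiates as RELATED to it; the NAT
    # helper rewrites the private address in the "227 Entering Passive Mode"
    # reply and NATs that expected data connection the same way.
    # (Module names as in the thread; current kernels call them
    # nf_conntrack_ftp and nf_nat_ftp.)
    "$MODPROBE" ip_conntrack_ftp
    "$MODPROBE" ip_nat_ftp

    # Control channel: forward port 21 on the external address to the server.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SRV"
    # Passive range: --dport takes low:high; giving --to-destination only a
    # host keeps the original port, so 60000 stays 60000 after translation.
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp \
        --dport "$PASV" -j DNAT --to-destination "$FTP_SRV"

    # FORWARD (policy DROP): only the control channel may open a NEW
    # connection. Data connections are accepted solely as RELATED, so an
    # unsolicited SYN to 60000:65534 is still dropped even though it was
    # DNATed above; this is what keeps the range from being "open".
    "$IPT" -A FORWARD -i "$EXT_IF" -d "$FTP_SRV" -p tcp --dport 21 \
        -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when invoked explicitly: "sh ftp-nat.sh apply".
if [ "${1:-}" = "apply" ]; then
    ftp_nat_rules
fi
```

On kernels since 4.7 the helper is no longer attached to port 21 automatically, so a `-t raw -p tcp --dport 21 -j CT --helper ftp` rule is needed in addition to loading the module.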
 
Old 06-16-2006, 08:23 PM   #4
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
That's how I'm doing it and my FTP doesn't work .... STILL!
Quote:
$IPT -t nat -I PREROUTING -p tcp -i eth0 -d 192.168.0.2 --dport 60000:65534 -j DNAT --to 192.168.1.6:60000-65534
Would you give it a try? ftp://ftp.gabrix.ath.cx, feel free.
I missed -j DNAT in the post, not in reality, but still ... I would avoid passive connections, too many ports to open.
It would be nice to have a module allowing FTP-related connections, with whatever is not related dropped by the iptables default. ( ??? )

Last edited by gabsik; 06-16-2006 at 09:25 PM.
 
Old 06-17-2006, 02:08 AM   #5
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Tried to connect to the link provided, but no go.

Could you provide more details about your setup:
1) There seem to be 2 private networks (192.168.0.0 & 192.168.1.0), is this correct?

Quote:
...the problem is on the firewall script for a ftp server behind NAT
2) Are you applying the firewall rules at the router?

3) Did you try this?
Code:
... -j DNAT --to-destination 192.168.1.6

Last edited by Notwerk; 06-17-2006 at 02:09 AM.
 
Old 06-18-2006, 06:18 AM   #6
gabsik
Member
 
Registered: Dec 2005
Location: italia
Distribution: Debian Kali
Posts: 541

Original Poster
Rep: Reputation: 30
I have configured proftpd PassivePorts 60000:65534; on the router, ports 20, 21 and 60000:65534 are open (???). The linuxbox has default INPUT DROP and all these ports are allowed in PREROUTING and DNATted to the FORWARD chain, where of course they are all allowed ... proftpd looks easy ...