I was hoping that somebody could help me with what looks like a firewall issue on the client's side.
We run an FTP server in house and it works for most all people trying to connect.
The clients having trouble are ones running Linux (specifically Red Hat 7.x and above) and using Windows boxes to connect with FTP clients to our server.
If the clients use passive mode they connect OK but can't do things like create directories or upload files. Change directory seems to work OK.
If they use active mode they can't connect at all or have great troubles doing it.
I have the ip_conntrack_ftp module running on their end so that can't be it. We even opened up the ports for them quite a lot and still no go.
If I run an FTP session from that Linux box it connects perfectly, so I am assuming it has something to do with either the client OR IPTABLES.
However, here is the weird part. IE doesn't work, command line doesn't work, BUT WS-FTP LE works awesome. Not sure what it does special but it works. Problem is that people won't just use that. They want their stuff to work.
Active FTP is a bit of a bugger. It uses port 21 to send commands etc. and port 20 to send data. You have the conntrack module loaded so you need to configure the states to make this work. For passive FTP an ESTABLISHED connection is sufficient, but because active FTP uses a different port for the data you need to use the RELATED state. Check out http://www.sns.ias.edu/~jns/security...conntrack.html for a good description of this; down the bottom of the document there is a description of the state you need to set for active (and passive) FTP to work.
Does LIST work? Or can they only change directories if they know where the directory is? In other words, do they log in, send LIST and get the list of files? If they do then maybe it is a permission thing, although if WS FTP works then maybe not.
Nothing in the logs that sheds any light? Does it work on a machine on the local network? (That may prove whether it is iptables or something in the FTP setup, assuming that your local rules are fairly open.) I guess you could log a session with tcpdump and run it through ethereal to see what might be going on.
Do you log dumped packets with iptables? If you don't, that may also be worth trying, to see if packets start getting dumped after they connect. Just add the -LOG command before the final DROP.
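Added example, not part of any post in this thread: when reading the control channel in a tcpdump/ethereal capture as suggested above, the PORT command (active) and the 227 reply (passive) announce the data connection that the firewall's FTP connection tracking has to accept as RELATED. The Python sketch below decodes those announcements; the function names, the `addr_matches_peer` flag and the sample addresses are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2: six decimal bytes, as defined for PORT and 227 in RFC 959.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_endpoint(line):
    """Return (mode, ip, port) announced by one control-channel line, or None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"      # client tells the server where to connect
    elif text.startswith("227"):
        mode = "passive"     # server tells the client where to connect
    else:
        return None
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return mode, ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def expected_data_flows(control_lines, client_ip, server_ip):
    """List the data connections a stateful firewall has to accept as RELATED."""
    flows = []
    for line in control_lines:
        ep = data_endpoint(line)
        if ep is None:
            continue
        mode, ip, port = ep
        if mode == "active":
            # Server connects from its data port 20 to the announced client port.
            src, peer = (server_ip, 20), client_ip
        else:
            # Client connects from an ephemeral port to the announced server port.
            src, peer = (client_ip, None), server_ip
        # False when the announced address is not the one the peer sees (e.g. NAT).
        flows.append({"mode": mode, "src": src, "dst": (ip, port),
                      "addr_matches_peer": ip == peer})
    return flows


# Constructed control-channel lines using documentation addresses.
SAMPLE = ["USER demo", "PORT 192,168,1,10,19,137",
          "227 Entering Passive Mode (203,0,113,5,195,80)"]
```

Calling `expected_data_flows(SAMPLE, "198.51.100.7", "203.0.113.5")` lists one inbound flow for active mode and one outbound flow for passive mode, which can then be compared with the packets the firewall logs as dropped.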