-   Linux - Networking (
-   -   Active FTP Client Problems (

Sarcha 06-28-2005 03:24 PM

Active FTP Client Problems
I am having problems getting a machine to do automatic updates behind my firewall. Apparently the program uses an active ftp connection back to there server. I currently have a linux machine running gShield and was wondering what rules i would need to create to get just the one machine to be able to do active transfers. I think i need something like accept connections from on port 20 to high ports on destination client. Any help would be great I'm a little new to the whole IP Tables thing.


vimico 06-28-2005 06:12 PM

The most promising route is to check the configuration file of your update program to use passive ftp, thus avoiding the problem in the first place.

If this is not possible:

I don't know gShield, but it seems it uses iptables.

iptables can be instructed to let related connections back in. You might find an iptables rule containing "--state ESTABLISHED,RELATED -j ACCEPT".

In order to determine what a "related" connection is, the modules ip_conntrack and ip_conntrack_ftp must be loaded.

This module listens in to the conversation between your program and the ftp server and determines what ports will be used. It then opens these ports.

The simplest way of loading these modules is a

modprobe ip_conntrack
modprobe ip_conntrack_ftp

at the beginning of the firewall script. But I don't know how to tell gShield to do that.

There is another pitfall. If the ftp server does not use the standard ftp port (21), the module will miss that conversation and will not open the ports.

In short, try to find the "passive ftp" setting in the update program :)

Sarcha 06-29-2005 03:59 PM

Thanks for your help...I think I got things figured out. I couldn't get the updater to use Passive mode or I would have done that to save some time. These are the two rules I ended up creating....

iptables -A INPUT -p tcp -s <FTP CLIENT IP> --dport ftp -j ACCEPT
iptables -A INPUT -p tcp -s <FTP CLIENT IP> -m state --state RELATED,ESTABLISHED -j ACCEPT

I also had to run the following commands as mentioned in the previous post....

modprobe ip_conntrack
modprobe ip_conntrack_ftp

I found that I also had to load the following

modprobe ip_nat_ftp

This is only if you server is running NAT as well though.

Hope this helps someone else with the same issue and once again thanks for the help!


All times are GMT -5. The time now is 08:13 PM.