Old 06-28-2005, 03:24 PM   #1
LQ Newbie
Registered: Feb 2003
Posts: 15

Rep: Reputation: 0
Active FTP Client Problems

I am having problems getting a machine to do automatic updates behind my firewall. Apparently the program uses an active FTP connection back to their server. I currently have a Linux machine running gShield and was wondering what rules I would need to create to get just the one machine to be able to do active transfers. I think I need something like: accept connections from port 20 to high ports on the destination client. Any help would be great; I'm a little new to the whole iptables thing.

Old 06-28-2005, 06:12 PM   #2
Registered: Jan 2004
Distribution: Debian, Ubuntu
Posts: 118

Rep: Reputation: 15
The most promising route is to check the configuration file of your update program to use passive ftp, thus avoiding the problem in the first place.

If this is not possible:

I don't know gShield, but it seems it uses iptables.

iptables can be instructed to let related connections back in. You might find an iptables rule containing "--state ESTABLISHED,RELATED -j ACCEPT".

In order to determine what a "related" connection is, the modules ip_conntrack and ip_conntrack_ftp must be loaded.

This module listens in to the conversation between your program and the ftp server and determines what ports will be used. It then opens these ports.

The simplest way of loading these modules is a
modprobe ip_conntrack
modprobe ip_conntrack_ftp
at the beginning of the firewall script. But I don't know how to tell gShield to do that.

There is another pitfall. If the ftp server does not use the standard ftp port (21), the module will miss that conversation and will not open the ports.

In short, try to find the "passive ftp" setting in the update program.

Old 06-29-2005, 03:59 PM   #3
LQ Newbie
Registered: Feb 2003
Posts: 15

Original Poster
Rep: Reputation: 0
Thanks for your help...I think I got things figured out. I couldn't get the updater to use Passive mode or I would have done that to save some time. These are the two rules I ended up creating....

iptables -A INPUT -p tcp -s <FTP CLIENT IP> --dport ftp -j ACCEPT
iptables -A INPUT -p tcp -s <FTP CLIENT IP> -m state --state RELATED,ESTABLISHED -j ACCEPT

I also had to run the following commands as mentioned in the previous post....

modprobe ip_conntrack
modprobe ip_conntrack_ftp

I found that I also had to load the following

modprobe ip_nat_ftp

This is only if your server is running NAT as well though.

Hope this helps someone else with the same issue and once again thanks for the help!
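A firewall-side script that ties the two replies together, as an added example that is not from this thread: it loads the conntrack helper modules (including the non-standard-port caveat from reply #2) and adds rules so that only one internal client can use active FTP through a NATting iptables gateway. The use of the FORWARD chain, the `run`/`DRY_RUN` wrapper and the function name are my assumptions; the module names are the ones given in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes an iptables NAT gateway that
# forwards the client's traffic (FORWARD chain) on a 2.4/2.6-era kernel
# with the ip_conntrack* module names used above.

# Print the commands instead of executing them when DRY_RUN is set,
# so the rule set can be reviewed before it touches a live firewall.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# active_ftp_rules CLIENT_IP [CONTROL_PORT ...]   (default control port 21)
active_ftp_rules() {
    client="$1"; shift
    ports="${*:-21}"
    ports_csv=$(echo "$ports" | tr ' ' ',')

    # Conntrack core plus the FTP helper, which watches the control channel
    # for PORT/PASV and pre-opens ("expects") the data connection. Control
    # ports other than 21 must be listed, otherwise the helper never sees
    # the conversation and the data connection is dropped (reply #2).
    run modprobe ip_conntrack
    run modprobe ip_conntrack_ftp ports="$ports_csv"
    # NAT helper that rewrites the client's private address inside the PORT
    # command; only needed when the gateway masquerades (reply #3).
    # Assumption: it follows the conntrack helper's port list on this kernel.
    run modprobe ip_nat_ftp

    # Outbound control connection: permitted for this one client only.
    for p in $ports; do
        run iptables -A FORWARD -p tcp -s "$client" --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    # Inbound data connection (server port 20 -> client high port) arrives
    # as RELATED because the helper expected it; replies on the control
    # channel are ESTABLISHED. No unsolicited inbound NEW is accepted.
    run iptables -A FORWARD -p tcp -d "$client" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Client-side packets of both connections once they exist.
    run iptables -A FORWARD -p tcp -s "$client" \
        -m state --state ESTABLISHED -j ACCEPT
}
```

Run with `DRY_RUN=1 sh -c '. ./ftp-rules.sh; active_ftp_rules 192.168.1.10'` to inspect the generated commands; the default policy for FORWARD is assumed to be DROP, which this script does not set.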