Old 11-09-2009, 04:08 AM   #1
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Rep: Reputation: 36
Iptables and FTP when the server is listening on a non-standard port?


Hi there,
I'm using iptables with the module ip_conntrack_ftp to be able to use passive ftp. It works well as long as port 21 is being used as the listening port. Is there any way to make it work when I configure my ftp server (vsftpd) to listen on an alternative port, let's say 21001 or something?
The helper module only seems to be working properly with the standard port, so I was wondering whether there was a way to "tell it" that another port is being used? I mean, of course I make a rule in the fw to allow traffic to the alternative port, but once it's time to start the passive connection, the iptables module cannot handle it properly. I could solve the problem by making a range of passive ports in the ftp-server configuration and allowing the incoming traffic to them, but then using helper modules doesn't make any sense. I just want to allow the traffic to the listening port and then want the ip_conntrack_ftp module to take care of the rest. This is what I do today, but only port 21 seems to be working. Is there a way to do this with a non-standard ftp port?

Any ideas?
Thanks in advance!

Last edited by MheAd; 11-09-2009 at 04:21 AM.
 
Old 11-09-2009, 07:36 AM   #2
bhaslinux
Member
 
Registered: Oct 2003
Location: UnitedKingdom
Distribution: Debian Bullseye
Posts: 357

Rep: Reputation: 49
It will be a lot easier if you can give us the iptables rules you have used.
iptables -t nat -L
iptables -L
 
Old 11-09-2009, 08:33 AM   #3
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Original Poster
Rep: Reputation: 36
Quote:
Originally Posted by bhaslinux
It will be a lot easier if you can give us the iptables rules you have used.
iptables -t nat -L
iptables -L
I've not set anything on the nat table.

This is an example of my rules. I may add other stuff, but you can understand the point by reading the rows below.

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- localhost anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Note the last rule in INPUT (ftp=21). I want to change my listening port to 21001, so I would, of course, replace that rule with --dport 21001, but it doesn't work then: the conntrack_ftp module only works with passive ftp if 21 is used as the listening port. Is there a way to make it work with 21001 for instance, and how in that case?

So, I simply wonder whether there is a way to use iptables ftp-helper modules with an alternative listening port (instead of port 21).

Last edited by MheAd; 11-09-2009 at 08:43 AM.
 
Old 11-09-2009, 12:29 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Specify the port you want the module to use when you load it. Example:
Code:
modprobe ip_conntrack_ftp ports=21001
 
Old 11-09-2009, 01:41 PM   #5
MheAd
Member
 
Registered: Jun 2007
Distribution: Ubuntu 14.04
Posts: 186

Original Poster
Rep: Reputation: 36
Quote:
Originally Posted by win32sux
Specify the port you want the module to use when you load it. Example:
Code:
modprobe ip_conntrack_ftp ports=21001
Thanks for the reply!
However, it doesn't seem to be working.
Perhaps another module needs a similar option.
ip_conntrack_ftp is not the only iptables module I'm loading. I'm even loading ip_conntrack_netbios_ns and ip_nat_ftp.

Also, is there any way I could make these options load automatically (these modules are loaded by the IPTABLES_MODULES variable in /etc/sysconfig/iptables_config)? I was hoping that something like

options ip_conntrack_ftp ports=21001

in /etc/modprobe.conf would do it, but obviously it does not.

Either way, even when manually loaded, ip_conntrack_ftp with ports=21001 option is not enough for proper function of iptables against listening port 21001.

Any more ideas?

Thanks in advance!

Last edited by MheAd; 11-09-2009 at 01:42 PM.
 
Old 11-11-2009, 05:16 PM   #6
shizzles
LQ Newbie
 
Registered: Jun 2005
Location: Chicago
Distribution: Ubuntu Server & Debian 6
Posts: 23

Rep: Reputation: 1
Hey,


So as of right now your iptables rules are allowing traffic on port 22 and port 21. You need to add rules so that they also allow passive ftp traffic (RELATED).

http://www.sns.ias.edu/~jns/wp/2006/...-tracking-ftp/

Those rules should help.
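An added example, not from this thread or any of its posters, that puts win32sux's ports= option and shizzles's RELATED rules together for a server listening on 21001. It assumes a current kernel, where the modules are named nf_conntrack_ftp and nf_nat_ftp (the thread's ip_conntrack_ftp and ip_nat_ftp) and where the control connection must be bound to the helper explicitly with the CT target, because automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0) since kernel 4.7; the modprobe.d file name and the "apply" argument are my own choices.

```shell
#!/bin/sh
# Added example: FTP conntrack helper for a server on a non-standard port.
# Modern kernels name the modules nf_conntrack_ftp / nf_nat_ftp. With no
# argument the script only prints the commands; "sh ftp-helper.sh apply" runs them as root.
FTP_PORT="${FTP_PORT:-21001}"   # control port vsftpd listens on
DRY_RUN=1

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# modprobe.d entry so the helper is loaded with the right port list on boot
# (the parameter is an array of up to 8 ports; 21 is kept alongside 21001).
modprobe_conf() {
    printf 'options nf_conntrack_ftp ports=21,%s\n' "$FTP_PORT"
}

# The helper only adds RELATED expectations for the data channel; the
# ruleset must still accept RELATED/ESTABLISHED and NEW to the control port.
# Since kernel 4.7 automatic helper assignment is off by default
# (net.netfilter.nf_conntrack_helper=0), so the control connection is bound
# to the helper explicitly with the CT target in the raw table.
ftp_helper_rules() {
    run modprobe nf_conntrack_ftp ports=21,"$FTP_PORT"
    run modprobe nf_nat_ftp
    run iptables -t raw -A PREROUTING -p tcp --dport "$FTP_PORT" -j CT --helper ftp
    run iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$FTP_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Confirm the loaded helper really tracks the wanted port (this is the check
# that shows whether "ports=" took effect).
check_helper_ports() {
    f=/sys/module/nf_conntrack_ftp/parameters/ports
    [ -r "$f" ] && tr ',' '\n' < "$f" | grep -qx "$FTP_PORT"
}

case "${1:-}" in
    apply)
        DRY_RUN=0
        modprobe_conf > /etc/modprobe.d/nf_conntrack_ftp.conf
        ftp_helper_rules
        check_helper_ports || echo "helper is not tracking port $FTP_PORT" >&2
        ;;
    *)
        echo "# dry run; pass 'apply' to execute as root"
        echo "# contents for /etc/modprobe.d/nf_conntrack_ftp.conf:"
        modprobe_conf
        ftp_helper_rules
        ;;
esac
```

The dry run prints exactly what would be executed, so the rules can be reviewed before they touch a live firewall.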