05-31-2014, 07:47 AM
#1
Member
Registered: Oct 2013
Posts: 533
How to allow FTP in iptables?
Hello,
I tried:
iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT
(that is the port range I have set in my ProFTPd config file, and ProFTPd was restarted)
I log in to the server successfully via FTP, but when I run a command like "ls", it says:
227 Entering Passive Mode (ipaddresshere)
Active mode returns "425 Unable to build data connection: Connection timed out"
I also tried to flush iptables and use these rules: http://www.tuxradar.com/answers/80
but it is still the same.
Last edited by postcd; 05-31-2014 at 07:58 AM.
05-31-2014, 08:32 AM
#2
Senior Member
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Perhaps add the same rule for OUTPUT as well? Depending on what the rest of the firewall does.
05-31-2014, 08:42 AM
#3
Senior Member
Registered: Feb 2003
Distribution: debian
Posts: 4,137
From your link the newer iptables syntax might replace:
-m state --state
with:
-m conntrack --ctstate
depending on your distro and age of things.
# iptables-save
can hint at what the actual rules in play are on your system.
05-31-2014, 08:43 AM
#4
Member
Registered: Oct 2013
Posts: 533
Original Poster
Quote:
Originally Posted by Shadow_7
Perhaps add the same rule for OUTPUT as well? Depending on what the rest of the firewall does.
OK, I tried that, and now the ruleset is:
Quote:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:49152:65535 dpts:65534:65535 state ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:49152:65535 dpts:65534:65535 state RELATED,ESTABLISHED
But same issue, help please?
Then I flushed the rules, tried again, and got this:
Quote:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
But it still doesn't work. I log in to FTP, but passive or active, nothing is returned when I run any command, just a timeout. Is the iptables kernel FTP module required on a VPS?
Last edited by postcd; 05-31-2014 at 08:48 AM.
05-31-2014, 09:14 AM
#5
Member
Registered: Oct 2013
Posts: 533
Original Poster
Thanks, I don't think ip_conntrack and ip_conntrack_ftp are compiled into the kernel. This is a VPS. So FTP can't work without these, no workaround?
05-31-2014, 03:45 PM
#6
Senior Member
Registered: Feb 2003
Distribution: debian
Posts: 4,137
I assume it works if there is no firewall in use?
You might check tcpdump to see what packets are not making it over. On the server and client and compare them. I've only done ftp over port 20 and 21 the defaults. And I'm more of an app guy than a network one.
06-01-2014, 07:15 AM
#7
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,908
The problem is FTP uses two TCP connections - the client makes the initial connection (the command channel)... then the server makes a connection back to the client (the data channel).
Passive mode reverses the order of the establishment of the data channel requiring the client to make a SECOND connection using a port specified by the server through the command channel. This second channel is unique for each client - and makes having a firewall work (for the server) a bit tricky. It has to monitor the command channel to pick up the port number of the data channel, and essentially dynamically create a rule to allow it.
http://www.slacksite.com/other/ftp.html
You can try the rules shown in:
http://unix.stackexchange.com/questi...w-incoming-ftp
Without using passive mode, FTP will not work through a network address translation router.
As you can see from the rules, it opens up the server to a LOT of unused port possibilities.
Last edited by jpollard; 06-01-2014 at 07:19 AM.
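As jpollard describes, the data-channel port is announced on the command channel: by the server in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, or by the client in a "PORT h1,h2,h3,h4,p1,p2" command, with the port encoded as p1*256 + p2. The shell snippet below is an added example, not code from any post in this thread; it decodes that port from a captured command-channel line and checks it against the passive range the firewall opens (49152-65534 here). The sample lines are constructed. This is a quick way to see whether the port ProFTPd advertises is actually inside the range the INPUT rule allows; the ruleset pasted in post #4 shows two different ranges (dpts:49152:65534 and dpts:65534:65535), which is exactly the kind of mismatch the check catches.

```shell
#!/bin/sh
# Decode the data-channel port that FTP carries over the command channel and
# check it against the passive range the firewall opens. Constructed example.

# Print the TCP port encoded in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply or a client "PORT h1,h2,h3,h4,p1,p2" command: port = p1*256 + p6.
ftp_data_port() {
    # Keep only the digit runs; the last six are h1,h2,h3,h4,p1,p2.
    set -- $(printf '%s\n' "$1" | tr -cs '0-9' ' ')
    [ "$#" -ge 6 ] || return 1
    shift $(( $# - 6 ))
    echo $(( $5 * 256 + $6 ))
}

# Succeed (exit 0) when port $1 lies inside [$2, $3].
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Check one captured command-channel line against the firewall's passive
# range, print a one-line verdict, and return 0 only when the port is allowed.
check_line() {
    line="$1"; lo="$2"; hi="$3"
    port=$(ftp_data_port "$line") || { echo "no port found in: $line"; return 2; }
    if port_in_range "$port" "$lo" "$hi"; then
        echo "port $port is inside $lo-$hi: allowed"
    else
        echo "port $port is outside $lo-$hi: the firewall will drop the data channel"
        return 1
    fi
}

# Constructed samples: a PASV reply inside the thread's range (49152-65534),
# one outside it, and an active-mode PORT command from a client.
check_line '227 Entering Passive Mode (203,0,113,10,193,1)' 49152 65534
check_line '227 Entering Passive Mode (203,0,113,10,39,16)' 49152 65534
check_line 'PORT 192,0,2,20,4,1' 49152 65534
```

Feed it the lines from a client's verbose session or from a tcpdump of port 21 (Shadow_7's suggestion in post #6); if the decoded port falls outside the opened range, the firewall rule and the PassivePorts setting disagree and the "425" timeout follows.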
06-01-2014, 07:26 AM
#8
Member
Registered: Oct 2013
Posts: 533
Original Poster
Quote:
Originally Posted by jpollard
Which rules on that page do you mean exactly? I think I already tried those in the topmost answer on that page.
Quote:
Without using passive mode, FTP will not work through a network address translation router.
Why won't active work? How can I make it work, please?
06-01-2014, 09:25 PM
#9
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,908
Quote:
Originally Posted by postcd
Which rules on that page do you mean exactly? I think I already tried those in the topmost answer on that page.
The one identified as the best answer (the green check marked one)
Quote:
Why won't active work? How can I make it work, please?
Active CANNOT work reliably. The problem is that the NAT router blocks the data channel.
Now if the NAT is only one level deep (as in the IP number on the outside of the NAT device is a public IP number, AND the ISP permits) then the NAT can usually be modified to track connection states for ftp. But that means it has to examine every connection, and all the packets associated with the protocol (because of the complication this does, many don't do it). Since the data channel in active mode requires the client to open and listen on a socket for a connection from the FTP server, the NAT device automatically blocks such connections. For any given connection, it doesn't know what the data channel should be. This is the reason the NAT device has to monitor FTP connections for the transmission of the packet that tells the FTP server what socket to use for the data channel... The NAT device must replace that port with one of its choosing (because there could be two or more FTP sessions, that could use the same port from two (or more) clients). Once that port is identified, then the NAT router can forward the connection actually used to the client's chosen port (which, as I said, may not be the same).
This is a complicated bit of routing... and some routers don't/won't do it.
Last edited by jpollard; 06-01-2014 at 09:27 PM.
06-02-2014, 04:49 AM
#10
Member
Registered: Oct 2013
Posts: 533
Original Poster
Thanks for the explanation. As mentioned, I already tried the rules you advised and it did not work. The author of that StackExchange answer advises "modprobe ip_conntrack_ftp", but as I said I think it's not enabled, and I asked whether it's possible and how to do it without it.
06-02-2014, 07:22 AM
#11
Senior Member
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,908
Quote:
Originally Posted by postcd
Thanks for the explanation. As mentioned, I already tried the rules you advised and it did not work. The author of that StackExchange answer advises "modprobe ip_conntrack_ftp", but as I said I think it's not enabled, and I asked whether it's possible and how to do it without it.
You can't do it without. The connection tracking is what is needed to associate the data channel with the correct command channel.
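To make the thread's conclusion concrete, here is an added example (not code from any post, nor from ProFTPd or the linked answers) of the stateful rule set a server admin would install for the passive range used in this thread, 49152-65534, with the kernel FTP helper doing the work jpollard describes. Two points the thread does not spell out: the helper module is called nf_conntrack_ftp on current kernels (ip_conntrack_ftp on old ones), and since kernel 4.7 conntrack no longer attaches helpers automatically, so the helper has to be bound to the command channel with an explicit CT rule in the raw table. The function also has a "nohelper" mode that shows what the rules look like when the module is unavailable, as on the OP's VPS: the whole passive range must then accept NEW connections, which is the exposure jpollard warns about in post #7. The script prints the commands (IPT=echo) unless invoked with "apply".

```shell
#!/bin/sh
# Stateful iptables rules for an FTP server using PassivePorts 49152-65534,
# relying on the kernel FTP conntrack helper. Constructed example: running
# it without the "apply" argument only prints the rules it would install.
IPT="${IPT:-iptables}"

# Try to load the FTP helper; the module name depends on kernel age. On a
# kernel that lacks the module (the VPS in this thread) this returns
# non-zero, and the RELATED rule below would never match a data connection.
load_ftp_helper() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null
}

# Emit the rules. $1/$2 are the low/high end of the PassivePorts range;
# $3 is "helper" or "nohelper" and selects how the data channel is admitted.
ftp_rules() {
    lo="${1:-49152}"; hi="${2:-65534}"; mode="${3:-helper}"
    # Kernels since 4.7 do not attach conntrack helpers automatically:
    # bind the ftp helper to the command channel explicitly in the raw table.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Command channel (port 21): new and established connections.
    $IPT -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    if [ "$mode" = helper ]; then
        # Passive data channel: admit only connections the helper has tied
        # (RELATED) to a live command channel; the range is otherwise closed.
        $IPT -A INPUT -p tcp --dport "$lo:$hi" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    else
        # Without the helper the whole range must accept NEW connections,
        # which leaves every unused port in it reachable.
        $IPT -A INPUT -p tcp --dport "$lo:$hi" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    fi
    # Replies on any connection the server already accepted; RELATED also
    # lets the helper's active-mode connection from port 20 leave.
    $IPT -A OUTPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone use: "apply" installs the rules, anything else prints them.
if [ "${1:-}" = apply ]; then
    mode=helper
    load_ftp_helper || { echo "warning: FTP conntrack helper unavailable, opening the range to NEW" >&2; mode=nohelper; }
    ftp_rules 49152 65534 "$mode"
else
    (IPT=echo; ftp_rules 49152 65534 helper)
fi
```

After applying, `iptables-save` (Shadow_7's suggestion in post #3) should show the raw-table CT rule and the conntrack matches; `lsmod | grep nf_conntrack_ftp` confirms the helper is loaded. If the module cannot be loaded at all, the "nohelper" variant is the only option left for passive mode, and active mode stays unworkable for the NAT reasons given in post #9.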