Discussion:
Passive FTP problem with a change of IP address
Frédéric Massot
2013-11-15 12:03:19 UTC
Hi,

I have a firewall with iptables rules (kernel 3.10); until now I have
always been able to connect to FTP servers in passive or active mode.

Here are the rules I use:

iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
  -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW \
  -j ACCEPT


I have a problem with the FTP server of one hoster. I connect fine, but
the data connection does not work in passive mode.

I looked at the packets that pass through the firewall with iptraf and I
noticed that the ftp-data connection was going to a different IP address.

Connection to the FTP server (yy.yy.10.2):
192.168.11.66:59577 --> yy.yy.10.2:21

ftp-data transmission to another IP address (yy.yy.10.10):
192.168.11.66:32777 --> yy.yy.10.10:30527

The ftp-data transmission to the other IP address is blocked by my
firewall; it is not considered RELATED.


- Is anything missing from my rules?

- Does the nf_conntrack_ftp module take care of the IP address change?


Regards.
--
==============================================
| FRÉDÉRIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:***@juliana-multimedia.com |
| +33.(0)2.97.54.77.94 +33.(0)6.67.19.95.69 |
===========================Debian=GNU/Linux===
--
To UNSUBSCRIBE, email to debian-firewall-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Archive: http://lists.debian.org/***@juliana-multimedia.com
Pascal Hambourg
2013-11-16 12:50:55 UTC
Hello,
Post by Frédéric Massot
Hi,
I have a firewall with iptables rules (kernel 3.10); until now I have
always been able to connect to FTP servers in passive or active mode.
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
  -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW \
  -j ACCEPT
I have a problem with the FTP server of one hoster. I connect fine, but
the data connection does not work in passive mode.
I looked at the packets that pass through the firewall with iptraf and I
noticed that the ftp-data connection was going to a different IP address.
192.168.11.66:59577 --> yy.yy.10.2:21
192.168.11.66:32777 --> yy.yy.10.10:30527
The ftp-data transmission to the other IP address is blocked by my
firewall; it is not considered RELATED.
By default the FTP connection tracking module nf_conntrack_ftp checks
that the advertised address matches the source address. You may try to
add the option loose=1 when loading the module.
Or you could set your FTP client to use extended passive mode (EPSV),
which does not advertise a passive address.
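An added example, not code from the thread or from the kernel: it mimics the address check Pascal describes. It parses a PASV (227) or EPSV (229) reply and decides whether nf_conntrack_ftp would register a RELATED expectation for the data connection, in strict mode or with loose=1. The addresses (203.0.113.x) and replies are constructed, standing in for the sanitized yy.yy.10.x in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address and port carried in the reply.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "229 Entering Extended Passive Mode (|||port|)": only the port; address is implied.
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


@dataclass
class Expectation:
    addr: str        # where the firewall will expect the client's data connection to go
    port: int
    extended: bool   # True for EPSV


def parse_passive_reply(reply: str, control_peer: str) -> Optional[Expectation]:
    """Extract the advertised data endpoint from a server reply on the control channel."""
    m = PASV_RE.match(reply)
    if m:
        a, b, c, d, p1, p2 = map(int, m.groups())
        return Expectation(f"{a}.{b}.{c}.{d}", p1 * 256 + p2, False)
    m = EPSV_RE.match(reply)
    if m:
        # EPSV never advertises an address: the data connection goes to the
        # same host as the control connection, so there is nothing to mismatch.
        return Expectation(control_peer, int(m.group(1)), True)
    return None


def would_conntrack_expect(reply: str, control_peer: str, loose: bool = False) -> Optional[Expectation]:
    """Decision modelled on the helper's behaviour (not the kernel's own code).

    Strict mode only creates an expectation when the advertised address equals
    the control connection's peer. The reason is defensive: a server that names a
    third host would otherwise make the firewall open a RELATED hole toward that
    host. loose=1 removes the check, as needed for the hoster in the thread.
    """
    exp = parse_passive_reply(reply, control_peer)
    if exp is None:
        return None
    if exp.extended or loose or exp.addr == control_peer:
        return exp
    return None
```

Run it with the mismatching reply both ways to see that only loose=1 (or EPSV) yields an expectation for the second address.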
Frédéric Massot
2013-11-18 13:50:54 UTC
Post by Pascal Hambourg
Hello,
Post by Frédéric Massot
Hi,
I have a firewall with iptables rules (kernel 3.10); until now I have
always been able to connect to FTP servers in passive or active mode.
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -i $INTERNAL_INTERFACE -o $EXTERNAL_INTERFACE \
  -s $INTERNAL_LAN --sport $UNPRIVPORTS --dport 21 -m state --state NEW \
  -j ACCEPT
I have a problem with the FTP server of one hoster. I connect fine, but
the data connection does not work in passive mode.
I looked at the packets that pass through the firewall with iptraf and I
noticed that the ftp-data connection was going to a different IP address.
192.168.11.66:59577 --> yy.yy.10.2:21
192.168.11.66:32777 --> yy.yy.10.10:30527
The ftp-data transmission to the other IP address is blocked by my
firewall; it is not considered RELATED.
By default the FTP connection tracking module nf_conntrack_ftp checks
that the advertised address matches the source address. You may try to
add the option loose=1 when loading the module.
Or you could set your FTP client to use extended passive mode (EPSV),
which does not advertise a passive address.
Thank you for the help.

The "loose = 1" option works well, I am able to connect and list files.

I have not found an EPSV setting in FileZilla or in the command-line ftp
client (netkit-ftp).
Pascal Hambourg
2013-11-19 23:09:26 UTC
Post by Frédéric Massot
I have not found an EPSV setting in FileZilla or in the command-line ftp
client (netkit-ftp).
As an alternative to netkit-ftp, I use tnftp which supports extended
passive and active modes. However the server software must also support
them.