iptables ftp conntrack using port != 21

This is a discussion on iptables ftp conntrack using port != 21 within the Linux Networking forums, part of the Linux Forums category; Hi everyone, I want to run the ftp server of my linux box on a non-standard port (say, 20 ...


#1
03-12-2008
Eric
iptables ftp conntrack using port != 21

Hi everyone,

I want to run the ftp server of my linux box on a non-standard port
(say, 20 for data but 666 for handshake). The problem is that
obviously the connection tracking module in iptables only works with
ports 20/21. If I check my logs I see that the client's LIST command
is recognized as a NEW connection if my ftp server is set to use port
666.
Is this a fact or am I just missing some setting?

Thanks in advance,
Eric
#2
03-12-2008
Pascal Hambourg
Re: iptables ftp conntrack using port != 21

Hello,

Eric wrote:
>
> I want to run the ftp server of my linux box on a non-standard port
> (say, 20 for data but 666 for handshake). The problem is that
> obviously the connection tracking module in iptables only works with
> ports 20/21.


AFAIK port 20 is not involved in FTP connection tracking as it does not
appear in port/passive commands.

> If I check my logs I see that the client's LIST command
> is recognized as a NEW connection if my ftp server is set to use port
> 666.
> Is this a fact or am I just missing some setting?


Hint: modinfo ip_conntrack_ftp (or nf_conntrack_ftp on recent kernels)
#3
03-13-2008
Philippe Weill
Re: iptables ftp conntrack using port != 21

Eric wrote:
> Hi everyone,
>
> I want to run the ftp server of my linux box on a non-standard port
> (say, 20 for data but 666 for handshake). The problem is that
> obviously the connection tracking module in iptables only works with
> ports 20/21. If I check my logs I see that the client's LIST command
> is recognized as a NEW connection if my ftp server is set to use port
> 666.
> Is this a fact or am I just missing some setting?
>


You could load the ip_conntrack_ftp module with another port in its configuration:

modprobe ip_conntrack_ftp ports=21,<port>



> Thanks in advance,
> Eric

#4
03-13-2008
Eric
Re: iptables ftp conntrack using port != 21

On 13 Mar., 07:23, Philippe Weill <Philippe.We...@aero.jussieu.fr>
wrote:

> modprobe ip_conntrack_ftp ports=21,<port>


Ah, thanks, obviously this is exactly what I was looking for. :)
Btw, I'm using a 99% monolithic kernel, so what does the boot
parameter look like? Is it

ip_conntrack_ftp.ports=<xxx>

(I'm using lilo but that shouldn't influence the parameter syntax)?

Regards, Eric
#5
03-13-2008
Philippe Weill
Re: iptables ftp conntrack using port != 21

Eric wrote:
> On 13 Mar., 07:23, Philippe Weill <Philippe.We...@aero.jussieu.fr>
> wrote:
>
>> modprobe ip_conntrack_ftp ports=21,<port>

>
> Ah, thanks, obviously this is exactly what I was looking for. :)
> Btw, I'm using a 99% monolithic kernel, so what does the boot
> parameter look like? Is it
>
> ip_conntrack_ftp.ports=<xxx>


Perhaps it's a mistake, but I think you couldn't if it's not a module.

>
> (I'm using lilo but that shouldn't influence the parameter syntax)?
>
> Regards, Eric

#6
03-14-2008
Eric
Re: iptables ftp conntrack using port != 21

On 13 Mar., 17:34, Philippe Weill <Philippe.We...@aero.jussieu.fr>
wrote:

> Perhaps it's a mistake, but I think you couldn't if it's not a module.


Hmm, I thought this was the standard syntax for in-kernel "modules".
Isn't there anyone out there who knows for sure? :)

Regards, Eric
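The complete setup the thread converges on, as an added example that is not from any of the posters: a POSIX shell script that emits the FTP helper's port list both ways (the `options` line for /etc/modprobe.d/ when the helper is a loadable module, as in Philippe's post #3, and the `module.parameter=value` form on the kernel command line, which is the syntax the kernel documents for parameters of built-in modules and is what Eric asks about in posts #4 and #6), together with the iptables rules that let the FTP data connections be accepted as RELATED, and a check that reads back which ports the loaded helper actually tracks. It uses the newer module name nf_conntrack_ftp that Pascal mentions; the port 666 in the usage call is the value from the thread; the `CT --helper` rule in the raw table is an addition for kernels where automatic helper assignment is disabled (the default since Linux 4.7), so that the helper is attached to the control connection on a port of your choosing rather than to every connection that happens to look like FTP.

```shell
#!/bin/sh
# Added example (not from the thread): FTP conntrack on a non-standard
# control port. Port 666 below is the constructed value from the thread.

# Accept a comma-separated list of TCP ports; reject anything that is not
# digits/commas, empty fields, or a number outside 1-65535.
valid_ports() {
    case "$1" in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
    esac
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# Print the two ways to hand the port list to nf_conntrack_ftp:
#   line 1: options line for a file under /etc/modprobe.d/ (loadable module)
#   line 2: kernel command line form for a helper built into the kernel
ftp_helper_config() {
    valid_ports "$1" || return 1
    printf 'options nf_conntrack_ftp ports=%s\n' "$1"
    printf 'nf_conntrack_ftp.ports=%s\n' "$1"
}

# Print the iptables rules for a server whose control channel listens on $1.
# The raw-table CT rule binds the ftp helper to that port explicitly
# (needed where net.netfilter.nf_conntrack_helper is 0). Passive-mode data
# connections then arrive as RELATED; active-mode ones leave from port 20
# as RELATED on OUTPUT, so port 20 needs no rule of its own.
ftp_server_rules() {
    valid_ports "$1" || return 1
    cat <<EOF
iptables -t raw -A PREROUTING -p tcp --dport $1 -j CT --helper ftp
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Read back the ports the loaded helper tracks; returns 1 when the helper is
# not loaded (or is built in without exposing the parameter).
ftp_helper_ports_loaded() {
    f=/sys/module/nf_conntrack_ftp/parameters/ports
    [ -r "$f" ] || return 1
    cat "$f"
}

# Usage: generate the configuration for control port 666 plus the default.
ftp_helper_config 21,666
ftp_server_rules 666
ftp_helper_ports_loaded || echo "nf_conntrack_ftp parameter not readable on this host"
```

The third function is the check a practitioner wants after changing the port list: if `/sys/module/nf_conntrack_ftp/parameters/ports` still reads `21`, the helper was loaded before the options line existed and needs to be reloaded (or the machine rebooted with the command line form); if it reads `21,666`, a LIST on the control port should now produce a RELATED data connection instead of the NEW one Eric saw in his logs.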