This is a discussion on iptables-nat-ftp question within the Linux Security forums, part of the System Security and Security Related category.
Hey all,
I have enabled ip_conntrack_ftp and ip_nat_ftp modules, I am using masquerading on my firewall and have forwarding open both ways but cannot get connected to certain passive FTP hosts.

I have >1024 open (with exceptions for common bad ports) and ports 20,21 open.

When I run ls it hangs -> below is output:

230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 'EPSV': command not understood.
227 Entering Passive Mode (216,37,65,60,12,236)
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls (1214 bytes).

END OUTPUT

Does anyone know the workaround for this in iptables ?

Thanks,
Chris
On Tue, 20 Apr 2004 20:39:07 +0000, Brad Olin wrote:
> On Tue, 20 Apr 2004 13:53:21 -0700, Chris Etzel <hellno@idontwantspam.com> wrote:
>
>> Hey all,
>>
>> I have enabled ip_conntrack_ftp and ip_nat_ftp modules, i am using
>> masquerading on my firewall and have forwarding open both ways but cannot
>> get connected to certain passive FTP hosts.
>>
>> I have >1024 open (with exceptions for common bad ports) and ports 20,21
>> open.
>>
>> When I run ls it hangs -> below is output:
>>
>> 230 User logged in.
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> ls
>> 500 'EPSV': command not understood.
>> 227 Entering Passive Mode (216,37,65,60,12,236)
>> 200 PORT command successful.
>> 150 Opening ASCII mode data connection for /bin/ls (1214 bytes).
>>
>> END OUTPUT
>>
>> Does anyone know the workaround for this in iptables ?
>
> With the ip_conntrack_ftp module active you shouldn't need to open port
> 20 yourself (or ports >1024), ip_conntrack_ftp should open the data port
> for you.
>
> My guess is your server requires active transfer mode and your client is
> attempting to use passive transfer mode. Enter the command 'passive' to
> toggle your transfer mode prior to the 'ls' command.
>
> Brad

Thank you Brad. You were correct. That particular server uses active mode. Thanks a bunch.

Chris
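The point Brad makes, that the FTP conntrack helper makes the blanket ">1024" rule unnecessary, is easier to see in a concrete ruleset. The script below is an added example written for this thread, not code posted by Chris or Brad: it loads the two helper modules named in the thread and builds a FORWARD chain that admits only the control connection (port 21) plus anything conntrack classifies as RELATED or ESTABLISHED. Interface names, the LAN range and the DRY_RUN switch are assumptions made for illustration; with DRY_RUN=1 (the default) it only prints the commands so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal ruleset for a
# masquerading Linux firewall whose LAN clients use FTP. It relies on the
# FTP connection-tracking helper Brad refers to, so the FORWARD chain only
# needs RELATED,ESTABLISHED plus port 21 instead of opening every port >1024.
# Interface names and the LAN range are assumptions for illustration.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = apply them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_helper_rules() {
    # 2.4-era module names as used in the thread; on 2.6+ kernels the
    # equivalents are nf_conntrack_ftp and nf_nat_ftp.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp

    # Start from a deny-by-default forwarding policy.
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING

    # Hide the LAN behind the firewall's WAN address.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # The control connection: LAN clients may open port 21 outbound.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Data connections in either direction. The helper reads PORT/PASV on
    # the control channel and marks the resulting data connection RELATED,
    # so an active-mode connection arriving from the server's port 20 is
    # accepted and NATed back to the client without a rule opening >1024.
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

ftp_helper_rules
```

Run it once with the default DRY_RUN=1 to see the exact commands, then with DRY_RUN=0 as root to apply them. The active-mode case from the thread is exactly what the last rule covers: the server's inbound data connection is RELATED to the tracked control session, so no port on the firewall has to be left open for it.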