Iptables creates ftp problem (Linux Security forums, System Security and Security Related category)

I've had some ftp-problems with my Linux-box (fedora core 3) when
connecting to a Windows ftp server at my isp which requires active mode.
The ftp session freezes after logging in when I try to do e.g. a LIST
command.

I have had some problems identifying the source of the error, but last
night I shut off the local firewall by using "iptables stop" command.
After this I could ftp without problems.

My Linux-box is behind a router with firewall. The router is doing local
DHCP. Maybe this could be the source of my problem? I have another
Windows XP box on the same LAN, and it can ftp to the same server
without problems (both pc's are set to active mode so this is not the
problem).

So there must be some problems with my iptables settings. Any experts
out there that can shed some light on the possible problem? See below.

===== "Iptables -L" as root ==============
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
===============================

Borge

In article <fbTvd.57$IW4.1304@news2.e.nsc.no>,
B H <check4junk@gmail.com> wrote:
:I've had some ftp-problems with my Linux-box (fedora core 3) when
:connecting to a Windows ftp server at my isp which requires active
:mode. The ftp session freezes after logging in when I try to do e.g. a LIST
:command.
:I have had some problems identifying the source of the error, but last
:night I shut off the local firewall by using "iptables stop" command.
:After this I could ftp without problems.
:
:My Linux-box is behind a router with firewall. The router is doing local
:DHCP. Maybe this could be the source of my problem? I have another
:Windows XP box on the same LAN, and it can ftp to the same server
:without problems (both pc's are set to active mode so this is not the
:problem).
:So there must be some problems with my iptables settings. Any experts
:out there that can shed some light on the possible problem? See below.
[SNIPPED]

FTP is a complex protocol that involves opening a separate connection for
the data transfer. An FTP client running in active mode instructs the
server to open a data connection back to a port number selected by the
client. If you're not running a connection tracking module that knows how
to peek inside the FTP control packets and identify that port, the
server's connection attempt will be rejected by your firewall.

Your options are:

a) tell your FTP client to use passive mode, which causes the
client, not the server, to open the data connection,

or b) load the kernel's ip_conntrack_ftp module so that the server's
data connection can be recognized as RELATED.

I highly recommend that you take a look at Oskar Andreasson's excellent
_Iptables_Tutorial_, which is available in several forms from

http://iptables-tutorial.frozentux.net/

-- 
Bob Nichols     AT comcast.net      I am "rnichols42"

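The following is an added illustration, not part of the thread and not the kernel's code, of what the connection-tracking helper Bob describes has to do: watch the FTP control channel, pull the client-chosen address and port out of the PORT command, and register the server's coming data connection so the firewall's "state RELATED,ESTABLISHED" rule can accept it. The firewall model mirrors the poster's RH-Firewall-1-INPUT chain (NEW to ftp/ssh accepted, RELATED accepted, everything else rejected). All addresses, ports and control-channel lines are constructed sample data; `FtpHelper`, `Expectation` and `filter_inbound_syn` are names made up for this example.

```python
"""Simplified model of an FTP conntrack helper in front of a stateful
INPUT chain. Constructed sample data throughout; not the kernel helper."""
import re
from dataclasses import dataclass, field

# Active mode: client -> server "PORT h1,h2,h3,h4,p1,p2"; the server then
# connects from its data port to h1.h2.h3.h4 : (p1*256 + p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")
# Passive mode: server -> client "227 Entering Passive Mode (h1,...,p2)";
# the client opens the data connection itself, so no inbound hole is needed.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(groups):
    """Turn the six comma-separated decimal octets into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Expectation:
    """A data connection the helper expects: who opens it and to where."""
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class FtpHelper:
    """Peeks into the control channel (client <-> server port 21) and records
    which data connection should later be classified as RELATED."""
    client_ip: str
    server_ip: str
    expectations: list = field(default_factory=list)

    def on_client_line(self, line: str) -> None:
        m = PORT_RE.match(line)
        if m:
            ip, port = parse_hostport(m.groups())
            # Only honour a PORT that points back at the client itself; the
            # kernel helper likewise refuses a mismatching address by default.
            if ip == self.client_ip:
                self.expectations.append(Expectation(self.server_ip, ip, port))

    def on_server_line(self, line: str) -> None:
        m = PASV_RE.match(line)
        if m:
            ip, port = parse_hostport(m.groups())
            # Client will connect out to server:port (outbound, so the INPUT
            # chain in the thread never sees it as NEW anyway).
            self.expectations.append(Expectation(self.client_ip, ip, port))


def filter_inbound_syn(helper, src_ip, dst_ip, dst_port):
    """Decision for a NEW inbound TCP SYN, modelled on RH-Firewall-1-INPUT:
    NEW to ftp(21)/ssh(22) -> ACCEPT; a SYN matching a helper expectation is
    RELATED -> ACCEPT (only possible if the helper is loaded); else REJECT."""
    if dst_port in (21, 22):
        return "ACCEPT"
    if helper is not None:
        for e in helper.expectations:
            if (e.src_ip, e.dst_ip, e.dst_port) == (src_ip, dst_ip, dst_port):
                return "ACCEPT"
    return "REJECT"


def active_mode_demo(with_helper: bool) -> str:
    """Replay a constructed active-mode LIST: the client sends PORT and the
    server's data connection comes back in. Returns the firewall verdict."""
    client, server = "192.168.1.10", "203.0.113.5"
    helper = FtpHelper(client, server) if with_helper else None
    if helper is not None:
        # 195*256 + 80 = 50000: the client-chosen data port
        helper.on_client_line("PORT 192,168,1,10,195,80\r")
    # Server opens the data connection towards client:50000
    return filter_inbound_syn(helper, server, client, 50000)


if __name__ == "__main__":
    print("without ip_conntrack_ftp:", active_mode_demo(False))
    print("with    ip_conntrack_ftp:", active_mode_demo(True))
```

Without the helper the only thing the firewall knows about the server's SYN to port 50000 is that it is NEW and not ftp/ssh, so it falls through to the REJECT rule, which is exactly the hang after LIST that the poster sees; with the helper the same SYN matches an expectation and is accepted as RELATED. Passive mode sidesteps the problem because the data connection is outbound.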
"Robert Nichols" <SEE_SIGNATURE@localhost.localdomain.invalid> wrote in message
news:cppfaf$oso$1@omega-3a.right.here...
> Your options are:
>
> a) tell your FTP client to use passive mode, which causes the
> client, not the server, to open the data connection,

In my case this is not an option since I only need access to one
particular ftp-server, and the one in question requires active mode.

> or b) load the kernel's ip_conntrack_ftp module so that the server's
> data connection can be recognized as RELATED.

I did not understand this, but hope that the _Iptables_Tutorial_ mentioned
below might answer this.

> I highly recommend that you take a look at Oskar Andreasson's excellent
> _Iptables_Tutorial_, which is available in several forms from
>
> http://iptables-tutorial.frozentux.net/
>

Thanks!
Borge

On Wed, 15 Dec 2004 10:09:31 +0100, B H wrote:
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any

Your very first rule here (ACCEPT all -- anywhere anywhere) seems to make
all succeeding rules irrelevant since ACCEPT identifies a terminal rule.
Please post your rules without editing.

Cheers!

"B H" <check4junk@gmail.com> said:
>I've had some ftp-problems with my Linux-box (fedora core 3) when
>connecting to a Windows ftp server at my isp which requires active
>mode. The ftp session freezes after logging in when I try to do e.g. a LIST
>command.

You got the correct answer already - namely that you'll need to load the
ip_conntrack_ftp module and allow RELATED inbound traffic. Or alternatively
use passive ftp (how to do this depends on your ftp client program).

>===== "Iptables -L" as root ==============

Sorry, "iptables -L" is leaving out some of the needed information (which
pretty badly corrupts some of the rules). Use "iptables -vL" instead.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)

In article <6pXvd.98$Sl3.1807@news4.e.nsc.no>,
B H <check4junk@gmail.com> wrote:
:
:"Robert Nichols" <SEE_SIGNATURE@localhost.localdomain.invalid> wrote in
:message news:cppfaf$oso$1@omega-3a.right.here...
:> Your options are:
:>
:> a) tell your FTP client to use passive mode, which causes the
:> client, not the server, to open the data connection,
:
:In my case this is not an option since I only need access to one
:particular ftp-server, and the one in question requires active mode.
:
:> or b) load the kernel's ip_conntrack_ftp module so that the server's
:> data connection can be recognized as RELATED.
:
:I did not understand this, but hope that the _Iptables_Tutorial_ mentioned
:below might answer this.
:
:> I highly recommend that you take a look at Oskar Andreasson's excellent
:> _Iptables_Tutorial_, which is available in several forms from
:>
:> http://iptables-tutorial.frozentux.net/

The magic incantation needed is to issue the following command (as root):

    modprobe ip_conntrack_ftp

You can add an "install" line in your /etc/modprobe.conf (assuming your
system uses that) to make that happen automatically when the system boots.
See `man modprobe.conf` for details.

-- 
Bob Nichols     AT comcast.net      I am "rnichols42"