[Gllug] ftp / iptables

gllug at uncertainty.org.uk gllug at uncertainty.org.uk
Wed Oct 31 12:46:04 UTC 2001 

On Wed, Oct 31, 2001 at 10:13:50AM -0000, Paul Brazier wrote:
> > normally you do get notified if you try to do something without the
> > required mode ... BUT i /think/ that it doesn't quite work that way in
> > this case
> > 
> > AIUI ftp conntrack adds ftp connections to the list of RELATED, if you
> > don't have ftp-contrack inserted there is no error but ftp connections
> > don't appear in the related table.
> > 
> > I could well be wrong about the above ...
> > 
> > anyway `lsmod | grep ftp` should tell you if the module is currently
> > inserted
> 
> You were spot on here, Mandrake had all the iptables modules loaded
> *except* ip_conntrack_ftp plus a few other ftp-related ones, and these
> *aren't* loaded automatically when needed. Now I can list directories
> over ftp through the firewall.

:-)

> 
> Proftpd seemed to stop doing DNS lookups for some reason but I added a
> "ReverseDNSLookup off" to /etc/proftpd.conf just in case.
> "IdentLookups off" didn't seem to work, for some reason the client was
> trying to connect from its port 113 to a high port on the server (I
> thought it should be the other way round). The only way I could stop the
> delay was to set the firewall to allow all connections from source port
> 113 to *any* destination port on the server which isn't ideal.
> 
> I'm using the proftp client and running proftpd through xinetd - not
> sure if this is relevant.
> 

have you tried using a different client ?

hmm.. I don't know much about ident lookups

but it does seem odd to me that the client should connect from 113 to a
hight port ... are you sure it isn't that the server is connecting to 113
and the client tries to relpy (to a high port on the server) but its
replies are blocked ???

if you post the relavent logs that might tell us some more..

-- 

Sean
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 274 bytes
Desc: not available
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20011031/1437c183/attachment.pgp>

More information about the GLLUG mailing list