[nSLUG] iptables and ftp

Stephen Gregory nslug at kernelpanic.ca
Mon Apr 14 09:41:43 ADT 2008


On Mon, Apr 14, 2008 at 03:38:43AM -0300, Mike Spencer wrote:
> 
> So what am I missing about RELATED?  The manpage explicitly mentions ftp
> as a reason for using RELATED.
> 

Do you have the nf_conntrack_ftp or ip_conntrack_ftp (nf/ip depends on
kernel version) modules loaded?

If you use nat you probably need the nf_nat_ftp or ip_nat_ftp modules.

> 
> (This failure only occurs with command line ftp sessions, not with
> ftp://host.dom/path URLs in my browser. I don't understand that,
> either.)

The browser probably defaults to passive mode ftp. You can enable this
in your command line ftp client with the "passiv" command. Passiv mode
is generally a good idea as it works through firewalls. 

-- 
sg



More information about the nSLUG mailing list