[nSLUG] Re: iptables and ftp

Mike Spencer mspencer at tallships.ca
Tue Apr 15 00:28:51 ADT 2008

me> So what am I missing about [iptables] RELATED?  

Stephen Gregory <nslug at kernelpanic.ca> wrote:

> You can enable this in your command line ftp client with the
> "passiv" command. Passiv mode is generally a good idea as it works
> through firewalls.

Ah! That fixes the problem with updating my own web pages via manual
ftp.  I knew something of the kind was supposed to be possible.  I
have no idea why, in previous sessions of RingTFM I didn't clue to it.

BUT: the last place where I hit a snag was in using cpan to fetch a
Perl module. The cpan script tried to use ftp.  After a longish wait
it announced that it was falling back to lynx.

> Do you have the nf_conntrack_ftp or ip_conntrack_ftp (nf/ip depends on
> kernel version) modules loaded?

Um, well, I dunno. lsmod shows ip_conntrack loaded but not
ip_conntrack_ftp.  Let's try modprobe -n... no complaints.  modprobe -v
followed by lsmod?  Oh!  Okay, it's loaded.  Let's try an ftp
session... tikky tikky tikky spop dit.

Great! That allowed me to connect to my own web page server without -p
or passiv.  Maybe it will work as well for cpan and my other,
occasional uses of ftp.

The iptables man page tells me about conntrack but is marvelously
unclear on just how to make it work.

Thank you very much, sg!

- Mike
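The fix the thread arrives at is the FTP connection-tracking helper: once nf_conntrack_ftp (ip_conntrack_ftp on older kernels) is loaded, conntrack watches the PORT/PASV exchange on the control connection and marks the data connection RELATED, so a plain ESTABLISHED,RELATED rule admits it. The script below is an added example, not code from the thread or from any netfilter project: it parses lsmod output for the helper (the sample lsmod text is constructed), prints the client-side filter rules that rely on it, and adds the raw-table CT rule that newer kernels (4.7 and later) need because they no longer attach helpers automatically. The rules are printed, not applied, so it runs without root.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether the FTP conntrack
# helper is loaded and print the iptables rules that make RELATED admit
# FTP data connections. Module names and rule syntax are real; the sample
# lsmod output below is constructed.

# Constructed lsmod output before and after "modprobe ip_conntrack_ftp".
SAMPLE_LSMOD_BEFORE='Module                  Size  Used by
ip_conntrack           53409  1 iptable_nat
iptable_filter          2817  1'
SAMPLE_LSMOD_AFTER='Module                  Size  Used by
ip_conntrack_ftp        7233  0
ip_conntrack           53409  2 ip_conntrack_ftp,iptable_nat
iptable_filter          2817  1'

# Read lsmod-style output on stdin; print the loaded FTP helper module
# (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on old ones).
# Exit status 1 if neither is loaded, so the caller can branch on it.
ftp_helper_loaded() {
    awk '$1 == "nf_conntrack_ftp" || $1 == "ip_conntrack_ftp" { print $1; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Filter rules for an FTP client host. Only the control connection to
# port 21 needs a NEW rule; the helper inspects PORT/PASV on that stream
# and tags the data connection RELATED, so the generic RELATED rule
# admits it without opening a port range. The helper only watches port 21
# unless the module is loaded with ports=21,<other> as a parameter.
ftp_client_rules() {
    cat <<'EOF'
iptables -A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# On kernels 4.7 and later the helper is not attached automatically just
# because the module is loaded; it has to be assigned with the CT target
# in the raw table. Harmless on older kernels that support the CT target.
ftp_helper_assign_rule() {
    echo 'iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp'
}

# Live check against this machine (needs lsmod; rules are printed, not applied).
check_live_system() {
    if mod=$(lsmod | ftp_helper_loaded); then
        echo "FTP helper loaded: $mod"
    else
        echo "no FTP helper loaded; try: modprobe nf_conntrack_ftp (or ip_conntrack_ftp)"
    fi
    ftp_helper_assign_rule
    ftp_client_rules
}

case "${1:-}" in
    --live) check_live_system ;;
esac
```

Run it as `sh ftp-helper-check.sh --live` to test the machine you are on; without an argument it only defines the functions. The two RELATED rules are the whole point: active-mode data connections arrive inbound from the server's port 20 to an ephemeral port, and without the helper nothing ties them to the control session, which is why the thread's cpan fetch stalled until the module was loaded.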

