J. Scott Amort wrote:
> On Tue, 2003-11-11 at 18:54, Christopher K. Johnson wrote:
>
> Sorry for the very late reply. Was doing some clean-up today and noticed your message.
>
> > On an ftp server which you want clients to be able to access via passive FTP be
> > sure to insmod ip_conntrack_ftp module, which can be accomplished by adding the
> > following two lines to /etc/modules.conf
> >
> >     # iptables module added for passive ftp access to ftpd on local system
> >     above ip_conntrack ip_conntrack_ftp
>
> Thanks very much - this worked. However, I would like to know why. This wasn't a problem in RedHat 9 (or at least, it accomplished the same
> thing a different way). What exactly does this do? Thanks again.
The above solution was also necessary on earlier versions of RH, but perhaps your iptables rules were more permissive.

BTW, Fedora has a new mechanism for loading needed modules for iptables: include them in an uncommented IPTABLES_MODULES line in /etc/sysconfig/iptables-config.
If you need more than one module loaded, include each of them, space-delimited, inside the double quotes.

What the "above" directive does is make the ip_conntrack_ftp module be loaded any time the ip_conntrack module is loaded.

What the module does is augment the connection tracking in iptables to recognize the directive exchanged on an ftp control connection indicating what data connection will be used, and it adds an expected entry for it in the connection tracking table. Thus when the data connection is made it is permitted by a rule like this:

    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--
-----------------------------------------------------------
"Spend less! Do more! Go Open Source..." -- Dirigo.net
Chris Johnson, RHCE #807000448202021
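To show how the helper module and the RELATED rule fit together on a Fedora FTP server, here is an added example written by the editor, not configuration taken from the thread: the iptables-config line that loads the helper, and a minimal /etc/sysconfig/iptables ruleset in the same iptables-save format as the rule quoted above. The default DROP policies and the choice to open only port 21 are the editor's assumptions.

```conf
# /etc/sysconfig/iptables-config (Fedora): load the FTP helper when the firewall starts.
# Add further modules space-delimited inside the same double quotes.
IPTABLES_MODULES="ip_conntrack_ftp"

# /etc/sysconfig/iptables (iptables-save format, assumed default-deny policies)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets of tracked connections plus the data connections ip_conntrack_ftp
# expects: the helper reads the PORT command / 227 "Entering Passive Mode" reply
# on the control channel and registers the announced data port, so the client's
# connection to that high port matches RELATED instead of hitting the DROP policy.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The control channel is the only port that accepts NEW connections; no passive
# port range has to be opened, which is the point of loading the helper.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
```

After `service iptables restart`, `lsmod` should list ip_conntrack_ftp; if it is missing, port 21 still works but every passive data connection is dropped by the INPUT policy, which is exactly the symptom the original question describes.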