On Sat, 2005-04-02 at 22:33, Justin Zygmont wrote:
> On Sat, 2 Apr 2005, Markku Kolkka wrote:
>
> > Justin Zygmont wrote (message sent Saturday, 2 April 2005 12:23):
> >> I know the problem is because of a nonexistent iptables rule, I'm
> >> just at a loss as to what the missing rules should look like.
> >> The only thing that is different in this case is that I need
> >> to use port 221 for FTP instead of 21,
> >
> > That's what breaks everything. The FTP control connection must be
> > on server port 21. Using a different port violates RFC 959 and
> > ip_conntrack_ftp doesn't watch any other port for FTP traffic.
>
> Are you sure ftp_conntrack is even needed? I thought that's usually used
> just for stateful routing through a server, and not to connect to one from
> the outside. Also when I shut iptables down, it works, I can get an ftp
> listing.

Yes it does. ftp_conntrack etc. monitors the traffic on port 21 and dynamically opens the higher-numbered (data) ports that the control connection on port 21 asks for. Turning off iptables just opens all the ports.

If you are using vsftp, then you can set the ports used by passive ftp and then open them in iptables, but this is a risk as they can be abused. This may be possible with other ftp servers.

Rob
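To illustrate what the thread describes, here is an added example (not code from the list or from the kernel's ip_conntrack_ftp) that models the helper's job: it only inspects control sessions on the port(s) it is told to watch, parses the PORT command or 227 PASV reply on that channel, and reports the data endpoint the firewall should then accept as RELATED. A session on port 221 yields nothing unless 221 is among the watched ports, which is why the listing fails with the firewall up and works with it down. The sample session is constructed.

```python
import re

# Default: only port 21 is treated as an FTP control channel (assumption in this model).
FTP_CONTROL_PORTS = {21}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server,
# "PORT h1,h2,h3,h4,p1,p2" from the client; data port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_ftp_endpoint(line):
    """Return (ip, port) announced by a PASV reply or PORT command, else None."""
    m = PASV_RE.search(line) or PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None  # malformed octet: refuse rather than register a bogus expectation
    return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def expected_data_connections(control_port, control_lines, watched_ports=FTP_CONTROL_PORTS):
    """Model of the helper: only sessions on a watched control port produce
    dynamically allowed data connections; everything else stays blocked."""
    if control_port not in watched_ports:
        return []  # the helper never looks at this session at all
    allowed = []
    for line in control_lines:
        endpoint = parse_ftp_endpoint(line)
        if endpoint:
            allowed.append(endpoint)
    return allowed


# Constructed control-channel exchange: one active-mode PORT, one passive 227 reply.
SAMPLE_SESSION = [
    "220 vsftpd ready",
    "PORT 192,168,1,10,4,1",                              # client listens on 192.168.1.10:1025
    "227 Entering Passive Mode (192,168,1,20,195,80)",   # server listens on 192.168.1.20:50000
]

if __name__ == "__main__":
    print("port 21 :", expected_data_connections(21, SAMPLE_SESSION))
    print("port 221:", expected_data_connections(221, SAMPLE_SESSION))
```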