[CentOS] [SOLVED] it was an iptables-config setting, was Re: Vsftpd configuration problem

Tue Apr 2 00:30:24 UTC 2013
Max Pyziur <pyz at brama.com>

On Tue, 2 Apr 2013, Reindl Harald wrote:

> Am 02.04.2013 02:04, schrieb Max Pyziur:
>>> [root at srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
>>> # Load additional iptables modules (nat helpers)
>>> #   Default: -none-
>>> # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
>>> # are loaded after the firewall rules are applied. Options for the helpers are
>>> # stored in /etc/modprobe.conf.
>>> IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
>> So, are you saying this last line is key?
> it is on my fedora machines acting as FTP behind a NAT
>> Because on the CentOS 5 setup I see:
>> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
>> While on the CentOS 6 setup I see:
>> What is the correct/recommended setting?
> there is no "correct/recommended setting"
> if you are behind a NAT you need a different config than if you
> have a public IP on your machine, that is why configs exist

Not behind a NAT ...

> with passive FTP the server answers with port AND ip-address
> for the data-connection (which is an idiotic design but it is how
> it is) and if the client follows this response it fails
> so the way to go is translate the response in whatever
> stateful filter in front of the FTP server
> this is called ALG (application layer gateway) and part
> of any reliable stateful packet filter

Adding the following line to /etc/sysconfig/iptables-config "got me home:"

Along with the above dialogue, the following page helped (me):


Max Pyziur
pyz at brama.com
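The thread's fix comes down to one setting: `IPTABLES_MODULES` in `/etc/sysconfig/iptables-config` must list the FTP connection-tracking helper, or the passive-mode data connection is dropped by the stateful firewall. The script below is an added example, not code from the thread or from CentOS: it audits a copy of that config file for the helper, accepting both the CentOS 6 name (`nf_conntrack_ftp`) and the CentOS 5 name (`ip_conntrack_ftp`) quoted in the thread, and prints a corrected line without touching the file. The sample configs it builds are constructed stand-ins; the `ftp_helper_loaded` check via `/sys/module` is an assumption about the running kernel, not something the thread states.

```shell
#!/bin/sh
# Audit /etc/sysconfig/iptables-config for the FTP conntrack helper that
# passive FTP needs behind a stateful iptables firewall.
# Added example (not from the thread). Module names nf_conntrack_ftp/nf_nat_ftp
# (CentOS 6) and ip_conntrack_ftp (CentOS 5) come from the thread; everything
# else here is assumed.

# Effective IPTABLES_MODULES value: last uncommented assignment, quotes stripped.
iptables_modules_value() {
    sed -n 's/^[[:space:]]*IPTABLES_MODULES=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# 0 if the config lists an FTP conntrack helper, 1 otherwise.
ftp_helper_configured() {
    mods=$(iptables_modules_value "$1")
    for m in $mods; do
        case "$m" in
            nf_conntrack_ftp|ip_conntrack_ftp) return 0 ;;
        esac
    done
    return 1
}

# Print the line the file should carry (CentOS 6 names; does not edit the file).
suggest_modules_line() {
    mods=$(iptables_modules_value "$1")
    if ftp_helper_configured "$1"; then
        printf 'IPTABLES_MODULES="%s"\n' "$mods"
    else
        printf 'IPTABLES_MODULES="%s"\n' "${mods:+$mods }nf_conntrack_ftp nf_nat_ftp"
    fi
}

# Runtime check (assumed: a loaded module shows up under /sys/module on Linux).
ftp_helper_loaded() {
    [ -d /sys/module/nf_conntrack_ftp ] || [ -d /sys/module/ip_conntrack_ftp ]
}

# Constructed sample configs standing in for /etc/sysconfig/iptables-config.
# Prints the directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/centos6-ok" <<'EOF'
# Load additional iptables modules (nat helpers)
#   Default: -none-
IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
EOF
    cat > "$dir/centos5-ok" <<'EOF'
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
EOF
    cat > "$dir/missing" <<'EOF'
# helper commented out: passive FTP data connections will be dropped
#IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
IPTABLES_MODULES=""
EOF
    cat > "$dir/other" <<'EOF'
IPTABLES_MODULES="ip_conntrack_netbios_ns"
EOF
    printf '%s\n' "$dir"
}

# Demo over the constructed samples.
d=$(make_samples)
for f in centos6-ok centos5-ok missing other; do
    if ftp_helper_configured "$d/$f"; then
        echo "$f: FTP conntrack helper configured"
    else
        echo "$f: helper missing, suggested line: $(suggest_modules_line "$d/$f")"
    fi
done
rm -rf "$d"
```

Run it against the real file with `ftp_helper_configured /etc/sysconfig/iptables-config` after sourcing the functions; it only reads the file, so it is safe to run on a production host while deciding whether the helper line is the missing piece.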