[CentOS] [SOLVED] it was an iptables-config setting, was Re: Vsftpd configuration problem

Tue Apr 2 23:37:33 UTC 2013
SilverTip257 <silvertip257 at gmail.com>

On Mon, Apr 1, 2013 at 8:30 PM, Max Pyziur <pyz at brama.com> wrote:

> On Tue, 2 Apr 2013, Reindl Harald wrote:
>
> >
> >
> > Am 02.04.2013 02:04, schrieb Max Pyziur:
> >>> [root at srv-rhsoft:~]$ cat /etc/sysconfig/iptables-config
> >>> # Load additional iptables modules (nat helpers)
> >>> #   Default: -none-
> >>> # Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
> >>> # are loaded after the firewall rules are applied. Options for the helpers are
> >>> # stored in /etc/modprobe.conf.
> >>> IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"
> >>
> >> So, are you saying this last line is key?
> >
> > it is on my fedora machines acting as FTP behind a NAT
> >
> >> Because on the CentOS 5 setup I see:
> >> IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
> >>
> >> While on the CentOS 6 setup I see:
> >> IPTABLES_MODULES=""
> >>
> >> What is the correct/recommended setting?
> >
> > there is no "correct/recommended setting"
> >
> > if you are behind a NAT you need a different config than if you
> > have a public IP on your machine, that is why configs exist
>
> Not behind a NAT ...
>
> > with passive FTP the server answers with port AND ip-address
> > for the data-connection (which is an idiotic design but it is how
> > it is) and if the client follows this response it fails
> >
> > so the way to go is translate the response in whatever
> > stateful filter in front of the FTP server
> >
> > this is called ALG (application layer gateway) and part
> > of any reliable stateful packet filter
>
> Adding the following line to /etc/sysconfig/iptables-config "got me home:"
> IPTABLES_MODULES="ip_conntrack_ftp"
>

Great.

Kindly do not change the subject of your messages.
It screws up thread grouping in many mail clients and confuses people.
Plus if we keep things together someone having the same problem in the
future might be able to find the solution without asking the same question
again.  Thanks. :)


>
> Along with the above dialogue, the following page helped (me):
>
> http://www.linuxquestions.org/questions/linux-networking-3/iptables-configuration-for-passive-ftp-connection-633774/
>
> Thanks.
>
> Max Pyziur
> pyz at brama.com
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
---~~.~~---
Mike
//  SilverTip257  //
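The two points the thread turns on, whether /etc/sysconfig/iptables-config lists an FTP conntrack helper at all and why a stateful filter cannot pass passive-mode data connections without one, can be checked from the shell. The script below is an added example, not code from the list thread or from CentOS: it writes two constructed iptables-config files (the empty CentOS 6 default and the setting that fixed the poster's problem), reports whether either names ip_conntrack_ftp or nf_conntrack_ftp, and works out the IP and port a client would connect to from a sample "227 Entering Passive Mode" reply, which is the same arithmetic the kernel helper does before it registers an expectation for the data connection. The temp-file names, sample reply and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the CentOS list thread. All file contents,
# file names and the sample PASV reply below are constructed.

# Print the value of IPTABLES_MODULES from an iptables-config file,
# quotes stripped. The last assignment in the file wins, as it does
# when the init script sources the file.
iptables_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Return 0 if the file loads an FTP helper under either the CentOS 5
# name (ip_conntrack_ftp) or the CentOS 6 name (nf_conntrack_ftp).
ftp_helper_configured() {
    for mod in $(iptables_modules "$1"); do
        case "$mod" in
            ip_conntrack_ftp|nf_conntrack_ftp) return 0 ;;
        esac
    done
    return 1
}

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and print "IP PORT".
# The data port is p1*256+p2 and is chosen by the server per transfer, so a
# stateful filter that only allows port 21 has no matching rule for the
# data connection unless a helper reads this reply and marks it RELATED.
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    set -- $nums
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# Constructed sample files standing in for /etc/sysconfig/iptables-config.
TMPDIR_EXAMPLE=$(mktemp -d)
CFG_BEFORE="$TMPDIR_EXAMPLE/iptables-config.before"   # CentOS 6 default from the thread
CFG_AFTER="$TMPDIR_EXAMPLE/iptables-config.after"     # the line that fixed it
cat > "$CFG_BEFORE" <<'EOF'
# Load additional iptables modules (nat helpers)
#   Default: -none-
IPTABLES_MODULES=""
EOF
cat > "$CFG_AFTER" <<'EOF'
# Load additional iptables modules (nat helpers)
IPTABLES_MODULES="ip_conntrack_ftp"
EOF

# Stand-alone run: report both files and decode one constructed PASV reply.
for f in "$CFG_BEFORE" "$CFG_AFTER"; do
    if ftp_helper_configured "$f"; then
        echo "$f: FTP helper listed (IPTABLES_MODULES=\"$(iptables_modules "$f")\")"
    else
        echo "$f: no FTP helper; passive data connections will not match a RELATED rule"
    fi
done
pasv_endpoint '227 Entering Passive Mode (192,0,2,10,195,80)'
```

To use the check on a real box, point ftp_helper_configured at /etc/sysconfig/iptables-config and compare the result with `lsmod | grep conntrack_ftp`; the file only takes effect after `service iptables restart`, since the modules are loaded when the rules are applied.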