vsftpd and iptables

Christopher K. Johnson ckjohnson at gwi.net
Thu Jan 15 23:27:26 UTC 2004


J. Scott Amort wrote:

>On Tue, 2003-11-11 at 18:54, Christopher K. Johnson wrote:
>  
>
>>On an ftp server which you want clients to be able to access via passive 
>>FTP be
>>sure to insmod ip_conntrack_ftp module, which can be accomplished by 
>>adding the
>>following two lines to /etc/modules.conf
>> 
>># iptables module added for passive ftp access to ftpd on local system
>>above ip_conntrack ip_conntrack_ftp
>>    
>>
>
>Thanks very much - this worked.  However, I would like to know why? 
>This wasn't a problem in RedHat 9 (or at least, it accomplished the same
>thing a different way).  What exactly does this do?  Thanks again.
>  
>
Sorry for the very late reply.  Was doing some clean-up today and 
noticed your message.

The above solution was also necessary on earlier versions of RH, but 
perhaps your iptables rules were more permissive.

BTW Fedora has a new mechanism for loading needed modules for iptables: 
include them in an uncommented IPTABLES_MODULES line in 
/etc/sysconfig/iptables-config.
If you need more than one module loaded, include each of them space 
delimited inside the double-quotes.

What the "above" directive does is make the ip_conntrack_ftp module be 
loaded any time the ip_conntrack module is loaded.

What the module does is augment the connection tracking in iptables, to 
recognize the directive exchanged on an ftp control connection 
indicating what data connection will be used, and it adds an expected 
entry for it in the connection tracking table.  Thus when the data 
connection is made it is permitted by a rule like this:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
-----------------------------------------------------------
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #807000448202021
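Worked example, added here and not part of Chris's post or of the iptables/netfilter project. It is a POSIX shell script that (a) prints the module configuration in both the modules.conf form and the Fedora iptables-config form quoted above, (b) prints a minimal iptables-restore rule set in which the control channel is admitted as NEW and the data connection is admitted by the ESTABLISHED,RELATED rule, and (c) reproduces in shell the parsing that ip_conntrack_ftp performs on the control channel: turning the address part of a 227 PASV reply, or of a PORT command, into the host:port that the helper registers as an expected (RELATED) connection. The function names are mine, the sample PASV reply and PORT command are constructed, and nothing in the script touches a live firewall; it only prints.

```shell
#!/bin/sh
# Added example (not from the original post). Prints configuration text and
# shows the PASV/PORT address parsing done by the ip_conntrack_ftp helper.
# Function names and sample inputs are assumptions for illustration only.

# Module configuration in the two forms discussed in the thread.
module_config() {
    cat <<'EOF'
# /etc/modules.conf (2.4-kernel modutils): load the helper whenever
# ip_conntrack is loaded
above ip_conntrack ip_conntrack_ftp

# /etc/sysconfig/iptables-config (Fedora): modules loaded by the iptables
# init script, space delimited inside the quotes
IPTABLES_MODULES="ip_conntrack_ftp"
EOF
}

# Minimal ruleset in iptables-restore format for a host running an FTP
# server on port 21. Lines starting with '#' are ignored by iptables-restore.
emit_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies on the control channel are ESTABLISHED; the data connection is
# RELATED because ip_conntrack_ftp created an expectation for it after
# seeing the PASV reply or PORT command on the control channel.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the control channel needs an explicit NEW rule.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# What the helper parses: the "h1,h2,h3,h4,p1,p2" address form carried by a
# "227 Entering Passive Mode (...)" reply or a "PORT ..." command.
# Prints "h1.h2.h3.h4:port" where port = p1*256 + p2; fails if no address.
ftp_addr_to_hostport() {
    out=$(printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/.*[^0-9,]\([0-9][0-9]*,[0-9][0-9]*,[0-9][0-9]*,[0-9][0-9]*,[0-9][0-9]*,[0-9][0-9]*\).*/\1/p' |
        awk -F, '{ printf "%s.%s.%s.%s:%d\n", $1, $2, $3, $4, $5 * 256 + $6 }')
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Constructed sample control-channel lines (not captured traffic).
SAMPLE_PASV='227 Entering Passive Mode (192,168,1,10,195,149)'
SAMPLE_PORT='PORT 192,168,1,20,4,1'

module_config
echo
emit_rules
echo
echo "PASV reply  -> client will connect to $(ftp_addr_to_hostport "$SAMPLE_PASV")"
echo "PORT command -> server will connect to $(ftp_addr_to_hostport "$SAMPLE_PORT")"
```

For a PASV reply the expectation covers a connection from the client to the parsed server address; for a PORT command it covers a connection from the server to the parsed client address, which is why the same helper serves both active and passive transfers. The helper can only do this when it can read the control channel, so it does not help for FTP over TLS; there the usual approach is to pin vsftpd to a fixed passive range with pasv_min_port and pasv_max_port and open that range explicitly. On current kernels the helper is named nf_conntrack_ftp rather than ip_conntrack_ftp.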