Comments on: Linux Passive FTP Not Working Problem And Solution http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/ Every answer asks a more beautiful question. Fri, 10 Feb 2012 19:55:56 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Patricehttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-65510 Patrice Sun, 11 Dec 2011 18:47:08 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-65510 Why to open the port 1024??? Passive connection use port 21 and then a port from 1024 to 65545... Why to open the port 1024??? Passive connection use port 21 and then a port from 1024 to 65545…

]]> By: Ryan Griggshttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-61819 Ryan Griggs Tue, 23 Aug 2011 19:56:22 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-61819 In addition to the firewall rules, on CentOS I had to edit /etc/sysconfig/iptables-config to tell it to load the correct modules. Add the following to the IPTABLES_MODULES line: "ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp" So your IPTABLES_MODULES line should read: IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp" Restart IPTABLES ('service iptables restart') and you should see it load the conntrack modules. All is good! Ryan In addition to the firewall rules, on CentOS I had to edit /etc/sysconfig/iptables-config to tell it to load the correct modules.

Add the following to the IPTABLES_MODULES line:
“ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp”

So your IPTABLES_MODULES line should read:
IPTABLES_MODULES=”ip_conntrack_netbios_ns ip_conntrack ip_conntrack_ftp”

Restart IPTABLES (‘service iptables restart’) and you should see it load the conntrack modules.

All is good!

Ryan

]]> By: Nitinhttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-60479 Nitin Tue, 05 Jul 2011 05:06:40 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-60479 Worked fine. Thanks. Worked fine. Thanks.

]]> By: Nishihttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-56162 Nishi Sun, 06 Mar 2011 23:34:56 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-56162 FTP might work great, but what about that rule that says block all else incoming?? I'm now locked out of the server.... FTP might work great, but what about that rule that says block all else incoming?? I’m now locked out of the server….

]]> By: Victor Henriquezhttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-49695 Victor Henriquez Thu, 23 Sep 2010 23:03:23 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-49695 Excellent Post...My FTP Works great, thanks.... Excellent Post…My FTP Works great, thanks….

]]> By: Antonio Díaz M.http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-45285 Antonio Díaz M. Wed, 23 Dec 2009 17:06:36 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-45285 but you are opening ports that allow connections to other applications such as P2P, MSN Messenger, etc... but you are opening ports that allow connections to other applications such as P2P, MSN Messenger, etc…

]]> By: kitthttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-42924 kitt Fri, 07 Aug 2009 00:29:16 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-42924 Why do you need this "$IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT" if you default accept outgoing packets "$IPT -P OUTPUT ACCEPT" Why do you need this “$IPT -A OUTPUT -p tcp –dport 21 -m state –state NEW,ESTABLISHED -j ACCEPT” if you default accept outgoing packets “$IPT -P OUTPUT ACCEPT”

]]> By: arun kumarhttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-42377 arun kumar Sat, 04 Jul 2009 08:13:49 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-42377 hp laserjet printer 1020 not working in linux at local network hp laserjet printer 1020 not working in linux at local network

]]> By: Bart Calixtohttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-41007 Bart Calixto Wed, 01 Apr 2009 23:29:43 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-41007 Thanks!, looking for hours for a solution. My problem was fixed right after i typed : modprobe ip_conntrack_ftp What this means / do ? Greetings, Bart. Thanks!, looking for hours for a solution.
My problem was fixed right after i typed : modprobe ip_conntrack_ftp

What this means / do ?

Greetings,
Bart.

]]> By: Dalibor Strakahttp://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-40108 Dalibor Straka Tue, 03 Feb 2009 14:45:28 +0000 http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/#comment-40108 At first glance I thought it is for client not for server ;-) This is very nice article except that my FW didn't work right untill I added RELATED here: $IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT I guess that nf_conntrack_ftp reads the port in payload for port 21 and then the new tcp packet from 12345 -> 54321 has SIN flag, thus is RELATED to the first connection, but in no way is established. At first glance I thought it is for client not for server ;-)

This is very nice article except that my FW didn’t work right untill I added RELATED here:

$IPT -A INPUT -p tcp –sport 1024: –dport 1024: -m state –state ESTABLISHED,RELATED -j ACCEPT

I guess that nf_conntrack_ftp reads the port in payload for port 21 and then the new tcp packet from 12345 -> 54321 has SIN flag, thus is RELATED to the first connection, but in no way is established.

]]>