On Linux, the iptables firewall is normally configured simply by opening ports. With the FTP protocol in PASV (passive) mode, however, there are two connections, and the second one looks unrelated to the first on port 21: port 21 carries the control channel, while the second connection carries the data. This is why you can log in but then cannot see a directory listing. The port of this second connection is dynamic and cannot be written into iptables ahead of time. You can configure the FTP server software to force a fixed data port (range) and add that to iptables, but that is a crude solution. We know that a smart firewall is able to track this dynamic port. Can iptables be just as smart?
First, the difference between passive mode (abbreviated PASV) and active mode in the FTP protocol.

Step one: the client connects to the server, normally on port 21, which carries control information: user name and password authentication. This step is the same in active and passive mode.

Step two, active mode: the server initiates the data connection to the client, from source port 20 to a random destination port on the client. The firewall on the server side is easy to configure, but the client side is troublesome, especially when the client is behind NAT, where the connection often cannot be established. This mode has largely been abandoned, although Microsoft's ftp command still uses active mode; fortunately few people use it.

Passive mode: after authentication you can use the PWD command to display your current directory, which still goes over the control port 21. A folder listing, however, is a larger amount of data and is transmitted over the data port. The client sends the PASV command, telling the server to use passive mode, and the server replies with a string of numbers such as (172,26,136,8,126,17). The first four numbers, 172.26.136.8, are the IP address of the server; the last two, 126 and 17, encode the dynamically assigned data port, computed as 126*256+17=32273.

Once you know this rule, opening the firewall port dynamically is not difficult.
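To make that rule concrete, here is a small POSIX shell function, added here and not part of the original post, that decodes a PASV reply into the server address and data port and rejects malformed replies. The reply line it runs on is constructed from the numbers quoted above.

```shell
#!/bin/sh
# Decode the address tuple in an FTP PASV reply such as
#   227 Entering Passive Mode (172,26,136,8,126,17)
# into "host port", using port = p1*256 + p2 as described in the text.
# Added example; the sample reply below is constructed for illustration.

pasv_decode() {
    # $1: the full server reply line (or just the parenthesised tuple)
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || { echo "no PASV tuple found" >&2; return 1; }

    # split the six comma-separated numbers into positional parameters
    set -- $(printf '%s\n' "$tuple" | tr ',' ' ')
    [ $# -eq 6 ] || { echo "expected 6 numbers, got $#" >&2; return 1; }

    # every field is one byte of the address or port
    for n in "$@"; do
        [ "$n" -ge 0 ] && [ "$n" -le 255 ] ||
            { echo "value out of range: $n" >&2; return 1; }
    done

    port=$(( $5 * 256 + $6 ))
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" "$port"
}

# Constructed sample reply, matching the tuple quoted in the text.
SAMPLE='227 Entering Passive Mode (172,26,136,8,126,17)'
pasv_decode "$SAMPLE"   # prints: 172.26.136.8 32273
```

The range check matters because the firewall would otherwise be asked to open whatever port the server announced; a real client should also verify that the announced address is the server it connected to.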
iptables cannot track the PASV command on its own; a kernel module has to be loaded. Check whether it is already loaded with

lsmod | grep ftp

If FTP is not getting through, it is almost certainly not loaded. Many guides load it with

modprobe ip_nat_ftp

That is not wrong, but it loads more than needed; in fact only nf_conntrack_ftp is required. You can load it by hand:

modprobe nf_conntrack_ftp

But after a server reboot it is gone again, which is a chore for maintainers. Some people put the command in a startup script, which is the cruder way, because iptables itself has a setting for loading modules. Edit /etc/sysconfig/iptables-config and set

IPTABLES_MODULES="nf_conntrack_ftp"

The default is IPTABLES_MODULES="", i.e. empty. This is the easily overlooked, key step. With that done, what remains is of course writing the iptables filter rule.
iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

That simple. But -A appends, and the appended rule lands behind the final rule that rejects everything, so it is better to list the rules with their numbers:

iptables -L -n -v --line-numbers

and then use

iptables -I INPUT 5 -m state --state NEW -p tcp --dport 21 -j ACCEPT

to insert it in front of the last line (5 being the number of that last line in this example).

Likewise, many guides tell you to append

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

In fact that is not necessary unless you have deleted all the entries; by default it is the first rule:

1 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

The key is RELATED: that is the state of the dynamic data port connection that the ftp conntrack helper (ip_conntrack_ftp, now nf_conntrack_ftp) has recognised. ESTABLISHED covers a TCP connection whose three-way handshake (the ACK acknowledging the SYN) has been seen; RELATED takes care of the rest.
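The steps above, gathered into one POSIX shell script as an added example (not the post's own code). It reads the current INPUT chain listing to find the last rule number, as the text recommends, emits the commands, and only executes them when invoked with the argument apply. The file and variable names (/etc/sysconfig/iptables-config, IPTABLES_MODULES) are the CentOS 6 ones from the text; the sample chain listing used in dry-run mode is constructed to mirror a default CentOS 6 ruleset.

```shell
#!/bin/sh
# Added example: the iptables steps from the text as one script.
# Without arguments it prints the commands it would run (dry run);
# "sh ftp-pasv-rules.sh apply" as root executes them for real.

# Last rule number in a chain listing produced by
# "iptables -L INPUT -n -v --line-numbers" (listing read from stdin).
# Prints 0 when the chain has no rules.
last_rule_number() {
    awk '$1 ~ /^[0-9]+$/ { n = $1 } END { print n + 0 }'
}

# Does the listing on stdin already accept RELATED,ESTABLISHED traffic?
has_related_rule() {
    grep -q 'RELATED,ESTABLISHED'
}

# Build the ACCEPT rule for the control port. With a last rule number of
# 0 the chain is empty and we append; otherwise insert in front of the
# final rule, which on a typical ruleset is the catch-all REJECT/DROP.
port21_rule() {
    last=$1
    if [ "$last" -eq 0 ]; then
        echo 'iptables -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT'
    else
        echo "iptables -I INPUT $last -m state --state NEW -p tcp --dport 21 -j ACCEPT"
    fi
}

# Emit the whole plan, given the current INPUT listing on stdin:
# load the helper now, make iptables reload it at boot, make sure the
# RELATED,ESTABLISHED rule exists, then open the control port.
ftp_pasv_plan() {
    listing=$(cat)
    echo 'modprobe nf_conntrack_ftp'
    echo "sed -i 's/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"nf_conntrack_ftp\"/' /etc/sysconfig/iptables-config"
    printf '%s\n' "$listing" | has_related_rule ||
        echo 'iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT'
    port21_rule "$(printf '%s\n' "$listing" | last_rule_number)"
}

if [ "$1" = "apply" ]; then
    iptables -L INPUT -n -v --line-numbers | ftp_pasv_plan | sh -e
else
    # Constructed listing resembling the CentOS 6 default INPUT chain.
    SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'
    printf '%s\n' "$SAMPLE_LISTING" | ftp_pasv_plan
fi
```

Two caveats when carrying this beyond the CentOS 6 setup in the text: the helper only inspects control connections on port 21 unless nf_conntrack_ftp is loaded with its ports= module parameter, and on kernels from 4.7 onward automatic helper assignment is off by default (net.netfilter.nf_conntrack_helper=0), so the control connection must additionally be tagged with a raw-table rule using -j CT --helper ftp for the RELATED state to appear.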
This example was tested on Linux kernel 2.6.32-573.7.1.el6.x86_64, that is, CentOS 6.7.
This article is from the blog "Genius without that 1% is absolutely impossible"; please keep this source: http://xushen.blog.51cto.com/1673219/1707330
PASV mode for Iptables and FTP