Active mode and passive mode of FTP ):
Most TCP services use a single connection. Generally, the client initiates a connection to a slave port of the server and then uses this connection for communication. However, the FTP protocol is different. It uses multiple bidirectional connections.
And the port used is hard to predict. Generally, FTP connections include:
One Control connection
(Control connection)
This connection is used to transmit client commands and server-side responses to commands. It uses port 21 of the server, and the lifetime is the entire FTP session time.
Several data connections
(Data Connection)
These connections are used to transmit files and other data, such as directory lists. These connections are established when data transmission is required. Once data transmission is completed, the ports used each time are not necessarily the same. In addition, the data connection may be initiated by the client or the server.
In the FTP protocol, the control connection uses protocol port 21
Therefore, you can use the isa ip packet filter to ensure the security of this connection. On the contrary, the destination port of the data transmission connection is usually unknown, so it is very difficult to process such port forwarding. F
The TP protocol uses a standard port 21 as the ftp-data port, but this port is only used to connect to the source address of the server, and there is no listening process on this port.
The direction of FTP data connection and control connection is generally the opposite, that is, the server initiates a connection for data transmission to the client. The connection port is determined by the negotiation between the server and the client. This feature of the FTP protocol adds a lot of difficulties to ISA forwarding and firewall and NAT configuration.
In addition, there is another ftp mode called passive mode.
(Passive MoD ). In this mode, the data connection is initiated by the customer program, and the mode discussed just now (we can call it the active mode.
.
Whether the passive mode is used depends on the client program. You can use the passive command in the FTP command line to disable/enable the passive mode.
Configure vsftp in iptables
Problem: After iptables is configured, vsftpd cannot be used. A common phenomenon is that you can log on to the server and the List Directory fails (time-out ).
Analysis:
Active Mode
The client connects to TCP/21, and the server connects to the customer's random port through TCP/20
---- In this case, the status firewall can solve iptables-A input-M state -- state new, related, established-J accept.
Passive Mode
The customer connects to TCP/21, and then connects to the random port of the server through other ports.
The reason is that the server does not open a temporary port to connect the client in passive mode. Therefore, several conditions are required.
1. When the client does not have a firewall, use the active mode to connect.
2. When the server does not have a firewall, use the passive mode.
3. When both parties have firewalls, vsftpd sets the high port range in passive mode. When the Server opens the range, the client can connect in passive mode.
4. Load the ip_conntrack_ftp module so that the server supports Connection Tracking and supports temporary holes. The client can use passive mode.
5. The server uses ip_conntrack_ftp and the client uses ip_conntrack_ftp and ip_nat_ftp. The server supports temporary holes and temporary Nat holes. Both parties can use active or passive modes.
- Configuration instructions for "holes:
- Advantage: ftp configuration is not affected. disadvantage: the client may feel a delay in connection. For the reason, see the implementation principle of ip_conntract.
Add
alias ip_conntrack ip_conntract_ftp ip_nat_ftp
Add/etc/rc. Local
/sbin/modprobe ip_conntract/sbin/modprobe ip_conntrack_ftp/sbin/modprobe ip_nat_ftp
This function is to complete the "Temporary Hole" method mentioned above.
- Limits the configuration of the passive mode connection Port
- Advantage: it does not affect the connection speed. Disadvantage: limits the number of concurrent client connections in passive mode.
Add/etc/vsftpd. conf
pasv_min_port=2222pasv_max_port=2225
Open this port in iptables
-A input-M state -- state
Related, established-J accept
-A input-p tcp-M state -- state new-m
TCP -- dport 21-J accept
-A input-P
TCP -- dport 2222:2225-J accept