I recently studied firewall configuration on Linux and found that FTP broke once the firewall was configured. I was never able to log in with FileZilla or CuteFTP, and directory listings always failed. However, if I run `passive off` in the command-line client, everything works normally.
I found the answer on CU (ChinaUnix); it mainly comes down to the ip_conntrack_ftp helper.
http://linux.chinaunix.net/bbs/viewthread.php?tid=812400
Original article:
9. After using -P INPUT DROP, network access works normally, but FTP connections fail?
Following the method described above, only the FTP service on port 21 is opened and all other services are blocked. The usual configuration is:
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
With this configuration it is confirmed that the FTP client can connect to the FTP host and the welcome/login banner is displayed. However, an error occurs afterwards when listing the directory or fetching files...
The FTP protocol's data channel distinguishes two transfer modes: active mode and passive mode.
In passive mode, the protocol has the FTP client connect to the FTP server on a port that the server specifies, which is a port number greater than 1024.
So the configuration above may work for FTP transfers in general, but passive mode fails. The reason is that the host's firewall rules do not allow the FTP client to connect to the port specified by the FTP server.
To solve this problem, iptables provides a helper named ip_conntrack_ftp. It intercepts the FTP protocol commands on port 21 and sets up the corresponding firewall rules for iptables. The way to enable it:
    modprobe ip_conntrack_ftp
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Here the -m state part gains an extra RELATED item, which matches packets belonging to a connection related to an existing one; a connection structure like FTP's, where the existing control connection gives rise to an additional data connection, produces exactly such related connections.
However, if the FTP service on the host is not on port 21, make the following adjustment:
    modprobe ip_conntrack_ftp ports=21,30000
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 30000 -j ACCEPT
That is, the host provides FTP service on port 21 and on port 30000 respectively, and the FTP helper ip_conntrack_ftp can then serve passive-mode access for FTP clients on both ports without problems.
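As an added example that is not part of the quoted article, the following POSIX shell function generates the ruleset described in both configurations above (the single-port one and the multi-port one) for any list of FTP control ports, deriving the `ports=` argument of the helper module from that list and rejecting anything that is not a valid TCP port. The function name `ftp_fw_rules` is my own; it only prints the commands, so it can be reviewed first and then piped to `sh` as root to apply them.

```shell
#!/bin/sh
# Added example: emit the iptables rules that let passive-mode FTP work
# behind a default-DROP INPUT policy by loading the FTP conntrack helper.
# ftp_fw_rules is a hypothetical helper name, not from the original post.
#
# Usage: ftp_fw_rules 21 30000          # print the commands
#        ftp_fw_rules 21 30000 | sh     # apply them (as root)

ftp_fw_rules() {
    [ "$#" -gt 0 ] || set -- 21      # default: the standard control port

    # Refuse anything that is not an integer in the TCP port range; a typo
    # here would silently leave the helper watching the wrong port.
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "ftp_fw_rules: invalid port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "ftp_fw_rules: port out of range '$p'" >&2; return 1
        fi
    done

    # Build the comma-separated list the module parameter expects: "21,30000"
    ports=$(printf '%s,' "$@")
    ports=${ports%,}

    # Load the helper and tell it which control ports carry FTP commands,
    # so it can learn the data port announced in PASV/PORT replies.
    echo "modprobe ip_conntrack_ftp ports=$ports"
    echo "iptables -P INPUT DROP"
    # RELATED admits the data connection the helper registered; ESTABLISHED
    # keeps replies on already-accepted connections flowing.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # One explicit ACCEPT per control port; nothing else is opened.
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
}

# Print the two-port variant from the article when run directly.
ftp_fw_rules 21 30000
```

Two caveats for anyone applying this on a current system: the module is named nf_conntrack_ftp on modern kernels (ip_conntrack_ftp is the old name used in the article), and since Linux 4.7 automatic helper assignment is disabled by default (sysctl `net.netfilter.nf_conntrack_helper=0`), so the helper must additionally be attached to the control connection with a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`; without that, RELATED will never match the data connection even though the module is loaded.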