iptables ftp conntrack using port != 21 - Networking


Thread: iptables ftp conntrack using port != 21

  1. iptables ftp conntrack using port != 21

    Hi everyone,

    I want to run the ftp server of my linux box on a non-standard port
    (say, 20 for data but 666 for handshake). The problem is that
    obviously the connection tracking module in iptables only works with
    ports 20/21. If I check my logs I see that the client's LIST command
    is recognized as a NEW connection if my ftp server is set to use port
    666.
    Is this a fact or am I just missing some setting?

    Thanks in advance,
    Eric

  2. Re: iptables ftp conntrack using port != 21

    Hello,

    Eric wrote:
    >
    > I want to run the ftp server of my linux box on a non-standard port
    > (say, 20 for data but 666 for handshake). The problem is that
    > obviously the connection tracking module in iptables only works with
    > ports 20/21.


    AFAIK port 20 is not involved in FTP connection tracking as it does not
    appear in port/passive commands.

    > If I check my logs I see that the client's LIST command
    > is recognized as a NEW connection if my ftp server is set to use port
    > 666.
    > Is this a fact or am I just missing some setting?


    Hint : modinfo ip_conntrack_ftp (or nf_conntrack_ftp on recent kernels)

  3. Re: iptables ftp conntrack using port != 21

    Eric wrote:
    > Hi everyone,
    >
    > I want to run the ftp server of my linux box on a non-standard port
    > (say, 20 for data but 666 for handshake). The problem is that
    > obviously the connection tracking module in iptables only works with
    > ports 20/21. If I check my logs I see that the client's LIST command
    > is recognized as a NEW connection if my ftp server is set to use port
    > 666.
    > Is this a fact or am I just missing some setting?
    >


    You could load the ip_conntrack_ftp module with another port in its configuration:

    modprobe ip_conntrack_ftp ports=21,



    > Thanks in advance,
    > Eric


  4. Re: iptables ftp conntrack using port != 21

    On 13 Mar., 07:23, Philippe Weill wrote:

    > modprobe ip_conntrack_ftp ports=21,


    Ah, thanks, obviously this is exactly what I was looking for.
    Btw, I'm using a 99% monolithic kernel, so what does the boot
    parameter look like? Is it

    ip_conntrack_ftp.ports=

    (I'm using lilo but that shouldn't influence the parameter syntax)?

    Regards, Eric

  5. Re: iptables ftp conntrack using port != 21

    Eric wrote:
    > On 13 Mar., 07:23, Philippe Weill wrote:
    >
    >> modprobe ip_conntrack_ftp ports=21,

    >
    > Ah, thanks, obviously this is exactly what I was looking for.
    > Btw, I'm using a 99% monolithic kernel, so what does the boot
    > parameter look like? Is it
    >
    > ip_conntrack_ftp.ports=


    Perhaps it's a mistake, but I think you couldn't if it's not a module.

    >
    > (I'm using lilo but that shouldn't influence the parameter syntax)?
    >
    > Regards, Eric


  6. Re: iptables ftp conntrack using port != 21

    On 13 Mar., 17:34, Philippe Weill wrote:

    > Perhaps it's a mistake, but I think you couldn't if it's not a module.


    Hmm, I thought this was the standard syntax for in-kernel "modules".
    Isn't anyone out there who knows for sure?

    Regards, Eric
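The following is an added example, not code from this thread or from the netfilter project. It models what the FTP conntrack helper does with its `ports=` parameter (post 3) and why port 20 never matters to it (post 2): the helper only looks at control connections whose server port is in its configured list, parses the PORT/EPRT commands and the 227/229 replies there, and registers an expectation for the data connection it announces, so that connection is classified RELATED instead of NEW. The class name `FtpHelper`, the `demo` function and the addresses 192.168.1.10 / 10.0.0.5 are constructed for the example. On the boot-parameter question in the last posts: the kernel's own parameter documentation (Documentation/admin-guide/kernel-parameters.txt) gives parameters of built-in modules on the kernel command line as module.parameter=value, i.e. the ports= list in the same form as for modprobe.

```python
"""Toy model of the FTP conntrack helper's ports= parameter (example, not kernel code)."""
import re

# Address/port announcements that the real helper parses on the control channel.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPRT_RE = re.compile(r"^EPRT \|1\|([\d.]+)\|(\d+)\|$")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def parse_ports_param(value):
    """Parse a `ports=21,666` module / boot parameter value into a tuple of ints."""
    ports = tuple(int(p) for p in value.split(",") if p.strip())
    if not ports:
        raise ValueError("ports= must name at least one control port")
    return ports


class FtpHelper:
    """Models nf_conntrack_ftp bound to a list of control ports (constructed example)."""

    def __init__(self, ports=(21,)):
        self.ports = frozenset(ports)
        # Expected data flows as (src_ip, dst_ip, dst_port); port 20 is never part of it.
        self.expectations = set()

    def inspect_control(self, client_ip, server_ip, server_port, direction, line):
        """Feed one control-channel line ("c2s" = client command, "s2c" = server reply).

        Returns the expectation registered for the upcoming data connection, or None
        when the line announces nothing or the helper is not bound to server_port.
        """
        if server_port not in self.ports:
            return None  # helper not attached: the data connection will look NEW
        line = line.rstrip("\r\n")
        exp = None
        if direction == "c2s":
            m = PORT_RE.match(line)
            if m:  # active mode: server will connect to the client's announced socket
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                exp = (server_ip, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            else:
                m = EPRT_RE.match(line)
                if m:
                    exp = (server_ip, m.group(1), int(m.group(2)))
        else:
            m = PASV_RE.match(line)
            if m:  # passive mode: client will connect to the server's announced socket
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                exp = (client_ip, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
            else:
                m = EPSV_RE.match(line)
                if m:
                    exp = (client_ip, server_ip, int(m.group(1)))
        if exp:
            self.expectations.add(exp)
        return exp

    def classify_data(self, src_ip, dst_ip, dst_port):
        """Conntrack state the data connection's SYN gets: RELATED if expected, else NEW."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expectations:
            self.expectations.discard(key)  # an expectation is consumed once
            return "RELATED"
        return "NEW"


def demo(control_port, helper_ports):
    """Constructed session: client 192.168.1.10, server 10.0.0.5 listening on control_port."""
    helper = FtpHelper(helper_ports)
    c, s = "192.168.1.10", "10.0.0.5"
    helper.inspect_control(c, s, control_port, "c2s", "PASV\r\n")
    helper.inspect_control(c, s, control_port, "s2c",
                           "227 Entering Passive Mode (10,0,0,5,195,80)\r\n")
    passive = helper.classify_data(c, s, 50000)  # 195*256 + 80
    helper.inspect_control(c, s, control_port, "c2s", "PORT 192,168,1,10,4,1\r\n")
    active = helper.classify_data(s, c, 1025)  # server dials out (from port 20) to client
    return passive, active


if __name__ == "__main__":
    print("control on 666, helper ports=21     :", demo(666, parse_ports_param("21")))
    print("control on 666, helper ports=21,666 :", demo(666, parse_ports_param("21,666")))
```

With the default `ports=21` both data connections of a session on port 666 come back NEW, which is exactly the log symptom in the first post; with `ports=21,666` they are RELATED. One caveat for current kernels: the helper is no longer attached to connections automatically (the nf_conntrack_helper sysctl defaulted to 0 from 4.7 and was removed in 6.0), so besides the ports= list a raw-table rule such as `iptables -t raw -A PREROUTING -p tcp --dport 666 -j CT --helper ftp` is needed to bind it, and the usual `-m conntrack --ctstate RELATED,ESTABLISHED` accept rule then covers the data connection.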
