# [solved] allow passive ftp as a client with ip-tables

## toralf

Grr, 

```
wget --passive-ftp ftp://mirrors.dotsrc.org/kde/stable/4.13.3/src/kwalletmanager-4.13.3.tar.xz
```

doesn't work due to my restrictive firewall rules http://bpaste.net/show/475272/ - but all examples I have read till now to allow passive ftp are either for servers and/or do not work here (current 3.15 kernel) - any hints/help is appreciated.

Last edited by toralf on Sat Jul 19, 2014 9:22 am; edited 1 time in total

----------

## skaloo

From a client point of view, passive FTP requires opening 2 different connections to the FTP server (that's output, not input): one to the normal FTP port (21), the other to a randomly opened port on the server (>1023) that you can't know in advance (unless you control the server) (this 2nd port is sent to the client in the FTP protocol and is 'allocated' per client when initiating the passive mode). Those are only OUTPUTS, and I see your rules accept ESTABLISHED, so no need to add anything in INPUT. What you need is to allow both outputs. Something like this should work:

```
# control connection
iptables -A OUTPUT -p tcp --dport 21 -d <server_ip> -j ACCEPT

# passive data connection: any unprivileged port on the server (the range ends at 65535)
iptables -A OUTPUT -p tcp --dport 1024:65535 -d <server_ip> -j ACCEPT
```

Obviously if you want to connect to many FTP servers that may become a problem in terms of number of rules to add, and omitting the server IP would simply open almost all OUTPUTs which is obviously not what you want, though that points out why most people don't bother too much with OUTPUT filtering :p

Hope that helped.

PS: wikipedia and other sources have decent information about protocols, you'd have found how passive FTP works there.

----------

## toralf

Hhm, the server IP address I do not know (too many), and yes, I do not want to open too many output ports; therefore I hoped to have, with the help of the ip_conntrack_ftp module, a somehow "smart" solution.

Well - ok, I'll have to look around for which solution I'd like to have.

----------

## khayyam

toralf ...

cutting and pasting this from an old script for ingress/egress filtering, it should provide some idea of what's required. I wrote this some time ago, and so before '--state' became '--ctstate', so you will need to adjust this.

Also, this might be of interest. 

```
iface="eth0"
unprivports="1024:65535"

# Load the FTP connection-tracking helper. 'ports' lists the control-channel
# ports the helper inspects for PORT/PASV exchanges; 'loose' (not 'fxp', which
# the module does not know) allows data connections to a host other than the
# control-channel peer, i.e. FXP-style transfers.
/sbin/modprobe ip_conntrack_ftp ports=20,21,8021 loose=1 2>&1

# Allow ftp outbound (control channel, port 21).
iptables -A INPUT  -i $iface -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

# ftp connection tracking

# active ftp: the server connects in from port 20; the helper marks that SYN RELATED
iptables -A INPUT  -i $iface -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

# passive ftp: we connect out to the port announced in the PASV reply; that SYN is RELATED
iptables -A INPUT  -i $iface -p tcp --sport $unprivports --dport $unprivports \
   -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $iface -p tcp --sport $unprivports --dport $unprivports \
   -m state --state ESTABLISHED,RELATED -j ACCEPT
```

HTH & best ... khay

----------

## skaloo

Yeah, it is possible that using the conntrack_ftp module helps identify the data connections for a client connection too (sorry, don't have time to check on that today). The RELATED state should suffice then, and you already have the rules for it in OUTPUT and INPUT, so it probably is only about loading the module, possibly with the right options, as you can see in khayyam's script above.

Note: his script uses some old syntax; you might want to check on the proper new one also, unless your linux version is actually old (name of the module, possibly different support of old/new syntax, ...).

----------

## toralf

Thanks for your hints. What eventually helped was this:

```
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
```

pfff...

----------
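Editor's added example, not taken from any post in the thread. It ties the two answers together: since kernel 3.5 the automatic helper assignment that khayyam's script relies on is off by default (`net.netfilter.nf_conntrack_helper = 0`), which is why the sysctl in toralf's last post was needed on 3.15. Flipping that sysctl back on attaches helpers to every connection whose port matches, so the current recommendation is to leave it at 0 and pin the `ftp` helper to outbound port-21 control connections with the `CT` target in the `raw` table; the data channel's first packet then shows up as RELATED, and no static port range needs opening. The script below generates an `iptables-restore` fragment for that, using `-m conntrack --ctstate` in place of the deprecated `-m state --state`. It assumes iptables with the `CT` target (1.4.9+, kernel 2.6.34+), the `nf_conntrack_ftp` module, and `eth0` as the uplink; the interface name and the `apply` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): client-side FTP rules that
# rely on the nf_conntrack_ftp helper being assigned explicitly.
# Assumed: iptables with the CT target, kernel >= 3.5 (nf_conntrack_helper=0),
# uplink interface eth0 (override with IFACE=...).

IFACE="${IFACE:-eth0}"

# Emit the ruleset as an iptables-restore fragment. Keeping it in a function
# lets it be inspected or tested without touching the live firewall.
ftp_client_rules() {
    cat <<EOF
*raw
# Attach the ftp helper to our outbound control connections only. Without this
# (or nf_conntrack_helper=1) the helper never parses the PASV reply, so the
# data connection is NEW rather than RELATED and a strict OUTPUT chain drops it.
-A OUTPUT -o ${IFACE} -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
# Control channel (client -> server port 21).
-A OUTPUT -o ${IFACE} -p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT  -i ${IFACE} -p tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Passive data channel: we connect out to the port announced by the server;
# the helper has registered an expectation, so the SYN is RELATED.
-A OUTPUT -o ${IFACE} -p tcp --dport 1024:65535 -m conntrack --ctstate RELATED -j ACCEPT
# Active data channel: the server connects in from port 20 to the port we announced.
-A INPUT  -i ${IFACE} -p tcp --sport 20 -m conntrack --ctstate RELATED -j ACCEPT
# After the handshake both directions are ESTABLISHED. Drop these two lines if
# the ruleset already has a generic ESTABLISHED accept (as toralf's does).
-A INPUT  -i ${IFACE} -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o ${IFACE} -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Number of rules the fragment would add; handy for a sanity check.
count_rules() {
    ftp_client_rules | grep -c '^-A'
}

# Load the helper and append the rules without flushing existing chains
# (-n / --noflush). Needs root.
apply_rules() {
    modprobe nf_conntrack_ftp || return 1
    ftp_client_rules | iptables-restore -n
}

# Usage: sh ftp-client.sh apply    (anything else just prints the fragment)
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ftp_client_rules
fi
```

To confirm the helper is actually doing the work, run the `wget` from the first post and, while the transfer is in flight, `conntrack -L expect` (from conntrack-tools) should list an expectation for the PASV port; if the list stays empty, the control connection never got the helper (wrong interface, wrong port, or the `raw` rule was not reached).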

