# PASV ftp - I misconfigured my iptables config file

## toralf

I googled around the world and tried a lot, but I cannot fetch files from Gentoo mirrors using passive ftp if this iptables script is activated: http://bpaste.net/show/174745/

Anybody sees the error?

Last edited by toralf on Sun Feb 02, 2014 4:07 pm; edited 2 times in total

----------

## PaulBredbury

You have:

```
$IPT -t filter -P OUTPUT DROP
```

I would log that, before dropping it ;)

Edit: You are logging it. Anything in the log?

You're probably dropping the 2nd of the 2 outgoing passive FTP requests.

----------

## toralf

The log shows

```
Feb 2 10:59:20  MYFW4_OUT=       wlp3s0 192.168.178.21   209.132.183.64      TCP  40248  54673       DF SYN
Feb 2 10:59:24  MYFW4_OUT=       wlp3s0 192.168.178.21   209.132.183.64      TCP  40248  54673       DF SYN
Feb 2 13:25:38  MYFW4_OUT=       wlp3s0 192.168.178.21   209.132.183.64      TCP  56566  13318       DF SYN
Feb 2 13:25:39  MYFW4_OUT=       wlp3s0 192.168.178.21   209.132.183.64      TCP  56566  13318       DF SYN
```

and this matches this point in time:

```
$ wget ftp://sources.redhat.com/pub/lvm2/LVM2.2.02.105.tgz --directory-prefix=/usr/portage/distfiles/
--2014-02-02 13:25:36--  ftp://sources.redhat.com/pub/lvm2/LVM2.2.02.105.tgz
           => ‘/usr/portage/distfiles/LVM2.2.02.105.tgz.2’
Resolving sources.redhat.com... 209.132.183.64
Connecting to sources.redhat.com|209.132.183.64|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub/lvm2 ... done.
==> SIZE LVM2.2.02.105.tgz ... 1374752
==> PASV ... 
```

But I did not understand why the rules forbid passive. BTW thx for the link, I tried this http://slacksite.com/other/ftp-appendix2.html from that page, but from the log it seems that I do block the OUTPUT, so the INPUT chain was already fine before, or?

----------

## PaulBredbury

See the URL I gave - in passive FTP, there's 2 connections. You're blocking the 2nd connection attempt from the client.

Hopefully just need this (specifying the helper, to make "ESTABLISHED,RELATED" work), based on info:

```
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -m helper --helper ftp -p tcp --sport 1024: --dport 1024: -j ACCEPT
```
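The two-connection behaviour described in the reply above can be checked directly against the log layout posted earlier in the thread. The following Python script is an added example, not code from the thread or from any iptables/netfilter project: it decodes a constructed `227 Entering Passive Mode` reply into the data-channel endpoint (port = p1 * 256 + p2, the same field the `nf_conntrack_ftp` helper reads in order to mark the second connection RELATED) and then scans constructed `MYFW4_OUT` lines for outbound SYNs to that endpoint. The PASV reply text, the log lines, and every function name are assumptions made for this example; the host and port values were chosen so they line up with the dropped SYNs shown in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed PASV reply in the RFC 959 "227" format: four address octets,
# then the data port split into two bytes (p1, p2). 213 * 256 + 145 = 54673,
# the destination port of the dropped SYNs in the thread's log.
PASV_REPLY = "227 Entering Passive Mode (209,132,183,64,213,145)"

# Constructed log lines in the same layout as the thread's MYFW4_OUT entries:
# timestamp, chain tag, interface, src, dst, proto, sport, dport, flags.
# The last line is unrelated outbound DNS, included to show it is ignored.
FIREWALL_LOG = """\
Feb 2 10:59:20  MYFW4_OUT=       wlp3s0 192.168.178.21   209.132.183.64      TCP  40248  54673       DF SYN
Feb 2 10:59:24  MYFW4_OUT=       wlp3s0 192.168.178.21   209.132.183.64      TCP  40248  54673       DF SYN
Feb 2 13:25:38  MYFW4_OUT=       wlp3s0 192.168.178.21   209.132.183.64      TCP  56566  13318       DF SYN
Feb 2 13:25:40  MYFW4_OUT=       wlp3s0 192.168.178.21   192.168.178.1       UDP  41000  53
"""

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class LogEntry:
    time: str
    iface: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: Tuple[str, ...]


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Decode a 227 reply into (ip, port); the port is p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV field out of byte range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_log_line(line: str) -> Optional[LogEntry]:
    """Parse one MYFW4_OUT line; returns None for lines in another layout."""
    t = line.split()
    if len(t) < 10 or not t[3].startswith("MYFW4_OUT"):
        return None
    return LogEntry(time=" ".join(t[0:3]), iface=t[4], src=t[5], dst=t[6],
                    proto=t[7], sport=int(t[8]), dport=int(t[9]),
                    flags=tuple(t[10:]))


def dropped_data_syns(log_text: str, endpoint: Tuple[str, int]) -> List[LogEntry]:
    """Return the logged outbound TCP SYNs aimed at the passive data endpoint."""
    ip, port = endpoint
    hits = []
    for line in log_text.splitlines():
        e = parse_log_line(line)
        if e and e.proto == "TCP" and "SYN" in e.flags and (e.dst, e.dport) == (ip, port):
            hits.append(e)
    return hits


def diagnose(pasv_reply: str, log_text: str) -> dict:
    """Tie the PASV reply to the OUTPUT log: was the data connection dropped?"""
    endpoint = parse_pasv(pasv_reply)
    hits = dropped_data_syns(log_text, endpoint)
    return {
        "data_endpoint": endpoint,
        "high_port": endpoint[1] >= 1024,  # why the suggested rule uses --dport 1024:
        "dropped_syn_count": len(hits),
        # same source port retried: the client never got a SYN-ACK
        "retried": len(hits) > 1 and len({h.sport for h in hits}) == 1,
        "data_connection_dropped": bool(hits),
    }


if __name__ == "__main__":
    result = diagnose(PASV_REPLY, FIREWALL_LOG)
    print("passive data endpoint:", result["data_endpoint"])
    if result["data_connection_dropped"]:
        print("OUTPUT dropped %d SYN(s) to the data port: the second connection "
              "was not classified RELATED, so the ftp conntrack helper is not "
              "tracking the control channel." % result["dropped_syn_count"])
    else:
        print("no dropped SYN to the data endpoint found in the log")
```

Running the script as-is reports the endpoint `('209.132.183.64', 54673)` and two dropped SYNs from the same source port, which is exactly the retry pattern in the posted log: the control connection on port 21 is fine, and it is the helper-derived RELATED data connection that the OUTPUT policy of DROP catches.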

----------

## toralf

Thx for your help - pointed me to this missing command:

```
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
```

Before I had however to run

```
modprobe nf_conntrack_ftp
```

which makes me wonder why, b/c all other modules are loaded automatically

----------

