[LARTC] DNAT rule for vsftp (PASSIVE FTP)
Grant Taylor
gtaylor at riverviewtech.net
Fri Oct 5 16:18:23 CEST 2007
On 10/05/07 02:16, Indunil Jayasooriya wrote:
> What is FTP helper module?
As I understand it, the Connection Tracking FTP helper module is
essentially a small module / algorithm that you load into the
Connection Tracking structure (via the below modules) to watch what FTP
commands you send out and / or receive so that it can dynamically on the
fly update the connection tracking table to allow the other negotiated
ports that FTP uses through stateful packet inspection. In other words,
you should not need to write explicit rules for control and data
connections, be it active or passive.
> is it ip_nat_ftp ?
Yes.
> ANYWAY, I have loaded below 2 modules.
>
> /sbin/modprobe -a ip_conntrack_ftp ip_nat_ftp
>
> YOUR COMMENTS.
That should work.
I'll have to double check some things to make sure that you don't need
to do anything special other than just allow the initial connection and
rely on the FTP connection tracking helper to handle all other connections.
I've never run an FTP server behind a NAT, but I've never had a problem
with the FTP client behind the NAT with the above modules loaded.
Though it is my understanding that the module will take care of both.
Grant. . . .
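
Added example (not part of the original message, and not the kernel modules' own code): a simplified Python model of what the two modules named above do with the FTP control channel. The conntrack half reads the data endpoint announced in a PORT command or a 227 PASV reply so the later data connection can be treated as RELATED, and the NAT half rewrites the announced private address. The function names, the 192.168.1.10 server and the 203.0.113.5 public address are assumptions made for the illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by PORT (RFC 959) and the 227 PASV reply
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_endpoint(line):
    """Return (ip, port) announced by a PORT command or a 227 reply, else None."""
    text = line.strip()
    if not (text.upper().startswith("PORT ") or text.startswith("227 ")):
        return None
    m = _TUPLE.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_for_nat(line, public_ip):
    """Model of the NAT half: swap the announced address for the public one."""
    ep = parse_endpoint(line)
    if ep is None:
        return line
    port = ep[1]
    new = "%s,%d,%d" % (public_ip.replace(".", ","), port >> 8, port & 0xFF)
    return _TUPLE.sub(new, line, count=1)


def track(control_lines, public_ip):
    """Walk a control channel; collect expected data endpoints and rewritten lines."""
    expected, out = [], []
    for line in control_lines:
        ep = parse_endpoint(line)
        if ep:
            expected.append(ep)  # a later connection to this endpoint counts as RELATED
        out.append(rewrite_for_nat(line, public_ip))
    return expected, out


# Constructed sample: server at 192.168.1.10 behind DNAT, public address 203.0.113.5
SAMPLE = [
    "220 (vsFTPd) ready",
    "PASV",
    "227 Entering Passive Mode (192,168,1,10,195,80).",
]

if __name__ == "__main__":
    print(track(SAMPLE, "203.0.113.5"))
```

Because the helper works by reading these lines, it needs the control channel in clear text; a TLS-protected control connection hides the PORT and 227 lines from it.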