4 Replies Latest reply: Feb 10, 2013 1:41 AM by Catch~22

    Adding multiple IPTABLES_MODULES

    975148
      I have a RHEL 5.8 server and I am trying to implement a writable FTP server. I need to add the following module as below,

      IPTABLES_MODULES="nf_conntrack_ftp nf_nat_ftp"

      But there is already a module like this,

      IPTABLES_MODULES="ip_conntrack_netbios_ns"

      My query is how to add 2 IPTABLES_MODULES.

      I hope my question is clear.

      Please revert with the reply to my query.

      Regards
        • 1. Re: Adding multiple IPTABLES_MODULES
          Catch~22
          I have a RHEL 5.8 server and I am trying to implement a writable FTP server.
          You can change /etc/sysconfig/iptables-config

          IPTABLES_MODULES="ip_conntrack_netbios_ns"
          to
          IPTABLES_MODULES="ip_conntrack_netbios_ns ip_nat_ftp ip_conntrack_ftp"

          # modprobe -a ip_nat_ftp ip_conntrack_ftp
          # lsmod | grep ftp

          Then restart the firewall and check /var/log/messages

          # service iptables restart
          # tail /var/log/messages

          But what are you trying to fix? As far as I know, the kernel modules address matters of passive FTP in case your client is behind a NAT interface. FTP is a two-way connection. The server requests the IP of the client to connect back to the client for data transfer. In passive FTP mode the client initiates both connections to the server. As far as I know, this affects your ability to connect to the FTP server, but not write access to the FTP server as such.
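
The edit described in reply 1, as an added example that is not part of the original thread: a shell function that merges extra modules into the one space-separated IPTABLES_MODULES line without duplicating entries. The function names `current_modules` and `merge_modules` are hypothetical, and the name check is there because the iptables init script sources this file as shell.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage after sourcing this file, as root:
#   merge_modules /etc/sysconfig/iptables-config ip_nat_ftp ip_conntrack_ftp

# current_modules FILE: print the value of the last IPTABLES_MODULES line.
current_modules() {
    sed -n 's/^IPTABLES_MODULES="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# merge_modules FILE MODULE...: rewrite FILE so IPTABLES_MODULES holds every
# existing module once, followed by each requested module not yet listed.
# The body runs in a subshell so that "set -f" does not leak to the caller.
merge_modules() (
    set -f                      # no glob expansion of values read from the file
    file=$1; shift
    merged=""
    for m in $(current_modules "$file") "$@"; do
        # Only plain module names are accepted: the init script sources this
        # file, so a quote or ';' in a name would end up executed as root.
        case $m in
            ""|*[!A-Za-z0-9_-]*) echo "invalid module name: $m" >&2; return 1 ;;
        esac
        case " $merged " in
            *" $m "*) ;;                          # already listed
            *) merged="${merged:+$merged }$m" ;;  # append, space-separated
        esac
    done
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    if grep -q '^IPTABLES_MODULES=' "$file"; then
        # $merged contains only [A-Za-z0-9_-] and spaces, so it is safe in sed.
        sed "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$merged\"/" "$file" > "$tmp"
    else
        { cat "$file"; printf 'IPTABLES_MODULES="%s"\n' "$merged"; } > "$tmp"
    fi
    # Write back through the original file so its owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
)
```
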
          • 2. Re: Adding multiple IPTABLES_MODULES
            975148
            Thanks
            • 3. Re: Adding multiple IPTABLES_MODULES
              alvaromiranda
              Hi there.

              Take into consideration that FTP uses 2 ports: 20 and 21.

              So be sure to allow both in your rules.

              Alvaro.
              • 4. Re: Adding multiple IPTABLES_MODULES
                Catch~22
                Not necessarily. If the FTP server is behind NAT or a firewall, since the OP asked about relevant modules, then it is often configured to use a passive port. The problem with NAT is that the FTP server may not be able to connect back to the private IP reported by the FTP client, which is typical for external access, hence the connection will fail.