Comments on: FTP behind NAT with TLS howto http://www.warden.pl/2007/11/16/ftp-behind-nat-with-tls-howto/#utm_source=feed&utm_medium=feed&utm_campaign=feed "Idiopathic, from the Latin meaning we're idiots cause we can't figure out what's causing it." by dr House Sat, 04 Feb 2012 00:00:09 +0000 hourly 1 http://wordpress.org/?v=3.1.1 By: Radek http://www.warden.pl/2007/11/16/ftp-behind-nat-with-tls-howto/#comment-1058 Radek Sun, 24 Jan 2010 12:58:44 +0000 http://www.warden.pl/wp/wordpress/?p=6#comment-1058 The X:Y notation is perfectly valid, at least with iptables v. 1.4.6. warden:~# iptables -D INPUT -p tcp --destination-port 50000:51000 -m state --state NEW -j ACCEPT Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:50000:51000 state NEW The X:Y notation is perfectly valid, at least with iptables v. 1.4.6.

warden:~# iptables -D INPUT -p tcp –destination-port 50000:51000 -m state –state NEW -j ACCEPT

Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:50000:51000 state NEW

]]> By: AAAle http://www.warden.pl/2007/11/16/ftp-behind-nat-with-tls-howto/#comment-623 AAAle Thu, 02 Apr 2009 20:49:01 +0000 http://www.warden.pl/wp/wordpress/?p=6#comment-623 Thanks a lot for this post. It really solved my problem!!! Thanks a lot for this post.
It really solved my problem!!!

]]> By: Radek http://www.warden.pl/2007/11/16/ftp-behind-nat-with-tls-howto/#comment-539 Radek Tue, 10 Feb 2009 16:14:44 +0000 http://www.warden.pl/wp/wordpress/?p=6#comment-539 Hi John, Nope, it is perfectly valid. You mix port specified by commas with a portrange specified with x:y notation. man iptables look for port range. Hi John,

Nope, it is perfectly valid. You mix port specified by commas with a portrange specified with x:y notation.
man iptables
look for port range.

]]> By: John Lee http://www.warden.pl/2007/11/16/ftp-behind-nat-with-tls-howto/#comment-538 John Lee Tue, 10 Feb 2009 15:59:44 +0000 http://www.warden.pl/wp/wordpress/?p=6#comment-538 I got an error when using 50000:51000 - I don't think : is valid here and according to the iptables man page only 15 ports can be specified with multiport. Also I had to add -- to your second state option. Here's the rule I ended up using # Allow ftp passive port connections inbound (as I'm using SSL now for FTP Control sessions ip_conntrack_ftp can't see anything) iptables -A INPUT -p tcp -i eth0 -m state --state NEW -j ACCEPT -m multiport --dports 51000,51001,51002,51003,51004,51005 I put these entries in my vsftpd.conf pasv_min_port=51000 pasv_max_port=51005 Thanks for the info - it helped. I got an error when using 50000:51000 – I don’t think : is valid here and according to the iptables man page only 15 ports can be specified with multiport. Also I had to add — to your second state option.

Here’s the rule I ended up using

# Allow ftp passive port connections inbound (as I’m using SSL now for FTP Control sessions ip_conntrack_ftp can’t see anything)
iptables -A INPUT -p tcp -i eth0 -m state –state NEW -j ACCEPT -m multiport –dports 51000,51001,51002,51003,51004,51005

I put these entries in my vsftpd.conf
pasv_min_port=51000
pasv_max_port=51005

Thanks for the info – it helped.

]]>