Sorry if this is a stupid question, but to get outbound active FTP connections through our firewall we need to run the following:
sudo modprobe ip_conntrack_ftp
I learned this trick from
In that article it says to persist it I should add
IPTABLES_MODULES="ip_conntrack_ftp"
to /etc/sysconfig/iptables-config.
But I'm not sure that is right for Ubuntu, should I add ip_conntrack_ftp to the bottom of /etc/modules instead?
Thanks.
2 Answers
Yes, you can add ip_conntrack_ftp to /etc/modules. Be attentive: you don't have to enter the modprobe command, just the name of the kernel module!
Please note that if you are using a nonstandard / custom ftp port, you can just add ports=<portnumber> to the end of the line.
For a specific example, HylaFax works using the FTP protocol and begins connections using port 4559 as the control port, and then opens passive FTP ports who-knows-where. All you have to do with a custom FTP port of 4559 is sudo vi /etc/modules and then add a new line to the end of the file with ip_conntrack_ftp ports=4559.
Reboot and you should be good to go!
If you have more than one ftp service, you could also do ports=21,4559 for instance.
For this to work, you will also need the corresponding iptables rules:
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4559 -j ACCEPT
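As an added example (not part of either answer), a small POSIX shell helper that makes the /etc/modules edit from the answers above idempotent, so repeated runs or a changed port list never leave two conflicting ip_conntrack_ftp lines, and that reads back which ports the loaded helper actually tracks. The file path is a parameter so it can be tried on a scratch copy before touching /etc/modules.

```shell
#!/bin/sh
# Added example, not from the original answers. Persist the conntrack FTP
# helper with a ports= list and verify what the running kernel accepted.

# Usage: persist_ftp_helper FILE MODULE PORTS
# Drops any existing entry for MODULE and appends exactly one
# "MODULE ports=PORTS" line, so the file never holds two conflicting entries.
persist_ftp_helper() {
    file=$1; module=$2; ports=$3
    tmp=$(mktemp)
    # Keep every line that is not already an entry for this module.
    # grep exits 1 when nothing is left, which is not an error here.
    grep -Ev "^${module}([[:space:]].*)?$" "$file" > "$tmp" || true
    printf '%s ports=%s\n' "$module" "$ports" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage: helper_ports MODULE
# Prints the comma-separated control ports the loaded helper exposes via
# sysfs (the kernel's "ports" module parameter), or "not loaded" with a
# non-zero exit status when the module is absent. Reading the parameter
# normally requires root.
helper_ports() {
    name=$1
    # ip_conntrack_ftp is only an alias of nf_conntrack_ftp; sysfs uses the real name.
    [ "$name" = ip_conntrack_ftp ] && name=nf_conntrack_ftp
    f=/sys/module/$name/parameters/ports
    if [ -r "$f" ]; then
        tr -d '\n' < "$f"; echo
    else
        echo "not loaded"
        return 1
    fi
}

# Example of the real thing (run as root), matching the HylaFax case above:
#   persist_ftp_helper /etc/modules ip_conntrack_ftp 21,4559
#   modprobe ip_conntrack_ftp ports=21,4559   # load now instead of rebooting
#   helper_ports ip_conntrack_ftp            # expect: 21,4559
```

If the helper was already loaded with different ports, modprobe will not change them; unload it with rmmod first or reboot, as the answer suggests.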