Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 573
  • Last Modified:

FTP not working from internal network (ftp_masquerading ???)

I have an internal network ( connected to the web via my Linux Internet Gateway Machine(RedHat 7.1).

I have successfully enable IP_Masq to ensure that people from within the network can surf the net. However they are unable to use FTP. How can I FIX this?

Please note I have attempted to re-compile the kernel but there are absolutely no options for masquerading or ftp. I assume it was built in to the Kernel.

The only modules I have regarding ftp are the following



If these mean any thing to you and is necassary for FTP to work how do I implement them...
  • 6
  • 6
  • 4
  • +6
1 Solution
I presume you are running a firewall of sorts (IPCHAINS/TABLES?):

Try using the FTP clients in 'passive' mode.

MCI_ConsultantsAuthor Commented:
I tried that but the particular site I am trying to connect to is an NT Machine and for some or other reason.

I cannot connect to it using passive mode.
do this: $ find /|grep ip_masq_ftp|grep modules

see if you have ip_masq_ftp.o

if you do, cd to the directory that it's in and type insmod ip_masq_ftp.  then type lsmod to make sure it's loaded.

now try your client's ftp program.  If it doesn't work use passive mode on your clients.
Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

MCI_ConsultantsAuthor Commented:
Everywhere I have researched speaks about the module ip_masq_ftp.

I installed EVERYTHING(2.7gigs) for Linux RedHat 7.1.

But there is NO trace of this module.
I have run out of ideas ....
MCI_ConsultantsAuthor Commented:
Sorry, but RedHat 7.1 does not have ANY trace of this module. I have scourged the www for help on this matter but nothing .... I am thinking of going back to version 6.2 because ftp is a vital need for our interanl employees.
Is it just the ONE NT machine you can't ftp to?  Or any external machine?

Don't go backwards... I have FTP working OK with no trouble in RH7.1, so it is an easy fix somewhere.

What firewall rules are you using?  What user are you FTP'ing as? Explain in more detail.

MCI_ConsultantsAuthor Commented:
The problem I has affected me on 6 different ftp sites. (I have not tried more than that).

I used the following firewall rule:-
ipchains -A forward -i eth1 -s -j MASQ

I am ftping in as anonymous.

Further analysis revealed the following:

We only have Windows Clients, so I use the ftp command in my dos_prompt window and found out the following.

I can connect to the the ftp site.
I can run PWD.
I can Change Directory.

However if I do a listing it gives me the following error:-
500 Illegal Port Command

If I try and get a file it tells me :-
425 Can't build data connection: Connection refused.

When using Internet Explorer I get this messages:-
200 : Type set to A
500 Illegal PORT Command

What the ...

I have just tried it using Netscape 4.6 and Netscape 6 and
it works!!!! Damn, perhaps it is a Microsoft problem.

Any ideas on how to solve it.
OK, so FTP _is_ working.  I have seen this port 500 message before.

Try a listing using this:

ftp>ls -ls


ftp>ls -lsa

That _should_ work and get you up and going.

I don't know why that port 500 message comes up.  I did fix it sometime back... I will think hard and get back to you.

OK, it's all coming back to me now :-)

"NOTE: If your system is connected to the Internet through a firewall, the instructions as provided above may not work. This is because the firewall may interfere with the normal operation of the FTP program. If this occurs, you cannot use the MS-DOS FTP program as provided by Microsoft in Windows 95 and 98. You will need to obtain an FTP client that can handle "passive" transfers. Browsers such as Netscape and Internet Explorer can be used in these situations."

So, 'passive' _will_ fix the problem as I said at the beginning, but MSDOS FTP cannot do 'passive'!

Try the ls -ls/ls -lsa anyway... I swear thats how I down it (nothing here to test with).

Netscape like to try passive mode if FTP has problems - MickeySoft products on the other hand seem to refuse to do this...

milkfilk was on the right track...

You need recompile your kernel and enable all masquerading options, which should eventually generate the ip_masq_ftp module, which when installed (via either kerneld or 'insmod ip_masq_ftp.o') makes your internal clients work fine, regardless of whether or not they are using passive mode.  

IMHO, this is the best solution because you don't have to muck around with each and every client config making sure it is set for passive mode...


FTP uses two ports. One for communication between client and server and the other for the transfer of files. My guess is that your ipchains rules are DENYing connections on the ftpdata port ( number 20)

Try a rule like this
ipchains -A input -i eth0 -dport 20 -j ACCEPT

I am assuming that eth0 is the interface that connects you to the Internet
MCI_ConsultantsAuthor Commented:
ls -lsa/ls -la does not work. When I try it I get connection closed by remote host.

There are NO options mentioning masquerading in the 2.4.2-5 kernel. Although I did go through the HOW-TO-IP-Masquerading and compiled the kernel with the options that I could find. (again nothing mentioning masquerading). However it did not work and it also introduced some other problems.

I tried your rule but I can still only FTP Passively.

What really confuses me is that there are no Masquerading options in the Kernel. Everywhere I look they mention the following options which are NOT in the menus for Kernels 2.4.x.

* Network firewalls (CONFIG_FIREWALL)

* IP: firewalling (CONFIG_IP_FIREWALL)IP: firewall packet netlink device (CONFIG_IP_FIREWALL_NETLINK)

* IP: transparent proxy support (CONFIG_IP_TRANSPARENT_PROXY)

* IP: masquerading (CONFIG_IP_MASQUERADE) [Y/n/?]


* IP: masquerading special modules support (CONFIG_IP_MASQUERADE_MOD)



* IP: ip fwmark masq-forwarding support (EXPERIMENTAL) (CONFIG_IP_MASQUERADE_MFW)

* IP: optimize as router not host (CONFIG_IP_ROUTER)

* IP: Allow large windows (not recommended if <16Mb of memory) * (CONFIG_SKB_LARGE)

I have none of these options.
MFCRich is forgetting about the necessary translation that IP masquerading (and specifically the ftp_masq module) performs (a common novice error).  I'm not at all surprised that his suggestion did not work.  To his credit, he is correct about the dual-connection nature of FTP - he just forgot that even if your firewall/router allows inbound data on port 20, it still will have no idea what to do with the data without ftp_masq or something similar (passive mode eliminates the connect-back on port 20, which is why that works).

Also, can your users deal with using a proxy for FTP?  While MickeySoft products may be reluctant to use passive mode, you can certainly tell them to use a proxy (i.e. socks, etc) with no problem.  If so, I'd recommend socks - free, easy to configure, and just about everything supports it...

The 2.4 kernel seems to have a lot of nice features, but is still a bit too immature for my tastes (which explains my lack of familiarity with wrt specific features) - assuming you don't specifically require any of the new functionality of 2.4, might I suggest the latest 2.2 release instead?

In any case, I will explore the 2.4 src a bit more and see what they are calling the ftp masq feature these days, since I can't imagine that they'd have nixed something as nice as the ftp_masq module...  

BTW, where did  you get your 2.4 source?

RH uses xinetd instead of inetd. Have you configured it?
In '/etc/xinetd.d' you should find a file called 'ftp' (I think). Edit it so that the line that says "DISABLED" reads "ENABLED". Hope I recalled this correctly cause I'm not at my Linux box.
MFCRich - a good idea, if the problem was an inability to connect to his own ftp server...

Unfortunately, the problem is that none of the users can connect to arbitrary remote FTP servers without using passive mode.

I think we should wait to hear some feedback from MCI Consultants about his/her luck with the above suggestions (particularly mine <grin>), and proceed from there.


MCI_ConsultantsAuthor Commented:
The orginal site I got my Kernel mods has closed down but I did a bit of surfing and found this address.

What the ... (again!!!)

My Microsoft browser can see this site's contents???
I cannot understand that. (Passive is disabled)
So I tried again but still I cannot see their contents. This problem could be related to how operating systems deal with the FTP Protocol.

I have not tried the proxy idea yet but I will do so, soon!
The following makes active FTP work on my stock 2.4.5 kernel; not sure if the one that came with RH7.1 had the same option, else just upgrade it:

For menuconfig, in the "Networking Options"/"IP: Netfilter Configuration" submenu, _just enable all the options_, but especially CONFIG_IP_NF_FTP.

Then when setting up iptables, use something like...

# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

...before you reach your fallthrough case (DROP I guess) of course. Your internal net device needs to accept all packets of course, but judging from your description, that seems to be the case already.

The "RELATED" state flag is the important one that causes the kernel to allow connections requested by the main FTP connection.

"Inside the netfilter distribution, there are currently modules for ftp: ip_conntrack_ftp.o and ip_nat_ftp.o. If you insmod these into your kernel (or you compile them in permanently), then doing any kind of NAT on ftp connections should work"

Now please reject the above "answer", since it is apparently wrong, and grab (or compile) the aformentioned modules or use proxies, etc...

BTW, this isn't really rocket science - this info comes from the second URL returned by doing an altavista search for:

+"ip_masq_ftp" +2.4 +kernel

Cironian - please post your answers as comments (as the text at the bottom of every page suggests) unless your answer _will_ solve the problem, beyond a shadow of a doubt.  I'd say there are several shadows of doubt here, and your answer was not definitive because of it.  I can forgive this error, though, since your account age is only a few days old.  Your advice on which kernel option to use was helpful, but you made nary a mention of it generating a module or the need to be sure it is inserted (sounds like your system is doing it for you, or you said "Y" to the kernel option rather than "M") - all this info (and more) should be included in a proper "answer".  The fact that you had to guess about the default policy (DROP or ACCEPT) should have been another hint that your info wasn't quite 'answer' material.


I guess I said wrong above when I meant 'rather incomplete'.  

It all equals out to the same thing, since it's all-or-nothing for the questioner (accept or reject the 'answer')

MCI Consultants - not surprising it works on some FTP sites - some servers set passive mode by default, and hence they will always work for you.

That module is on Mandrake distros for sure.  I had it working in production myself and it solved a million and a half FTP problems.
I had this problem and after many attempts decided to change kernel to 2.4.7 and use iptables instead of ipchains, so disabled ipchains and add the followings lines in rc.local

depmod -a
modprobe iptable_nat
insmod ip_nat_ftp
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s -j MASQUERADE

To enable netfilter/iptable go to and look for kernel 2.4.x only, because it's your kernel.

Help help help...

I have a similar problem and don't seem to be able to get it working.
I am using iptables and I have definitely got the module ip_conntrack_ftp installed (And therefore all that it depends on which is basically all the ipfilter stuff!)

As far as I can tell the conntrack ftp module is failing to mangle the ftp connections so that they work in active mode. I am getting "Illegal port command" back from the FTP servers (presumably because my client will have send "PORT" to it and it was never changed by the conntrack ftp module).

Anyone got any ideas? If I was using ipchains I would insmod the ip_masq_ftp module and expect it to work. Since I am now using iptables, I have insmodded ip_conntrack_ftp and I am expecting it to work...... :(

Help? Thanks
Chris Tallon
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

Community Support Moderator @Experts Exchange
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 6
  • 6
  • 4
  • +6
Tackle projects and never again get stuck behind a technical roadblock.
Join Now