If you need to communicate from your Ubuntu server to an FTP server that requires passive mode, there is a problem: your firewall likely blocks communication. Using an FTP client manually, you can probably connect with the server, but not list or transfer files!
The reasons for this are straightforward, your system is operating exactly as it is configured to. The explanation requires a little understanding of FTP and firewalls.
Most IP protocols use one port on the local machine and port on the server being connected to. FTP happens to use two ports instead of one. When negotiating a connection, the two computers negotiate which port to send data to. This brings us to an important difference between the two modes:
- In active mode FTP, the client sends the server a PORT command, which tells the server client which port to use for data. The client connects to the server.
- In passive more, the client sends the server a PASV command that asks for a server port to use for data. The server connects with the client.
The tricky bits concern this second port that is negotiated. This port is not a fixed number, it is a dynamically allocated port above 1023. The port number is encoded in a packet as two numbers that need to be multiplied together to get the port number. The firewalls involved need to be smart enough to recognize the FTP negotiation and extract this data from the data, open that specified port and keep it open during the FTP session.
In active mode, this tricky bit is handled by the server, but in passive mode, it is handled by the client’s firewall! Ah ha! So, you need to configure your firewall to be smart about address translation and FTP connections.
Configuring the firewall
You will need to activate a couple of kernel modules for iptables. These will turn on NAT (network address translation) for FTP and FTP connection tracking. As iptables/Netfilter is part of the kernel, we need to use modprobe to add these to the current session and also make changes to /etc/modules so the modules will load next time the server is rebooted.
First, use modprobe to use these two modules now:
sudo modprobe ip_nat_ftp sudo modprobe ip_conntrack_ftp
Then, modify /etc/modules so the modules will load on next reboot:
sudo vi /etc/modules
Add these lines:
With these two modules, you should now be able to use passive mode from an FTP client on your Ubuntu server.