Hi - I have an ftp server running version 2.0.7 of vsftpd on a CentOS 5.2 server using iptables behind a Linksys router.
The setup works for UNIX machines on either side of the Linksys router.
For the Windows machines it only works if they're behind the Linksys router - ftp does NOT work if they're outside the Linksys router.
I'd like to solve two problems:
(1) make ftp work for Windows clients outside the Linksys router
and then ideally, if possible,
(2) have ftp work for both active and passive connections and restrict those connections to use ports between 40000 to 60000
The ports 20, 21 and 40000 to 60000 on the Linksys router are open, and vsftpd is configured with the following options:
pasv_min_port=40000
pasv_max_port=60000
pasv_address=xxx.xxx.xxx.xxx
connect_from_port_20=NO
The ftp entry automatically generated by the system in /etc/sysconfig/iptables is
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
and to the IPTABLES_MODULES entry in /etc/sysconfig/iptables-config I've added
ip_conntrack_ftp
Enclosed are my iptables and vsftpd.conf files (which might not make it to the list.)
Regarding item (2), I would guess I would have to add the following entries:
Active:
---------
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT
Passive:
----------
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40000:60000 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT
Adding these entries doesn't noticeably impact vsftpd, i.e., the connections from UNIX or Windows behave identically - I just doubt whether they're correct.
Any help would be greatly appreciated!
--- Article. VI. Clause 3 of the constitution of the United States states:
"The Senators and Representatives before mentioned, and the Members of the several State Legislatures, and all executive and judicial Officers, both of the United States and of the several States, shall be bound by Oath or Affirmation, to support this Constitution; but no religious Test shall ever be required as a Qualification to any Office or public Trust under the United States."
On Thursday 22 January 2009 17:28, Agile Aspect wrote:
Regarding item (2), I would guess I would have to add the following entries:
Active:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 20 --dport 40000:60000 -j ACCEPT
All FTP connections begin with port 21. Port 20 is the DATA connection. ip_conntrack_ftp will track connections needing the data port open.
Passive:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 40000:60000 --sport 40000:60000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 40000:60000 --dport 40000:60000 -j ACCEPT
Do you have a rule like this:
-A OUTPUT --m state --state RELATED,ESTABLISHED -j ACCEPT
If not, you should place this in your rules. This rule eliminates the need to continuously add rules to allow outgoing connections for allowed incoming connections.
If you do then you should not need the OUTPUT rules you listed above.
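Pulling together the original setup above (pasv_min_port/pasv_max_port in vsftpd.conf, ip_conntrack_ftp via IPTABLES_MODULES, the RH-Firewall-1-INPUT chain) and the stateful RELATED,ESTABLISHED rule just described, here is an added example that is not code from the thread, from vsftpd or from CentOS: a POSIX shell script that reads the passive range from a constructed vsftpd.conf sample and emits the matching /etc/sysconfig/iptables lines, plus a check that catches the "--m" spelling in the rule quoted above (iptables short options take a single dash, so iptables-restore refuses such a line). The 192.0.2.10 address and the helper names vsftpd_opt, rule_ok and ftp_rules are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the FTP rules for
# /etc/sysconfig/iptables from the passive range vsftpd.conf declares, so the
# firewall and the daemon cannot drift apart, and check rule syntax.
# Assumes the CentOS 5 RH-Firewall-1-INPUT chain and that ip_conntrack_ftp
# is loaded via IPTABLES_MODULES (both as in the thread).

# Constructed sample of the relevant vsftpd.conf lines (not the poster's file).
SAMPLE_VSFTPD_CONF='listen=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=60000
pasv_address=192.0.2.10
connect_from_port_20=NO'

# vsftpd_opt CONF KEY: print the (last) value of KEY from a vsftpd.conf body.
vsftpd_opt() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# rule_ok RULE: reject the "--m state" spelling quoted in the thread; iptables
# short options take a single dash (-m, -p, -j, -A) and iptables-restore
# rejects the whole file if one line is malformed.
rule_ok() {
    case " $1 " in
        *" --"[Ampj]" "*) return 1 ;;
    esac
    return 0
}

# ftp_rules CONF: emit iptables-restore lines for vsftpd. Fails if the passive
# range is missing or inverted.
ftp_rules() {
    lo=$(vsftpd_opt "$1" pasv_min_port)
    hi=$(vsftpd_opt "$1" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] || return 1
    # Stateful rules: replies (ESTABLISHED) and data connections that
    # ip_conntrack_ftp learns from PORT/PASV (RELATED) are accepted in both
    # directions, so no per-port OUTPUT rules and no open 20 or 40000:60000.
    printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Only the control channel needs to accept NEW connections.
    printf '%s\n' "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT"
    # Fallback for passive data only when conntrack cannot read the control
    # channel (e.g. FTP over TLS); it exposes the whole range to NEW traffic.
    printf '%s\n' "#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $lo:$hi -j ACCEPT"
}

ftp_rules "$SAMPLE_VSFTPD_CONF"
```

With ip_conntrack_ftp loaded, the RELATED rule covers both active and passive data connections, so the 40000:60000 range stays closed to new connections unless conntrack cannot see the control channel. The built-in Windows command-line ftp client has no passive mode, which is worth keeping in mind for item (1).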
Robert Spangler wrote:
Do you have a rule like this:
-A OUTPUT --m state --state RELATED,ESTABLISHED -j ACCEPT
No I don't.
It doesn't work under CentOS 5.2. But it works on my laptop which is running Fedora 9.
If not, you should place this in your rules. This rule eliminates the need to continuously add rules to allow outgoing connections for allowed incoming connections.
If you do then you should not need the OUTPUT rules you listed above.
Thanks for the reply!
Have you loaded the ftp modules?
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
-chaz
Chaz Sliger wrote:
Have you loaded the ftp modules?
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
-chaz
Yes, they were added in iptables-config.
iptables is working fine.
Thanks.
On Tuesday 27 January 2009 21:45, Agile Aspect wrote:
Robert Spangler wrote:
Do you have a rule like this:
-A OUTPUT --m state --state RELATED,ESTABLISHED -j ACCEPT
No I don't.
It doesn't work under CentOS 5.2. But it works on my laptop which is running Fedora 9.
I don't understand why it doesn't work on your server unless you are not using STATEFUL inspection on your firewall.
Robert Spangler wrote:
On Tuesday 27 January 2009 21:45, Agile Aspect wrote:
Robert Spangler wrote:
Do you have a rule like this:
-A OUTPUT --m state --state RELATED,ESTABLISHED -j ACCEPT
No I don't.
It doesn't work under CentOS 5.2. But it works on my laptop which is running Fedora 9.
I don't understand why it doesn't work on your server unless you are not using STATEFUL inspection on your firewall.
Use /usr/sbin/system-config-network-tui to generate a template iptables file and then add the syntax in question.
It won't load. You'll have to re-write it.
In short, it's syntax sugar.
It doesn't work in CentOS 5.2, but it works on my laptop, which is running Fedora 9.
It's hard to imagine iptables not being stateful if you're using the key words NEW, ESTABLISHED, and RELATED.