[CentOS] FTP Server and IPTables?

Thu Feb 16 00:43:14 UTC 2006
Benjamin Smith <lists at benjamindsmith.com>

I'm having a heck of a time getting vsftpd to work properly. When iptables is 
OFF, it works fine, and when iptables is on, it dies. When I try ftp from a 
command line, here's what the session looks like: 


[root at mylaptop ~]# ftp ftp.server.com
Connected to ftp.server.com.
220 Welcome to My Company FTP
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.server.com:root): northwind
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (66,81,89,182,135,169)
ftp: connect: No route to host
ftp> 

But, what am I doing wrong, here!?!?! Sample from 
/etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES. 
############################################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
############################################

Lastly, here's a typical log rejection notice from /var/log/messages: 
Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT= 
MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP 
LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729 
WINDOW=5840 RES=0x00 SYN URGP=0

What am I missing? 

-Ben 
-- 
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
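Editor's note, added example (not part of Ben's post or of vsftpd): the two artifacts in the post line up exactly. A 227 reply encodes the passive data port as p1*256+p2, so "(…,135,169)" advertises TCP port 34729, which is the DPT of the SYN that the firewall logged and rejected. The script below parses the PASV reply and the iptables LOG line and correlates them, so the same check can be run over a real session capture and a real /var/log/messages. The sample strings are constructed from the post; the SRC and DST addresses are placeholder values standing in for $MYHOUSEIP and $SERVERIP, and the function names are this example's own.

```python
import re

# Constructed samples, shaped after the post: the server's PASV reply and the
# kernel LOG line. 203.0.113.10 stands in for $MYHOUSEIP; 66.81.89.182 is the
# address the PASV reply itself advertises and stands in for $SERVERIP.
PASV_REPLY = "227 Entering Passive Mode (66,81,89,182,135,169)"
IPTABLES_LOG = (
    "Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT= "
    "MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=203.0.113.10 DST=66.81.89.182 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729 "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)

# RFC 959 PASV reply: (h1,h2,h3,h4,p1,p2) -> host h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 'Entering Passive Mode' reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    g = m.groups()
    ip = ".".join(g[:4])
    port = int(g[4]) * 256 + int(g[5])
    return ip, port


def parse_iptables_log(line):
    """Turn the KEY=VALUE fields of an iptables LOG line into a dict.

    Bare flag tokens such as DF and SYN are stored as True. Everything
    before 'kernel:' (timestamp, hostname) is ignored.
    """
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok.isalpha() and tok.isupper():
            fields[tok] = True
    return fields


def explain_rejection(pasv_reply, log_line):
    """Check whether the logged packet is the client's SYN to the PASV data port.

    If it is, the control connection on port 21 was accepted but the data
    connection was not: the ESTABLISHED,RELATED rule only covers the data
    port when the FTP connection-tracking helper has followed the control
    session, and no other rule opens that port.
    """
    ip, port = parse_pasv(pasv_reply)
    f = parse_iptables_log(log_line)
    same_target = f.get("DST") == ip and f.get("DPT") == str(port)
    if f.get("PROTO") == "TCP" and f.get("SYN") is True and same_target:
        return {
            "data_port": port,
            "blocked": True,
            "reason": "SYN to the advertised passive data port hit no ACCEPT rule",
        }
    return {"data_port": port, "blocked": False,
            "reason": "logged packet is not the PASV data connection"}


if __name__ == "__main__":
    print(parse_pasv(PASV_REPLY))
    print(explain_rejection(PASV_REPLY, IPTABLES_LOG))
```

When the correlation comes back as blocked, the ruleset's ESTABLISHED,RELATED line was never able to classify the data connection as RELATED. On a CentOS host of this era the FTP helper is the ip_conntrack_ftp kernel module (listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config); without it, the only alternative is to pin vsftpd to a fixed passive range (pasv_min_port/pasv_max_port) and accept exactly that range on port 21's peers, which is a wider hole than the helper needs.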