On Thu, 16.02.2006, Benjamin Smith wrote at 1:43:

> I'm having a heck of a time getting vsftpd to work properly. When Iptables are
> OFF, it works fine, and when iptables is on, it dies. When I try ftp from a
> command line, here's what the session looks like:
>
> [root at mylaptop ~]# ftp ftp.server.com
> Connected to ftp.server.com.
> 220 Welcome to My Company FTP
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (ftp.server.com:root): northwind
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
> ftp>

Once the additional data connection beside the control connection is to be established (for listing the directory content), your client, configured to use passive FTP, sends the PASV command to the server, which then opens a connection from a random high port (here 32877) to a high port on your client host (here 34729 = 135*256+169).

> But, what am I doing wrong, here!?!?! Sample from
> /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.
>
> ############################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -j LOG
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> ############################################

Your iptables ruleset blocks state NEW connections other than the explicitly accepted ones, thus the above described connection from the server to your client host to port 34729 is blocked. iptables needs a helper to recognize this FTP data connection in passive mode as related to the already established control connection: ip_conntrack_ftp.

> Lastly, here's a typical log rejection notice from /var/log/messages
>
> Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT=
> MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP
> LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> What am I missing?
>
> -Ben

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 03:21:02 up 5 days, 12:12, load average: 0.96, 1.03, 0.88
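As an added example (not part of the original thread), the PASV port arithmetic and the matching of the logged SYN against the advertised data port, in Python; the sample 227 reply and LOG line are constructed from the values quoted in the thread, with the $VARIABLE placeholders kept as-is:

```python
import re

# Constructed from the values quoted in the thread above (not captured live).
PASV_REPLY = "227 Entering Passive Mode (66,81,89,182,135,169)"
LOG_LINE = ("Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT= "
            "MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729 "
            "WINDOW=5840 RES=0x00 SYN URGP=0")

PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode a 227 reply into (ip, port); port = p1*256 + p2 as in RFC 959."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV field out of range")
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_iptables_log(line):
    """Turn the KEY=VALUE tokens of an iptables LOG line into a dict.

    Bare flags such as DF and SYN carry no '=' and are skipped here."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def is_pasv_data_syn(line, pasv_reply):
    """True if the logged packet is a fresh SYN to the data port advertised in PASV.

    Without the ip_conntrack_ftp helper, conntrack has no relation between this
    SYN and the FTP control session, so a ruleset that only ACCEPTs
    ESTABLISHED,RELATED plus explicit ports treats it as NEW and rejects it."""
    _, port = parse_pasv(pasv_reply)
    f = parse_iptables_log(line)
    return (f.get("PROTO") == "TCP"
            and "SYN" in line.split()
            and f.get("DPT") == str(port))


if __name__ == "__main__":
    ip, port = parse_pasv(PASV_REPLY)
    print("PASV data endpoint: %s:%d" % (ip, port))
    if is_pasv_data_syn(LOG_LINE, PASV_REPLY):
        print("logged SYN to port %d is the passive data connection; "
              "load ip_conntrack_ftp so it is matched as RELATED" % port)
```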