I don't claim to be an iptables expert, but I had to deal with this
issue not too long ago.
You have to tell iptables to let related and established connections
through. Joe already mentioned using ip_conntrack_ftp to keep track of
ftp connections related to existing port 21 sessions, but to reiterate,
add the following to /etc/sysconfig/iptables-config (in RHEL 3.0):
IPTABLES_MODULES="ip_conntrack_ftp"
...then make sure you have this iptables rule:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I believe you could tighten things up by adding port 21 as the
destination above. When you restart iptables, it should tell you it's
loading the ip_conntrack_ftp module and let passive ftp through properly.
-Matt
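The setup Matt describes, as an added example that is not from the thread: a minimal Red Hat-style /etc/sysconfig/iptables that opens port 21 and relies on the conntrack helper for the passive data connections, plus a check to run over iptables-save output. The chain name RH-Firewall-1-INPUT and the REJECT default are the Red Hat conventions of the time; the check_ftp_rules and ftp_helper_loaded functions are my own additions, not anything from the list.

```shell
#!/bin/sh
# Added example (not from the thread): a RHEL-style ruleset that lets
# passive FTP through once ip_conntrack_ftp is loaded, plus a check to
# run over iptables-save output before trusting a change.

# Emit a minimal /etc/sysconfig/iptables. Only port 21 is opened for NEW
# connections; PASV data connections arrive as RELATED because the
# conntrack helper parsed the PASV reply, so no high-port range is opened.
ftp_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Is the FTP conntrack helper loaded? Old kernels call it ip_conntrack_ftp,
# newer ones nf_conntrack_ftp; IPTABLES_MODULES in iptables-config loads it.
ftp_helper_loaded() {
    grep -q -E '^(ip|nf)_conntrack_ftp ' /proc/modules
}

# Check a saved ruleset (file or stdin) for what passive FTP needs on the
# filter side: a RELATED accept, port 21 open, and no REJECT/DROP placed
# above the RELATED rule (a common ordering mistake). Exit status 0 = ok.
check_ftp_rules() {
    awk '
        /--state [A-Z,]*RELATED[A-Z,]* -j ACCEPT/ && !rel { rel = NR }
        /--dport 21 .*-j ACCEPT/                  && !ctl { ctl = NR }
        /-j (REJECT|DROP)/                        && !rej { rej = NR }
        END {
            if (!rel) { print "no RELATED accept rule"; exit 1 }
            if (!ctl) { print "port 21 not opened"; exit 1 }
            if (rej && rej < rel) { print "REJECT/DROP precedes RELATED"; exit 1 }
            print "filter rules allow passive FTP (given the helper)"
        }' "$@"
}

# On the server: iptables-save | check_ftp_rules && ftp_helper_loaded && echo ok
```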
Matt Pusateri wrote:
On a related note, I am not an iptables guru :( What rules do I have
to add to let passive FTP in? Do I just have to allow whatever high
port range I have specified in my ftp config?
Matt P.
On Wed, December 7, 2005 5:32 pm, Dave Sorenson wrote:
I'd agree except for the observation it was still not working when I
turned off the firewall entirely to make sure it was not a firewall
problem.
Thanks for the thought though!
Dave
Joseph Mack NA3T wrote:
On Wed, 7 Dec 2005, Dave Sorenson wrote:
directory listing. I've tried both passive and active modes with
multiple FTP clients, scoured the vsftpd.conf, firewall is open on 20
and 21 (I even tried disabling the firewall briefly to make sure that
was not the problem) but no luck. Anyone ever see this before?
VSFTP in active mode calls from a high (>1024) port rather than port
20. This is to allow it to run without root privileges. Watch it with
netcat.
Sounds like passive FTP not getting through the firewall. Try doing a
'modprobe ip_conntrack_ftp' on the server, or seeing if you can force
your client to use active mode only.
iptables "RELATED" knows about the calling port
Joe
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/