[SOLVED] ftp and iptables
10th December 2010, 12:43 PM
I installed vsftpd on a Fedora 14 box.
In iptables I allowed ports 20 and 21:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
When iptables is running I cannot get the mapping list in my ftp client, so I can't connect. When I disable iptables everything works fine.
So I guess my iptables configuration is not complete. However, I have no idea what is missing.
Any help would be appreciated.
10th December 2010, 03:37 PM
Established rules would also be needed. You would also need connection tracking, I suspect. I'd suggest you look at using passive ftp only. Active ftp is a pain with a firewall. Google for iptables ftp passive. There are many examples of iptables rules to follow.
With passive, you tell your FTP server a range of ports you want it to use, and then open them like you open 21. 20 is outbound with active FTP, so input is not relevant. With passive FTP, the data connection is initiated by the remote client at a port specified by your FTP server from the range you've opened.
14th December 2010, 02:31 PM
I solved this by adding the ip_conntrack_ftp module on boot.
Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file:
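The two replies above (open a passive port range plus an ESTABLISHED,RELATED rule, and load the FTP conntrack helper at firewall start) combined into one script. This is an added example, not code from the thread or from the vsftpd project; the passive range 40000-40100 is an example value chosen here, and the module name ip_conntrack_ftp is the one the thread reports for Fedora 14.

```shell
#!/bin/sh
# Added example (not from the thread): builds an iptables-restore ruleset for a
# vsftpd server running in passive mode, as the replies above describe.
# Assumptions: the passive range 40000-40100 is an example value chosen here;
# the helper module name ip_conntrack_ftp is the one reported in the thread.

PASV_MIN=40000   # must equal pasv_min_port in vsftpd.conf (example value)
PASV_MAX=40100   # must equal pasv_max_port in vsftpd.conf (example value)

# Print filter-table rules in the text format `iptables-restore` reads.
# Control channel: port 21. Passive data: the chosen range. Replies to any
# accepted connection match the ESTABLISHED,RELATED rule; with the FTP
# conntrack helper loaded, RELATED also covers the data connection the helper
# learns from the PASV/PORT exchange on port 21, which is what the original
# ruleset was missing.
ftp_ruleset() {
    min="$1"; max="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport ${min}:${max} -j ACCEPT
COMMIT
EOF
}

# vsftpd.conf lines that pin the passive range to exactly what the firewall opens.
vsftpd_pasv_conf() {
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# Return 0 when /etc/sysconfig/iptables-config (path given as $1) lists the
# FTP helper for loading at firewall start, the fix reported in the thread.
conntrack_helper_configured() {
    grep -Eq '^IPTABLES_MODULES=.*ip_conntrack_ftp' "$1"
}

# Sanity-check the range before using it: unprivileged, ordered, in bounds.
valid_pasv_range() {
    [ "$1" -gt 1023 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# Usage (as root):
#   valid_pasv_range "$PASV_MIN" "$PASV_MAX" || exit 1
#   ftp_ruleset "$PASV_MIN" "$PASV_MAX" | iptables-restore
#   vsftpd_pasv_conf "$PASV_MIN" "$PASV_MAX" >> /etc/vsftpd/vsftpd.conf
#   conntrack_helper_configured /etc/sysconfig/iptables-config || echo 'add IPTABLES_MODULES="ip_conntrack_ftp"'
```

The ESTABLISHED,RELATED rule is the part most often forgotten: without it even the port 21 session breaks after the handshake. On current kernels the helper module is named nf_conntrack_ftp, and automatic helper assignment is disabled by default, so the helper must be attached explicitly with a `-j CT --helper ftp` rule in the raw table for RELATED to match the data connection.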
13th January 2011, 03:16 AM
If you want to allow a certain range for ftp to work with iptables rules, this is what you need.
Plus, don't forget to use chcon to set the SELinux context.
-A RH-Firewall-1-INPUT -s 199.x.xxx.0/255.255.240.0 -d 199.2.x.xx -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT
If you open up vsftp to the world, you will have bot(s) running against your server or a constant IP polling it.
I would fix vsftp (user_list) to only allow the user(s) with accounts, and you will have to add a line in vsftpd.conf:
anonymous_enable=NO (by default vsftpd allows anonymous access)
(fix the logging) with compression
some other stuff, like fix it to time out if facing the public web.
It is always best to deny then allow.
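A small audit of a vsftpd.conf against the points in the reply above (anonymous access off, user_list used as an allow-list, idle timeouts, transfer logging). This is an added example, not code from the thread or the vsftpd project. The option names (anonymous_enable, userlist_enable, userlist_deny, userlist_file, idle_session_timeout, data_connection_timeout, xferlog_enable, xferlog_std_format) are vsftpd's own; the sample config and the 600-second timeout threshold are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): audit a vsftpd.conf for the hardening
# points raised above. Option names are vsftpd's own; the threshold and the
# sample config are constructed for this demonstration.

# Print the value of a vsftpd.conf key, ignoring comments and leading blanks.
# If a key is repeated, the last occurrence wins here (an assumption of this
# script, not a statement about vsftpd's parser).
# Usage: vsftpd_get <file> <key>
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Audit a config file: print one line per finding and return the number of
# findings, so 0 means every check passed.
vsftpd_audit() {
    f="$1"; n=0
    [ "$(vsftpd_get "$f" anonymous_enable)" = "NO" ] \
        || { echo "anonymous_enable should be NO (vsftpd's default is YES)"; n=$((n+1)); }
    # Allow-list mode: userlist_enable=YES together with userlist_deny=NO means
    # only the names in userlist_file may log in; everyone else is refused
    # before a password is even asked for.
    [ "$(vsftpd_get "$f" userlist_enable)" = "YES" ] \
        || { echo "userlist_enable should be YES"; n=$((n+1)); }
    [ "$(vsftpd_get "$f" userlist_deny)" = "NO" ] \
        || { echo "userlist_deny should be NO so user_list is an allow-list"; n=$((n+1)); }
    t="$(vsftpd_get "$f" idle_session_timeout)"
    { [ -n "$t" ] && [ "$t" -le 600 ]; } 2>/dev/null \
        || { echo "idle_session_timeout should be set to at most 600 seconds"; n=$((n+1)); }
    [ "$(vsftpd_get "$f" xferlog_enable)" = "YES" ] \
        || { echo "xferlog_enable should be YES so transfers are logged"; n=$((n+1)); }
    return "$n"
}

# A constructed config that passes the audit; userlist_file is vsftpd's
# default location on Fedora.
sample_hardened_conf() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
idle_session_timeout=300
data_connection_timeout=120
xferlog_enable=YES
xferlog_std_format=YES
EOF
}

# Usage: vsftpd_audit /etc/vsftpd/vsftpd.conf; echo "findings: $?"
```

Run it against the live file after editing; a non-zero exit count is the list of settings still at the permissive default, which matches the "deny then allow" advice above.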