
[SOLVED] ftp and iptables


Obould
10th December 2010, 12:43 PM
Hello,

I installed vsftpd on a Fedora 14 box.
In the IPTABLES I allowed port 20 and 21


-A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT


When iptables is running I cannot get the mapping list in my ftp client, so I can't connect. When I disable iptables everything works fine.
So I guess my iptables configuration is not complete. However I have no idea what is missing. :confused:

Any help would be appreciated.

Best regards,
Obould.

William Haller
10th December 2010, 03:37 PM
Established rules would also be needed. You would also need connection tracking, I suspect. I'd suggest you look at using passive ftp only. Active ftp is a pain with a firewall. Google for iptables ftp passive. There are many examples of iptables rules to follow.

With passive, you tell your FTP server a range of ports you want it to use, and then open them like you open 21. 20 is outbound with active FTP, so input is not relevant. With passive FTP, the data connection is initiated by the remote client at a port specified by your FTP server from the range you've opened.

Obould
14th December 2010, 02:31 PM

Hi,

I solved this by adding the ip_conntrack_ftp module on boot.
Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file:

IPTABLES_MODULES="ip_conntrack_ftp"
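The passive-FTP rule set William Haller describes above, combined with the conntrack helper used in the solution, as an added example that is not from this thread: a POSIX shell script that reads pasv_min_port/pasv_max_port from a vsftpd.conf and prints the matching INPUT rules, so the firewall range and the server range cannot drift apart. The config file is a constructed sample; nothing is applied to the live firewall.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables rules for a passive-only
# vsftpd; the passive range is taken from the vsftpd.conf given as $1.

# Read one key=value setting from a vsftpd.conf, ignoring comment lines.
vsftpd_setting() {            # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print INPUT rules for the control port and the passive data range.
# Returns 1 when the passive range is missing, inverted or out of bounds.
ftp_rules() {                 # $1 = config file
    min=$(vsftpd_setting "$1" pasv_min_port)
    max=$(vsftpd_setting "$1" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -ge 1024 ] && [ "$min" -le "$max" ] && [ "$max" -le 65535 ] || return 1
    # With ip_conntrack_ftp/nf_conntrack_ftp loaded, the helper reads the
    # PASV reply and marks the data connection RELATED, so this rule admits it.
    echo "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Control connection, same shape as the port 21 rule in the first post.
    echo "-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT"
    # Explicit passive range: keeps passive FTP working even when the
    # conntrack helper is not loaded. Active FTP (port 20 outbound) needs none.
    echo "-A INPUT -m state --state NEW -p tcp --dport $min:$max -j ACCEPT"
}

# Constructed sample vsftpd.conf (hypothetical values, not a real server).
DEMO_CONF=$(mktemp)
cat > "$DEMO_CONF" <<'EOF'
anonymous_enable=NO
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF
ftp_rules "$DEMO_CONF"
```

Load the printed rules with iptables-restore (or add them to /etc/sysconfig/iptables) and keep IPTABLES_MODULES="ip_conntrack_ftp" as in the solution; the script only checks the range and prints, it does not change the running firewall.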

fed05
13th January 2011, 03:16 AM
If you want to allow a certain range for ftp to work with iptables rules this is what you need.
Plus, don't forget to use chcon to set the SELinux context.

-A RH-Firewall-1-INPUT -s 199.x.xxx.0/255.255.240.0 -d 199.2.x.xx -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW -j ACCEPT

If you open up vsftp to the world, you will have bot(s) running against your server or a constant IP polling it.

I would fix vsftp (user_list) only to allow the user(s) with accounts and you will have to add a line in vsftpd.conf
BIGGIE
anonymous_enable=NO (by default vsftpd allows anonymous access)


chroot_local_user=YES
banner_file=/etc/vsftpd/ftp.msg
idle_session_timeout=600
data_connection_timeout=120

pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES

/etc/logrotate.d/vsftpd
xferlog_file=/var/log/xfer.log
(fix the logging) with compression

Some other stuff, like fixing it to time out if facing the public web.

It is always best to deny then allow.

:)