FedoraForum.org

FedoraForum.org (http://forums.fedoraforum.org/index.php)
-   Security and Privacy (http://forums.fedoraforum.org/forumdisplay.php?f=44)
-   -   what's different between edit iptables and system-config-firewall (http://forums.fedoraforum.org/showthread.php?t=276904)

Mainsun 26th February 2012 03:37 AM

what's different between edit iptables and system-config-firewall
 
I am going to open port 21 for my anonymous ftp in vsftpd.
I use default setting for anonymous to connect /var/ftp/pub in vsftpd.conf and start vsftpd successfully.
I try to edit /etc/sysconfig/iptables and append a line

-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

to open port 21 for ftp.
I use filezilla to test from my win7, it can connect "passive mode" to my fedora but fail with errors:

Error: Connection timed out
Error: Failed to retrieve directory listing

To solve it, I have to use system-config-firewall to open port 21. I have checked the iptables file, which is the same as my previous version.
But filezilla successfully logs in.
So I would like to know what the difference is between editing iptables manually and using system-config-firewall to open port(s)?

birdwatcher 28th February 2012 06:12 PM

Re: what's different between edit iptables and system-config-firewall
 
Did you type something like this as root:
Quote:

service iptables restart
If I remember correctly, the manual editing won't take effect until you reboot the computer (unless iptables is restarted). And that could be a reason for no effect taking place (or your rule is just wrong, or some other rule was blocking the connection).

RHamel 28th February 2012 06:49 PM

Re: what's different between edit iptables and system-config-firewall
 
I don't think that is the case. The problem is about the order of the rules. In other words your rule comes after the reject catch all rule when you are issuing your iptables rule. If you change the -A to -I it should make a difference.

SteveGYBE 28th February 2012 06:59 PM

Re: what's different between edit iptables and system-config-firewall
 
What went wrong when you manually edited the iptables is you forgot FTP's data port (20/TCP). Port 21 is the control channel, which allows you to connect to an FTP server and issue commands. However, when you issue a LIST command for example the directory listing is sent back via the data channel for which you hadn't set up a rule, hence the error.

If you run "iptables-save" as root when things are working, you will see the iptables configuration required.

TheNom 28th February 2012 07:27 PM

If you do 'iptables -L' after your manual entry, it will tell you the input rules and in which order. You want the block all last.

RHamel 28th February 2012 09:11 PM

Re: what's different between edit iptables and system-config-firewall
 
I don't think you need a rule for port 20. I note that the GUI firewall does not create that rule.

beaker_ 28th February 2012 09:25 PM

Re: what's different between edit iptables and system-config-firewall
 
Not only ports 20 & 21 but I believe ftp will use higher ports (1024 rings a bell but it's been a while) depending if configured for active/passive connections.

Mainsun 29th February 2012 03:03 PM

Re: what's different between edit iptables and system-config-firewall
 
Thx for replying.
I have restarted the service after I edited iptables.
The main point is ...

edit manually
Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

service iptables restart --> ok
test by filezilla --> fail
use system-config-firewall to enable 21
The iptables file is the same
test by filezilla --> ok

RHamel 29th February 2012 06:55 PM

Re: what's different between edit iptables and system-config-firewall
 
try running as root:
Code:

# iptables-restore

Mainsun 2nd March 2012 02:11 PM

Re: what's different between edit iptables and system-config-firewall
 
I don't think iptables-restore will work.
I just follow system-config-firewall... it does the job well.

TonyThePony 26th April 2012 09:58 PM

Re: what's different between edit iptables and system-config-firewall
 
Hey Mainsun!

I've noticed the exact same problem! Can't stay long, just registered to confirm I've seen the same bizarre behaviour in Scientific Linux 6 (binary compatible with RHEL 6).

What's even weirder is the following:

I configure iptables from the command line with the following:

iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT

It *should* work, but I receive the same error as you.

Restarting iptables doesn't fix anything (it should work without a restart anyway).

So I backup /etc/sysconfig/iptables to /etc/sysconfig/iptables.bak

Then I run system-config-firewall and open port 21, all works fine

Then I move /etc/sysconfig/iptables.bak back to /etc/sysconfig/iptables and restart

So I'm using my original config again and it's working!!! It wasn't previously.

Stumped.....

TonyThePony 26th May 2012 12:54 PM

Re: what's different between edit iptables and system-config-firewall
 
Just in case anyone stumbles across this ..

The nf_conntrack_ftp module needs to be loaded. That's why FTP failed with manual configuration. Configuring through system-config-firewall-tui enables this module, but the contents of the iptables chain will look the same.

To use the module, edit the file /etc/sysconfig/iptables-config and add the following entry:

IPTABLES_MODULES="nf_conntrack_ftp"

Restart iptables and there should be no problems.
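An added check, not from the thread, that audits a saved ruleset together with iptables-config for the condition TonyThePony describes: 21/tcp opened, but no FTP helper to mark the data connection RELATED. The function name is my own, and constructed sample files stand in for the real /etc/sysconfig paths.

```shell
#!/bin/sh
# Added example (not from the thread): audit an iptables-save style ruleset
# together with /etc/sysconfig/iptables-config for the FTP helper problem
# described above. File paths are parameters so it runs on constructed
# sample files instead of the live system.

# ftp_helper_audit RULES_FILE MODULES_CONFIG
# Returns 0 if 21/tcp is open and nf_conntrack_ftp is configured,
# 1 if 21/tcp is open but the data channel cannot be tracked,
# 2 if 21/tcp is not opened at all.
ftp_helper_audit() {
    rules=$1 modcfg=$2
    # Is there an INPUT rule accepting TCP to port 21 (the control channel)?
    if ! grep -Eq -- '-A INPUT .*-p tcp .*--dport 21 .*-j ACCEPT' "$rules"; then
        echo "ftp: 21/tcp not opened in $rules"; return 2
    fi
    # Passive data connections are only let in by a RELATED match, and RELATED
    # is only assigned when the FTP helper has parsed the PASV/PORT reply.
    if ! grep -Eq -- '--state [A-Z,]*RELATED' "$rules"; then
        echo "ftp: no ESTABLISHED,RELATED rule in $rules"; return 1
    fi
    # Take the last IPTABLES_MODULES="..." assignment, dropping the quotes.
    mods=$(sed -n 's/^IPTABLES_MODULES="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$modcfg" | tail -n 1)
    case " $mods " in
        *" nf_conntrack_ftp "*) echo "ftp: 21/tcp open, helper configured"; return 0 ;;
        *) echo "ftp: 21/tcp open but nf_conntrack_ftp missing in $modcfg"; return 1 ;;
    esac
}

# Constructed samples: the relevant lines of the ruleset posted above, plus a
# default (empty) and a fixed iptables-config.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_RULES=$SAMPLE_DIR/iptables
cat >"$SAMPLE_RULES" <<'EOF'
*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
SAMPLE_CFG_BAD=$SAMPLE_DIR/iptables-config.bad
printf 'IPTABLES_MODULES=""\n' >"$SAMPLE_CFG_BAD"
SAMPLE_CFG_GOOD=$SAMPLE_DIR/iptables-config.good
printf 'IPTABLES_MODULES="nf_conntrack_ftp"\n' >"$SAMPLE_CFG_GOOD"

ftp_helper_audit "$SAMPLE_RULES" "$SAMPLE_CFG_BAD"    # exit status 1
ftp_helper_audit "$SAMPLE_RULES" "$SAMPLE_CFG_GOOD"   # exit status 0
```

On a live RHEL 6 style host you would point it at /etc/sysconfig/iptables and /etc/sysconfig/iptables-config; lsmod still decides whether the helper is actually loaded right now.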

stevea 27th May 2012 09:38 PM

Re: what's different between edit iptables and system-config-firewall
 
Not much. The iptables service merely loads up an iptables config, created by system-config-firewall. The file is the same format as 'iptables-save' produces and is located in /etc/sysconfig/iptables*.

If the editing possible in system-config-firewall is not sufficiently flexible, then create the proper config and save it under sysconfig.

