what's different between edit iptables and system-config-firewall
I am going to open port 21 for my anonymous FTP in vsftpd.
I use the default setting for anonymous to connect to /var/ftp/pub in vsftpd.conf and start vsftpd successfully. I try to edit /etc/sysconfig/iptables and append a line
Code:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
to open port 21 for FTP. I use FileZilla to test from my Win7; it can connect in "passive mode" to my Fedora but fails with errors:
Quote:
Error: Connection timed out
Error: Failed to retrieve directory listing
To solve it, I have to use system-config-firewall to open port 21. I have checked the iptables, which is the same as my previous version, but FileZilla successfully logs in. So I would like to know what the difference is between editing iptables manually and using system-config-firewall to open port(s)?
Re: what's different between edit iptables and system-config-firewall
Did you type something like this when root:
Quote:
Re: what's different between edit iptables and system-config-firewall
I don't think that is the case. The problem is about the order of the rules. In other words, your rule comes after the reject catch-all rule when you are issuing your iptables rule. If you change the -A to -I it should make a difference.
Re: what's different between edit iptables and system-config-firewall
What went wrong when you manually edited the iptables is that you forgot FTP's data port (20/TCP). Port 21 is the control channel, which allows you to connect to an FTP server and issue commands. However, when you issue a LIST command, for example, the directory listing is sent back via the data channel, for which you hadn't set up a rule, hence the error.
If you run "iptables-save" as root when things are working, you will see the iptables configuration required.
If you do 'iptables -L' after your manual entry, it will tell you the input rules and in which order. You want the block-all last.
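The rule-order point made in the replies above, as an added example (not code from the thread or from any of its posters): a POSIX shell script that reads an iptables-save dump, reports whether the ACCEPT for a given port sits before or after the chain's catch-all REJECT/DROP, and emits a corrected dump with the rule moved in front of the catch-all. The dump embedded in `sample_dump` is constructed for this example to mirror what appending with `-A` does to the Fedora/RHEL default ruleset; the function names `accept_before_catchall` and `fix_rule_order` are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find an ACCEPT rule that was appended
# (-A) behind the chain's catch-all REJECT/DROP, where it is never reached,
# and move it in front of the catch-all. Works on iptables-save output.

# Constructed dump mimicking /etc/sysconfig/iptables after the port-21 rule
# was appended with -A: it lands behind "-A INPUT -j REJECT".
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

# accept_before_catchall DUMP CHAIN PORT
# Exit 0 if the ACCEPT for --dport PORT precedes the chain's catch-all (a rule
# whose only action is -j REJECT or -j DROP), 1 if it comes after it (never
# reached), 2 if there is no ACCEPT for that port in the chain at all.
accept_before_catchall() {
    awk -v chain="$2" -v port="$3" '
        $1 == "-A" && $2 == chain {
            n++
            if (!accept && $0 ~ ("--dport " port " -j ACCEPT")) accept = n
            if (!catchall && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) catchall = n
        }
        END {
            if (!accept) { print "no ACCEPT for port " port " in " chain; exit 2 }
            if (catchall && accept > catchall) {
                print "ACCEPT for port " port " is rule " accept " of " chain ", after the catch-all at rule " catchall ": never reached"
                exit 1
            }
            print "ACCEPT for port " port " is rule " accept " of " chain ", before the catch-all"
        }' "$1"
}

# fix_rule_order DUMP PORT
# Print DUMP with the INPUT ACCEPT for --dport PORT moved to just before the
# INPUT catch-all, i.e. where -I or system-config-firewall would have put it.
fix_rule_order() {
    awk -v port="$2" '
        { lines[NR] = $0 }
        $1 == "-A" && $2 == "INPUT" && !rule && $0 ~ ("--dport " port " -j ACCEPT") { rule = NR }
        $1 == "-A" && $2 == "INPUT" && !catchall && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { catchall = NR }
        END {
            if (!catchall) rule = 0        # no catch-all to move in front of: leave the dump alone
            for (i = 1; i <= NR; i++) {
                if (i == rule) continue
                if (i == catchall && rule) print lines[rule]
                print lines[i]
            }
        }' "$1"
}

# Stand-alone run: report on the constructed dump, then print the corrected file.
dump=$(mktemp)
sample_dump > "$dump"
accept_before_catchall "$dump" INPUT 21 || fix_rule_order "$dump" 21
rm -f "$dump"
```

On a live box you would feed it `iptables-save` output (`iptables-save > /tmp/dump; sh check.sh`) rather than the constructed sample, and write the corrected output back to /etc/sysconfig/iptables before `service iptables restart`. Note that later posts in this thread found a second cause on the same setup (the FTP conntrack helper), so correct ordering is necessary but, for FTP, not sufficient on its own.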
Re: what's different between edit iptables and system-config-firewall
I don't think you need a rule for port 20. I note that the GUI firewall does not create that rule.
Re: what's different between edit iptables and system-config-firewall
Not only ports 20 & 21, but I believe FTP will use higher ports (1024 rings a bell, but it's been a while) depending on whether it is configured for active/passive connections.
Re: what's different between edit iptables and system-config-firewall
Thanks for replying.
I have restarted the service after I edited iptables. The main point is:
edit manually
Code:
*filter
test by FileZilla --> fail
use system-config-firewall to enable 21; the iptables is the same
test by FileZilla -> ok
Re: what's different between edit iptables and system-config-firewall
try running as root:
Code:
# iptables-restore
Re: what's different between edit iptables and system-config-firewall
I don't think iptables-restore will work.
I just follow system-config-firewall... it'll do the job well.
Re: what's different between edit iptables and system-config-firewall
Hey Mainsun!
I've noticed the exact same problem! Can't stay long, just registered to confirm I've seen the same bizarre behaviour in Scientific Linux 6 (binary compatible with RHEL 6). What's even weirder is the following.
I configure iptables from the command line with the following:
Code:
iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT
It *should* work, but I receive the same error as you. Restarting iptables doesn't fix anything (should work without restart anyway).
So I back up /etc/sysconfig/iptables to /etc/sysconfig/iptables.bak. Then I run system-config-firewall and open port 21; all works fine. Then I move /etc/sysconfig/iptables.bak back to /etc/sysconfig/iptables and restart. So I'm using my original config again and it's working!!! Wasn't previously. Stumped.....
Re: what's different between edit iptables and system-config-firewall
Just in case anyone stumbles across this ..
The nf_conntrack_ftp module needs to be loaded. That's why FTP failed with manual configuration. Configuring through system-config-firewall-tui enables this module, but the contents of the iptables chain will look the same. To use the module, edit the file /etc/sysconfig/iptables-config and add the following entry:
Code:
IPTABLES_MODULES="nf_conntrack_ftp"
Restart iptables and there should be no problems.
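The fix in the post above, as an added example (not code from the thread or from the iptables/system-config-firewall projects): a POSIX shell script that adds `nf_conntrack_ftp` to `IPTABLES_MODULES` in an iptables-config file without clobbering modules or other settings already there, and writes the matching iptables-save-format ruleset. The function names (`add_iptables_module`, `iptables_modules`, `ftp_ruleset`, `install_ftp_firewall`) and the directory parameter are this example's own; the ruleset is the RHEL 6 default layout with port 21 added, which is what the thread reports system-config-firewall produces.

```shell
#!/bin/sh
# Added example (not from the thread): do by script what system-config-firewall
# does for FTP. The iptables chain itself only opens 21/tcp; the FTP data
# connections (active port 20 or the passive range) are matched by the
# RELATED state once the nf_conntrack_ftp helper is loaded, and the iptables
# init script loads whatever IPTABLES_MODULES lists in iptables-config.

# iptables_modules FILE
# Print the value of IPTABLES_MODULES from an iptables-config file (nothing if unset).
iptables_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1"
}

# add_iptables_module FILE MODULE
# Add MODULE to IPTABLES_MODULES in FILE, keeping any modules already listed
# and every other line of the file; no change if MODULE is already present.
add_iptables_module() {
    file=$1 mod=$2
    if grep -q '^IPTABLES_MODULES=' "$file"; then
        awk -v mod="$mod" '
            /^IPTABLES_MODULES=/ {
                val = $0
                sub(/^IPTABLES_MODULES=/, "", val)
                gsub(/"/, "", val)
                n = split(val, mods, " ")
                found = 0
                for (i = 1; i <= n; i++) if (mods[i] == mod) found = 1
                if (!found) val = (val == "") ? mod : val " " mod
                print "IPTABLES_MODULES=\"" val "\""
                next
            }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$mod" >> "$file"
    fi
}

# ftp_ruleset
# The rule file in iptables-save format: RELATED,ESTABLISHED first, 21/tcp
# opened for NEW connections, catch-all REJECT last. No port 20 and no
# passive range: with the helper loaded those connections are RELATED.
ftp_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# install_ftp_firewall [DIR]
# Write both files under DIR (default /etc/sysconfig, the path the thread uses).
# Afterwards `service iptables restart` loads the rules and modprobes the helper.
install_ftp_firewall() {
    dir=${1:-/etc/sysconfig}
    ftp_ruleset > "$dir/iptables"
    [ -f "$dir/iptables-config" ] || : > "$dir/iptables-config"
    add_iptables_module "$dir/iptables-config" nf_conntrack_ftp
}

# Only touch the real system when explicitly asked: `sh ftp-firewall.sh install`
if [ "${1:-}" = install ]; then
    install_ftp_firewall "${2:-/etc/sysconfig}"
fi
```

After the restart, `lsmod | grep nf_conntrack_ftp` should list the helper and a passive-mode LIST from FileZilla should succeed with no port 20 or high-port rule present. Two caveats a practitioner should keep in mind: the helper works by reading the PORT/PASV exchange on the cleartext control channel, so if vsftpd is switched to FTPS (TLS on port 21) the helper is blind and the passive range (vsftpd's pasv_min_port..pasv_max_port) has to be opened explicitly; and on kernels newer than the RHEL 6 one in this thread (4.7 and later) automatic helper assignment is disabled by default, so loading the module is not enough and the control connection must be bound to the helper with a rule such as `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.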
Re: what's different between edit iptables and system-config-firewall
Not much. The iptables service merely loads up an iptables config, created by system-config-firewall. The file is the same format as 'iptables-save' produces and is located in /etc/sysconfig/iptables*.
If the editing possible in system-config-firewall is not sufficiently flexible, then create the proper config and save it under sysconfig.