what's different between edit iptables and system-config-firewall

Mainsun · #1 26th February 2012, 03:37 AM

I am going to open port 21 for my anonymous ftp in vsftpd.
I use default setting for anonymous to connect /var/ftp/pub in vsftpd.conf and start vsftpd successfully.
I try to edit /etc/sysconfig/iptables and append a line

-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
to open port 21 for ftp.
I use filezilla to test from my win7, it can connect "passive mode" to my fedora but fail with errors:

Error: Connection timed out
Error: Failed to retrieve directory listing

To solve it, i have to use system-config-firewall to open port 21, I have checked the iptables which is same as my prevous version.
But filezilla successfully login.
So I would like konw what is the different between edit iptables manually and use system-config-firewall to open port(s)?

#2 28th February 2012, 06:12 PM

Did you type something like this when root:

Quote:

service iptables restart

If I remember correct the manual editing wont take effect until you reboot the computer (unless iptables is restarted). And that could be a reason for no effect taking place (or your rule is just wrong/ or some other rule was blocking the connection).

RHamel · #3 28th February 2012, 06:49 PM

I don't think that is the case. The problem is about the order of the rules. In other words your rule comes after the reject catch all rule when you are issuing your iptables rule. If you change the -A to -I it should make a difference.

SteveGYBE · #4 28th February 2012, 06:59 PM

What went wrong when you manually edited the iptables is you forgot FTP's data port (20/TCP). Port 21 is the control channel, which allows you to connect to an FTP server and issue commands. However, when you issue a LIST command for example the directory listing is sent back via the data channel for which you hadn't set up a rule, hence the error.

If you run "iptables-save" as root when things are working, you will see the iptables configuration required.

TheNom · #5 28th February 2012, 07:27 PM

If you do 'iptables -L' after your manual entry, it will tell you the input rules and in which order. You want the block all last.

RHamel · #6 28th February 2012, 09:11 PM

I don't think you need a rule for port 20. I note that the GUI firewall does not create that rule.

beaker_ · #7 28th February 2012, 09:25 PM

Not only ports 20 & 21 but I believe ftp will use higher ports (1024 rings a bell but it's been a while) depending if configured for active/passive connections.

Mainsun · #8 29th February 2012, 03:03 PM

Thx for replying.
I have restarted the service after I have edit iptables.
The main point is ...

edit manually

Code:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUPUT ACCEPT[0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

service iptables restart --> ok
test by filezilla --> fail
use system-config-firewall enable 21
The iptables is the same
test by filezilla -> ok

RHamel · #9 29th February 2012, 06:55 PM

try running as root:

Code:

# iptables-restore

Mainsun · #10 2nd March 2012, 02:11 PM

i don't think iptables-restore will work.
I just fellow system-config-firewall... it'll the job well.

TonyThePony · #11 26th April 2012, 09:58 PM

Hey Mainsun!

I've noticed the exact same problem! Can't stay long, just registered to confirm I've seen the same bizarre behaviour in Scientific Linux 6 (binary compatible with RHEL 6)..

Whats even weirder is the following....

I configure iptables from the command line with the following :

iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT

It *should* work, but I receive the same error as you.

Restarting iptables doesnt fix anything (should work without restart anyway)

So I backup /etc/sysconfig/iptables to /etc/sysconfig/iptables.bak

Then I run system-config-firewall and open port 21, all works fine

Then I move /etc/sysconfig/iptables.bak back to /etc/sysconfig/iptables and restart

So I'm using my original config again and its working!!! Wasn't previously.

Stumped.....

TonyThePony · #12 26th May 2012, 12:54 PM

Just in case anyone stumbles across this ..

The nf_conntrack_ftp module needs to be loaded. Thats why FTP failed with manual configuration. Configuring through system-config-firewall-tui enables this module, but the contents of the iptables chain will look the same.

To use the module, edit the file /etc/sysconfig/iptables-config and add the following entry :

IPTABLES_MODULES="nf_conntrack_ftp"

Restart iptables and there should be no problems

stevea · #13 27th May 2012, 09:38 PM

Not much. The iptables service merely loads up an iptables config, created by system-config-firewall. The file is the same format as 'iptables-save' produces and is located in /etc/sysconfig/iptables*.

If the editing possible in system-config-firewall is not sufficiently flexible, then create the proper config and save in under sysconfig.