Fedora Linux Support Community & Resources Center

  #1  
Old 26th February 2012, 04:37 AM
Mainsun Offline
Registered User
 
Join Date: Feb 2012
Location: Hong Kong
Posts: 26
what's different between edit iptables and system-config-firewall

I am going to open port 21 for my anonymous FTP in vsftpd.
I use the default setting for anonymous users to connect to /var/ftp/pub in vsftpd.conf and start vsftpd successfully.
I try to edit /etc/sysconfig/iptables and append a line

-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

to open port 21 for FTP.
I use FileZilla to test from my Win7 machine; it can connect in "passive mode" to my Fedora box but fails with errors:

Error: Connection timed out
Error: Failed to retrieve directory listing

To solve it, I have to use system-config-firewall to open port 21. I have checked the iptables file, which is the same as my previous version.
But FileZilla logs in successfully.
So I would like to know what the difference is between editing iptables manually and using system-config-firewall to open port(s)?
  #2  
Old 28th February 2012, 07:12 PM
birdwatcher
Guest
 
Posts: n/a
Re: what's different between edit iptables and system-config-firewall

Did you type something like this as root:
Quote:
service iptables restart
If I remember correctly, the manual editing won't take effect until you reboot the computer (unless iptables is restarted). And that could be a reason for no effect taking place (or your rule is just wrong, or some other rule was blocking the connection).
  #3  
Old 28th February 2012, 07:49 PM
RHamel Offline
Registered User
 
Join Date: Sep 2004
Location: Denver, Colorado
Posts: 560
Re: what's different between edit iptables and system-config-firewall

I don't think that is the case. The problem is about the order of the rules. In other words, your rule comes after the reject catch-all rule when you are issuing your iptables rule. If you change the -A to -I it should make a difference.
  #4  
Old 28th February 2012, 07:59 PM
SteveGYBE Offline
Registered User
 
Join Date: Jun 2007
Location: Lytham St Annes, Lancashire, UK
Posts: 338
Re: what's different between edit iptables and system-config-firewall

What went wrong when you manually edited the iptables file is that you forgot FTP's data port (20/TCP). Port 21 is the control channel, which allows you to connect to an FTP server and issue commands. However, when you issue a LIST command, for example, the directory listing is sent back via the data channel, for which you hadn't set up a rule, hence the error.

If you run "iptables-save" as root when things are working, you will see the iptables configuration required.
  #5  
Old 28th February 2012, 08:27 PM
TheNom Online
Registered User
 
Join Date: Jun 2011
Location: UK
Posts: 57
If you do 'iptables -L' after your manual entry, it will list the INPUT rules and their order. You want the block-all rule last.
  #6  
Old 28th February 2012, 10:11 PM
RHamel Offline
Registered User
 
Join Date: Sep 2004
Location: Denver, Colorado
Posts: 560
Re: what's different between edit iptables and system-config-firewall

I don't think you need a rule for port 20. I note that the GUI firewall does not create that rule.
  #7  
Old 28th February 2012, 10:25 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,425
Re: what's different between edit iptables and system-config-firewall

Not only ports 20 & 21, but I believe FTP will use higher ports (1024 rings a bell, but it's been a while) depending on whether it is configured for active or passive connections.
  #8  
Old 29th February 2012, 04:03 PM
Mainsun Offline
Registered User
 
Join Date: Feb 2012
Location: Hong Kong
Posts: 26
Re: what's different between edit iptables and system-config-firewall

Thanks for replying.
I restarted the service after I edited iptables.
The main point is ...

edit manually
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
service iptables restart --> ok
test by FileZilla --> fail
use system-config-firewall to enable 21
The iptables file is the same
test by FileZilla --> ok
  #9  
Old 29th February 2012, 07:55 PM
RHamel Offline
Registered User
 
Join Date: Sep 2004
Location: Denver, Colorado
Posts: 560
Re: what's different between edit iptables and system-config-firewall

try running as root:
Code:
# iptables-restore
  #10  
Old 2nd March 2012, 03:11 PM
Mainsun Offline
Registered User
 
Join Date: Feb 2012
Location: Hong Kong
Posts: 26
Re: what's different between edit iptables and system-config-firewall

I don't think iptables-restore will work.
I'll just follow system-config-firewall... it'll do the job well.
  #11  
Old 26th April 2012, 09:58 PM
TonyThePony Offline
Registered User
 
Join Date: Apr 2012
Location: Dublin
Posts: 2
Re: what's different between edit iptables and system-config-firewall

Hey Mainsun!

I've noticed the exact same problem! Can't stay long, just registered to confirm I've seen the same bizarre behaviour in Scientific Linux 6 (binary compatible with RHEL 6).

What's even weirder is the following....

I configure iptables from the command line with the following:

iptables -I INPUT 5 -p tcp -m tcp --dport 21 -j ACCEPT

It *should* work, but I receive the same error as you.

Restarting iptables doesn't fix anything (should work without a restart anyway).

So I back up /etc/sysconfig/iptables to /etc/sysconfig/iptables.bak

Then I run system-config-firewall and open port 21; all works fine.

Then I move /etc/sysconfig/iptables.bak back to /etc/sysconfig/iptables and restart.

So I'm using my original config again and it's working!!! Wasn't previously.

Stumped.....

Last edited by TonyThePony; 26th April 2012 at 10:01 PM. Reason: Typo
  #12  
Old 26th May 2012, 12:54 PM
TonyThePony Offline
Registered User
 
Join Date: Apr 2012
Location: Dublin
Posts: 2
Re: what's different between edit iptables and system-config-firewall

Just in case anyone stumbles across this ..

The nf_conntrack_ftp module needs to be loaded. That's why FTP failed with manual configuration. Configuring through system-config-firewall-tui enables this module, but the contents of the iptables chain will look the same.

To use the module, edit the file /etc/sysconfig/iptables-config and add the following entry:

IPTABLES_MODULES="nf_conntrack_ftp"

Restart iptables and there should be no problems.
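Editor's added example (not code from any poster in this thread): a small Python checker that reads an iptables-save style ruleset and a /proc/modules listing and reports the three conditions the replies above identify as necessary for passive FTP through a stateful INPUT chain: the port 21 ACCEPT must precede the catch-all REJECT (post #3), the ESTABLISHED,RELATED rule must be present so the data connection is admitted (posts #4 and #7), and the nf_conntrack_ftp helper must actually be loaded even though the chain looks identical without it (post #12). It also shows how to add the module to IPTABLES_MODULES in /etc/sysconfig/iptables-config without clobbering modules already listed there. All inputs are constructed samples embedded below; the /proc/modules fields other than the module name are illustrative, and the catch-all detection is a heuristic.

```python
"""Check a saved iptables ruleset for the FTP pitfalls discussed in the thread.
Added example; inputs below are constructed samples, not captured from a host."""
import re

# Constructed sample: the ruleset from post #8 (OUTPUT policy line corrected).
RULESET_MANUAL = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: the port 21 rule appended (-A) after the catch-all REJECT,
# which is what "iptables -A INPUT ..." on a live chain produces (post #3).
RULESET_MISORDERED = RULESET_MANUAL.replace(
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT\n", ""
).replace(
    "COMMIT\n",
    "-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT\nCOMMIT\n",
)

# Constructed /proc/modules excerpts; only the first field (module name) matters here.
PROC_MODULES_NO_HELPER = "nf_conntrack 79206 2 nf_conntrack_ipv4,xt_state, Live 0x0\n"
PROC_MODULES_WITH_HELPER = "nf_conntrack_ftp 18478 0 - Live 0x0\n" + PROC_MODULES_NO_HELPER


def parse_chains(ruleset_text):
    """Return {chain: [rule, ...]} honouring -A (append) and -I [pos] (insert)."""
    chains = {}
    for raw in ruleset_text.splitlines():
        m = re.match(r"^-(A|I)\s+(\S+)(?:\s+(\d+))?\s+(.*)$", raw.strip())
        if not m:
            continue  # *table, :policy and COMMIT lines carry no rule
        op, chain, pos, rule = m.groups()
        rules = chains.setdefault(chain, [])
        if op == "A":
            rules.append(rule)
        else:
            rules.insert(int(pos) - 1 if pos else 0, rule)
    return chains


def loaded_modules(proc_modules_text):
    """Set of module names from /proc/modules text (first field of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def _first_index(rules, predicate):
    return next((i for i, r in enumerate(rules) if predicate(r)), None)


def _is_catch_all_reject(rule):
    # Heuristic: REJECT/DROP with no port, address or interface match.
    return (re.search(r"-j (REJECT|DROP)\b", rule) is not None
            and not re.search(r"--dport|--sport|-s |-d |-i ", rule))


def check_ftp_ruleset(ruleset_text, proc_modules_text):
    """Findings for passive FTP (control on 21, data on a high port) through INPUT."""
    rules = parse_chains(ruleset_text).get("INPUT", [])
    i_reject = _first_index(rules, _is_catch_all_reject)
    i_ctrl = _first_index(
        rules, lambda r: re.search(r"-p tcp .*--dport 21(?!\d).*-j ACCEPT", r) is not None)
    i_related = _first_index(rules, lambda r: "RELATED" in r and "-j ACCEPT" in r)

    def before_reject(i):  # a rule only matters if it precedes the catch-all
        return i is not None and (i_reject is None or i < i_reject)

    findings = {
        "control_port_open": before_reject(i_ctrl),
        "related_accepted": before_reject(i_related),
        "ftp_helper_loaded": "nf_conntrack_ftp" in loaded_modules(proc_modules_text),
    }
    findings["passive_ftp_expected_to_work"] = all(findings.values())
    return findings


def ensure_ftp_helper(config_text, module="nf_conntrack_ftp"):
    """Return iptables-config text with `module` present in IPTABLES_MODULES."""
    out, found = [], False
    for line in config_text.splitlines():
        m = re.match(r'^\s*IPTABLES_MODULES="([^"]*)"\s*$', line)
        if m:
            found = True
            mods = m.group(1).split()
            if module not in mods:
                mods.append(module)
            out.append('IPTABLES_MODULES="%s"' % " ".join(mods))
        else:
            out.append(line)
    if not found:
        out.append('IPTABLES_MODULES="%s"' % module)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, rules, mods in (("manual, no helper", RULESET_MANUAL, PROC_MODULES_NO_HELPER),
                              ("manual, helper loaded", RULESET_MANUAL, PROC_MODULES_WITH_HELPER),
                              ("misordered", RULESET_MISORDERED, PROC_MODULES_WITH_HELPER)):
        print(name, check_ftp_ruleset(rules, mods))
    print(ensure_ftp_helper('IPTABLES_MODULES=""\n'), end="")
```

On a real host the two inputs would come from `iptables-save` and `cat /proc/modules`; the script deliberately takes text so it can be run against a saved copy before a restart.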
  #13  
Old 27th May 2012, 09:38 PM
stevea Offline
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 9,041
Re: what's different between edit iptables and system-config-firewall

Not much. The iptables service merely loads an iptables config created by system-config-firewall. The file is the same format as 'iptables-save' produces and is located in /etc/sysconfig/iptables*.

If the editing possible in system-config-firewall is not sufficiently flexible, then create the proper config and save it under sysconfig.
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe