allowing passive FTP from the outside

Robert Slade fedora at bathnetworks.com
Sat Apr 2 09:53:43 UTC 2005


On Sat, 2005-04-02 at 10:23, Justin Zygmont wrote:
> I have just run into a new problem with setting up an FTP server.  All I 
> am trying to do is allow FTP access to the server from the outside.  When
> I try to login, and type ls, it reports:
> 
> ftp: connect: no route to host
> 
> I know the problem is because of a nonexistent iptables rule; I'm just at a
> loss as to what the missing rules should look like.  The only thing 
> that is different in this case is that I need to use port 221 for FTP 
> instead of 21, and I don't see why this should require special routing. 
> ftp_conntrack modules are loaded.  This is the relevant part of my current 
> firewall script.
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [24:1341]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
> -A INPUT -i lo -j ACCEPT 
> -A INPUT -i eth1 -j ACCEPT 
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 221 -j ACCEPT 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT 
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT 
> -A INPUT -j REJECT --reject-with icmp-host-prohibited 
> COMMIT
> *nat
> :OUTPUT ACCEPT [1:72]
> -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT

Why are you using port 221? FTP uses 21 for both active and passive FTP.

Rob
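Added example (editor's code, not from either poster and not Fedora's): a script that builds, and with --apply installs, a ruleset for an FTP server whose control channel listens on 221 instead of 21. The port matters to connection tracking rather than to routing: the ftp conntrack helper only inspects control connections on the ports it was loaded with (the module's "ports=" parameter, default 21), so with the control channel on 221 it never sees the PASV reply, the client's data connection is never marked RELATED, it falls through to the final REJECT, and the ICMP host-prohibited that REJECT sends back is what the ftp client prints as "No route to host". The script assumes eth0 is the outside and eth1 the LAN, as in the quoted ruleset; the helper module is ip_conntrack_ftp on 2.6 kernels of that era and nf_conntrack_ftp on later ones, and both take the same "ports=" parameter. The PASV reply used in the parser is a constructed sample.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): firewall for an FTP
# server with its control channel on 221. Assumptions from the thread: eth0 is
# the outside interface, eth1 the LAN. Override with environment variables.
FTP_CTRL_PORT="${FTP_CTRL_PORT:-221}"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Parse a PASV reply the same way the ftp helper does in order to create its
# RELATED expectation: "227 ... (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2.
# Prints "host port"; returns 1 on a malformed reply. The data port is chosen
# by the server per session, which is why no static iptables rule can cover it.
pasv_data_endpoint() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$fields" ] || return 1
    set -- $(printf '%s' "$fields" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# Emit an iptables-restore ruleset with the control port parameterised: the
# thread's policy (RELATED/ESTABLISHED, loopback, LAN, ICMP, listed services,
# reject everything else, masquerade outbound). Telnet (23) from the quoted
# script is deliberately left out here: cleartext logins from the outside.
# Lines starting with '#' are ignored by iptables-restore.
ftp_ruleset() {
    ctrl=$1; lan=$2; wan=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# FTP control channel; the data channel is accepted as RELATED via the helper
-A INPUT -p tcp -m tcp --dport $ctrl -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,25,443,8080 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
}

# Helper module name: ip_conntrack_ftp on old 2.6 kernels, nf_conntrack_ftp later.
detect_ftp_helper_module() {
    if modinfo nf_conntrack_ftp >/dev/null 2>&1; then echo nf_conntrack_ftp
    else echo ip_conntrack_ftp; fi
}

# Install for real (root). The helper is reloaded because "ports=" is read only
# at load time. Kernels from 4.7 on no longer attach helpers automatically, so
# the raw-table CT rule binds the helper explicitly; on older kernels without
# the CT target that step is skipped and automatic assignment applies.
apply_ftp_firewall() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    mod=$(detect_ftp_helper_module)
    rmmod "$mod" 2>/dev/null
    modprobe "$mod" "ports=$FTP_CTRL_PORT" || return 1
    grep -q "$FTP_CTRL_PORT" "/sys/module/$mod/parameters/ports" 2>/dev/null ||
        echo "warning: $mod still loaded with its old ports=; unload it first" >&2
    ftp_ruleset "$FTP_CTRL_PORT" "$LAN_IF" "$WAN_IF" | iptables-restore || return 1
    iptables -t raw -A PREROUTING -p tcp --dport "$FTP_CTRL_PORT" -j CT --helper ftp 2>/dev/null ||
        echo "CT target unavailable; relying on automatic helper assignment" >&2
}

case "${1:-}" in
    --apply) apply_ftp_firewall ;;
    *)       ftp_ruleset "$FTP_CTRL_PORT" "$LAN_IF" "$WAN_IF" ;;  # dry run: print only
esac
```

Run without arguments to print the ruleset for review; run as root with --apply to load the helper for port 221 and install it. After a login, `cat /proc/net/ip_conntrack` (or `/proc/net/nf_conntrack`) should show the control connection with a helper entry and, after `ls`, the data connection as RELATED rather than a fresh NEW flow hitting the REJECT.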



