iptables firewall/ftp problem

JR jr at JohnRudnick.com
Fri Jun 4 15:32:22 UTC 2004


Steve, do something like this:

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

# Load the FTP connection-tracking helper.  It watches the PORT/PASV exchange
# on the control channel and marks the resulting data connections RELATED, so
# an "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule admits them without
# a port rule for every possible data port.
$MODPROBE -v ip_conntrack_ftp

# Allow new control connections to the local FTP server (port 21).
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW

# Allow new outbound connections to ports 21 and 20.
$IPTABLES -A OUTPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
$IPTABLES -A OUTPUT -p tcp -j ACCEPT --dport 20 -m state --state NEW


JR

--
John Rudnick | http://JohnRudnick.com | 847-541-2811

Ask Me About Top Notch Web Hosting & Programming!

RHCE# 808003122507415, MySQL# 206067847
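A fuller version of the stateful approach JR's reply relies on, added here as an example (it is not JR's or Steve's script): the helper module name, the INPUT/OUTPUT chains and the 192.168.1.0/24 network come from the thread; the run/ftp_helper_loaded/ftp_ruleset functions and the DRY_RUN and LAN variables are my own, and a default-DROP policy on both chains is assumed.

```shell
#!/bin/sh
# Added example, not JR's or Steve's script.  DRY_RUN=1 prints the commands
# instead of applying them, so the ruleset can be reviewed without root.
IPTABLES=${IPTABLES:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
LAN=${LAN:-192.168.1.0/24}     # internal network named in the original post

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Returns 0 when an FTP conntrack helper is loaded (ip_conntrack_ftp on the
# 2.4-era kernels of RHEL 3, nf_conntrack_ftp on later kernels).
ftp_helper_loaded() {
    [ -r /proc/modules ] && grep -Eq '^(ip|nf)_conntrack_ftp ' /proc/modules
}

# A port-only rule like Steve's "multiport dports ... ftp,ftp-data" cannot
# cover FTP data connections: in PASV mode the server picks a high port, in
# PORT mode the server connects out from port 20 to a high port on the client.
# The helper reads the PORT/PASV exchange and tags those connections RELATED;
# the ESTABLISHED,RELATED rules below are what actually admit them.
ftp_ruleset() {
    run "$MODPROBE" ip_conntrack_ftp
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New control connections to the local server, and anything from the LAN.
    run "$IPTABLES" -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A INPUT -s "$LAN" -m state --state NEW -j ACCEPT
    # New outbound control connections when this host is the FTP client.
    run "$IPTABLES" -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
}
```

Source the file and call `DRY_RUN=1 ftp_ruleset` to review the generated rules, or call `ftp_ruleset` as root to apply them and `ftp_helper_loaded` afterwards to confirm the helper is in place.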




-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Steve Buehler
Sent: Friday, June 04, 2004 10:22 AM
To: redhat-list at redhat.com
Subject: iptables firewall/ftp problem


I have been trying to learn how to use iptables for a firewall on RHEL 3.x and it seems pretty easy.  I have one problem though.  When it is set up on two systems, I can't ftp.  Here are the firewall rules, from an "iptables -L", that are identical on both machines that should allow ftp from anywhere and all ports open on the local network.  This is the first rule in the firewall tables.
ACCEPT     tcp  --  anywhere             anywhere           tcp multiport dports ssh,ftp,ftp-data,http,https,smtp,10000

Ftp will connect, but when I try to do an 'ls' in ftp or ncftp, I get:
NcFTP 3.1.7 (Jan 07, 2004) by Mike Gleason (http://www.NcFTP.com/contact/).
Connecting to 192.168.1.3...
(vsFTPd 1.2.1)
Logging in...
Login successful.
Logged in to 192.168.1.3.
ncftp /home/steve > ls
connect failed: No route to host.
Falling back to PORT instead of PASV mode.
Could not accept a data connection: Connection timed out.
List failed.

I have turned passive mode off and passive mode on and get pretty much the same results either way.  I can ftp to either server from another linux box that does NOT have an iptables firewall on it.  I have even tried opening both machines up so that anything coming from the internal network of 192.168.1/24 (and 192.168.1.0/24) will allow everything.  Still get the same results.  The only way that I seem to be able to get it to work at all is if I turn the firewall OFF altogether on at least one of the machines.  I know there is something that I must be missing.  Any help would be appreciated.

Thanks
Steve

