LinuxQuestions.org
Old 11-11-2005, 06:02 PM   #1
Thin
LQ Newbie
 
Registered: Jul 2004
Location: Southern England
Distribution: Mandriva / Gentoo / CentOS
Posts: 27

CentOS Opening port for FTP Server


Hi all

I've had a read around, and will admit I'm finding it difficult to work out precisely how to do this.

Before trying to modify

iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


I had a read through the documentation and issued the following

iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT


After this,

iptables --list


Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited


Now, I *think* from what I've read that this rule should be active and allowing FTP connections to the server (it isn't) and that this setup isn't actually saved to disk until I issue a further command.

So a few questions

1. Why isn't my FTP rule working - I bet I've cocked it up, haven't I?
2. Do I need a rule for passive FTP - something like iptables -A INPUT -p tcp --dport 50000:50050 -j ACCEPT
3. As I understand it, rules have to be entered in a specific order, so if you have a 'reject everything' rule it must be last to allow your 'allow whatever' rules to pass. How does this work when adding rules at the command line as I am doing above?

Sorry for the long post and thanks very much in advance for any replies

Edit - Just noticed this may be better placed in networking - sorry

Last edited by Thin; 11-11-2005 at 06:20 PM.
 
Old 11-11-2005, 08:53 PM   #2
Thin
LQ Newbie
 
Registered: Jul 2004
Location: Southern England
Distribution: Mandriva / Gentoo / CentOS
Posts: 27

Original Poster
Just for reference...

cat /etc/sysconfig/iptables

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
Old 11-12-2005, 10:22 AM   #3
Thin
LQ Newbie
 
Registered: Jul 2004
Location: Southern England
Distribution: Mandriva / Gentoo / CentOS
Posts: 27

Original Poster
OK, I've restarted iptables to get rid of my modifications and done a little more reading.

Am I right in assuming this will get FTP working for me?

iptables -I INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT
service iptables save


For reference current iptables --list

Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
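The three rule placements discussed in this thread (the appended `-A INPUT` rule from the first post, the `-I INPUT` rules from the third post, and the distribution's own convention of adding rules inside RH-Firewall-1-INPUT ahead of its final REJECT) can be compared without touching a live firewall. The script below is an added example, not something from the thread or from CentOS: it takes the /etc/sysconfig/iptables file pasted above as its base, derives the three variants from it, and walks a synthetic packet through the chains with a small awk evaluator that understands only the matches this ruleset uses (-p, -i, -d, --dport, --sport, --state). The packet descriptions (interface eth0, source ports 40000 and 20, passive port 50000, the NEW/RELATED states) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a toy iptables-restore ruleset walker in awk. It shows where a
# packet ends up depending on where the FTP rule is placed. The base ruleset is
# the poster's /etc/sysconfig/iptables; the packets and the simplified matching
# are constructed for this demonstration and are not a full iptables emulation.

base_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Post #1: 'iptables -A INPUT ...' appends AFTER the jump into RH-Firewall-1-INPUT.
ruleset_appended() {
  base_ruleset | awk '{ print } /^-A INPUT /{ print "-A INPUT -p tcp --dport 20:21 -j ACCEPT" }'
}

# Post #3: 'iptables -I INPUT ...' inserts at the top of INPUT, ahead of the jump.
ruleset_prepended() {
  base_ruleset | awk '/^-A INPUT -j/ {
      print "-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT"
      print "-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -j ACCEPT" } { print }'
}

# Distribution style: open port 21 inside RH-Firewall-1-INPUT just before its final
# REJECT and leave the data connections to connection tracking (RELATED).
ruleset_fixed() {
  base_ruleset | awk '/-j REJECT/ {
      print "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT" } { print }'
}

# verdict "proto dport state iface sport" < ruleset   -> prints ACCEPT or REJECT
verdict() {
  awk -v pkt="$1" '
  BEGIN { split(pkt, p, " "); proto = p[1]; dport = p[2] + 0; state = p[3]; iface = p[4]; sport = p[5] + 0 }
  /^:/   { c = substr($1, 2); if ($2 != "-") policy[c] = $2; next }   # built-in chain policies
  /^-A / { n[$2]++; rule[$2, n[$2]] = $0; next }                      # rules, in chain order
  END    { print walk("INPUT") }

  function inrange(spec, port,   r) {
    if (index(spec, ":") == 0) return spec + 0 == port
    split(spec, r, ":"); return port >= r[1] + 0 && port <= r[2] + 0
  }
  function matches(line,   f, nf, i) {
    nf = split(line, f, " ")
    for (i = 3; i <= nf; i++) {
      if (f[i] == "-p" && f[i+1] != proto) return 0
      if (f[i] == "-i" && f[i+1] != iface) return 0
      if (f[i] == "-d") return 0                       # our packet is unicast to the host, not 224.0.0.251
      if (f[i] == "--dport" && !inrange(f[i+1], dport)) return 0
      if (f[i] == "--sport" && !inrange(f[i+1], sport)) return 0
      if (f[i] == "--state" && index("," f[i+1] ",", "," state ",") == 0) return 0
    }
    return 1
  }
  function target(line,   f, nf, i) {
    nf = split(line, f, " ")
    for (i = 1; i <= nf; i++) if (f[i] == "-j") return f[i+1]
    return ""
  }
  # Walk a chain top to bottom: a terminating target ends evaluation, a user chain
  # that falls off its end returns to the caller, a built-in chain uses its policy.
  function walk(chain,   i, t, v) {
    for (i = 1; i <= n[chain]; i++) {
      if (!matches(rule[chain, i])) continue
      t = target(rule[chain, i])
      if (t == "ACCEPT" || t == "REJECT" || t == "DROP") return t
      v = walk(t)
      if (v != "") return v
    }
    return (chain in policy) ? policy[chain] : ""
  }'
}

# A new control connection to port 21, then a passive data connection to port 50000.
echo "appended (-A INPUT), port 21:           $(ruleset_appended  | verdict 'tcp 21 NEW eth0 40000')"
echo "prepended (-I INPUT), port 21:          $(ruleset_prepended | verdict 'tcp 21 NEW eth0 40000')"
echo "fixed, port 21:                         $(ruleset_fixed | verdict 'tcp 21 NEW eth0 40000')"
echo "fixed, passive data, no ftp helper:     $(ruleset_fixed | verdict 'tcp 50000 NEW eth0 40000')"
echo "fixed, passive data, ftp helper loaded: $(ruleset_fixed | verdict 'tcp 50000 RELATED eth0 40000')"
echo "prepended, any NEW conn from sport 20:  $(ruleset_prepended | verdict 'tcp 50000 NEW eth0 20')"
```

The first line answers question 1: an appended INPUT rule sits behind the jump into RH-Firewall-1-INPUT, and that chain's unconditional REJECT terminates evaluation before the appended rule is ever consulted, which is why the listing showed the rule but FTP still failed. The `-I INPUT` rules from the third post do work because they run before the jump, but the `--sport 20 --dport 1024:65535` rule admits any new connection to any unprivileged port as long as the remote side uses source port 20, which the last line makes visible; it is also unnecessary for active-mode FTP on the server, since the server opens that data connection itself and the replies already match ESTABLISHED. For question 2, the two "passive data" lines show the difference the FTP connection-tracking helper makes: with the helper loaded the data connection arrives as RELATED and is accepted by the existing ESTABLISHED,RELATED rule, so no fixed passive range has to be opened; without it the connection is NEW and rejected, and you would have to open exactly the passive range the FTP daemon is configured to use. On RHEL/CentOS of that era the helper is loaded by listing it in IPTABLES_MODULES in /etc/sysconfig/iptables-config, and `service iptables save` writes the running rules back to /etc/sysconfig/iptables.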
 
Old 11-16-2005, 12:38 PM   #4
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Gnome on CentOS has a nice GUI tool that lets you open and close ports.
Applications >> Server Settings >> Security Level I believe.
You could always give that a try. It's what I used to open up the FTP port on my home CentOS server.