can't connect via ftp on my lan...this is iptapbles configurations....

loboautoma · 01-24-2005, 07:06 AM

hi, i can't access ftp in my lan. I have 2 hosts.
1 with linux is the gateway on eth0, the other one is my personal pc connected to eth1. I configured the iptables so:

# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*filter
:INPUT DROP [53:5664]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [857:85837]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s xxxxxxxx/xxxxxxxxx -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Jan 24 11:45:26 2005
# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*nat
:PREROUTING ACCEPT [88:5432]
:POSTROUTING ACCEPT [31:4334]
:OUTPUT ACCEPT [122:12260]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 24 11:45:26 2005

....why the ftp is not functioning? May be i need configuring some iptables command for eth1?

Note: i'm an italian linux beginner.....thanx for any help!

Demonbane · 01-24-2005, 07:38 AM

Are you able to to login the ftp server(ie you see the welcome message ans such) but unable to establish data transfer, or you cannot connect at all?
by the way if you're running standard services on these ports you don't need to open udp port 21,22 and 80

loboautoma · 01-24-2005, 07:53 AM

thanx for your time....
i have the account, username and passwd....but i can't connect....the linux does not permit the connection.....is not a problem about file trasnfert but it's about a refused ftp connection....!!! can you help me???

Demonbane · 01-24-2005, 07:56 AM

Are you able to ftp using localhost?

loboautoma · 01-24-2005, 08:20 AM

from the linux to the web i can use the ftp....but i can't use it from my pc to the linux....
.the internal pc should be ok for any ftp connection....i conneced it to a console and it was ok...but connecting to the linux host the connection is refused......sorry for my english....

loboautoma · 01-24-2005, 09:09 AM

i'm not able also to ftp from linux to the internal pc....

loboautoma · 01-24-2005, 09:20 AM

i also proved these commands line:

iptables -A FORWARD -j REJECT
iptables -A OUTPUT -p tcp --sport 1024: --dport ftp -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport ftp-data -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -j ACCEPT
iptables -A OUTPUT -j REJECT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

but nothing to do.....something is wrong! shure!

loboautoma · 01-24-2005, 09:54 AM

i only need the correct pitables rules from scratch to ftp from my pc in the LAN to the linux gateway....thanx to any

Chowroc · 01-24-2005, 11:37 AM

In post #1, there is no rules of eth1 in chain INPUT of iptables. I think that's the problem.

loboautoma · 01-25-2005, 04:28 AM

thanx for your time Chowroc....
i'll prove with some rule for eth1!

fr_laz · 01-25-2005, 05:23 AM

Hi,

If you want to attempt ftp connections THROUGH your linux box, you've got to insert rules in the FORWARD section since you did
iptables -A FORWARD -j REJECT

So before this line I'll do this (if eth0 is your ext iface & eth1 your int iface)

# These modules are for ftp connexion tracking.
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# TCP :
iptables -A FORWARD -i eth0 -o eth1 -p tcp -sport 20:21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT

# UDP :
iptables -A FORWARD -i eth0 -o eth1 -p udp -sport 20:21 -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p udp -dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT

# Then the file transfer itself is done on others ports
iptables -I FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -I FORWARD -i eth0 -o eth1 -p udp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -I FORWARD -i eth1 -o eth0 -p udp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

and finish with
iptables -A FORWARD -j REJEC

Hope this helps, bye...

loboautoma · 01-25-2005, 08:04 AM

many thanx....wanderful helps.....
i'll prove that commands this evening.....they are advanced rules for my linux beginner head....

i'll tell you if all it's ok!

loboautoma · 02-05-2005, 09:43 AM

hi! the problem is solved!
In reality there was not wrong lines with iptables but i needed only one very stupid (as me) line:

ftpd -p 21

This to activate the DARPA server process.....that is a service that listens at the port 21.....i'm sorry but i didn't know this simple thing...my distribution (mandrake 10.0), i don't know for the other ones, doesn't provide an automatic service, maybe for security reasons, and you must abiltate the correct one......

At the end for the firwall i decided to use a very good one, ideal for my configuration (eth0 inet Linux, eth1 LAN windows), found at this link:

http://www.faqs.org/docs/iptables/in...nfirewall.html

where i changed the chain INPUT for tcp packets on ports 21, commenting it to not accept ftp connection from internet.....

thanz to all, see you soon
lobohead