LinuxQuestions.org
04-07-2006, 05:06 PM   #1
leosgb (Member; Distribution: Gentoo)
iptables blocks services (HTTPS and FTP)


Hi,

I have been struggling with some problems here and I just realized they are caused by my firewall. I was wondering if anyone could give me some advice here. I am trying to get SSL to work w/ apache and it is all configured and running. If I stop iptables I can connect to it correctly, so the only cause can be iptables. I have the same problem w/ my FTP server.

HTTPS --> port 443
FTP --> port 34012 (I would rather not use the standard port)

Can anyone help me, please?

My rules:
# Generated by iptables-save v1.3.5 on Fri Apr 7 12:38:27 2006
*raw
:PREROUTING ACCEPT [9397:898320]
:OUTPUT ACCEPT [9159:1463145]
COMMIT
# Completed on Fri Apr 7 12:38:27 2006
# Generated by iptables-save v1.3.5 on Fri Apr 7 12:38:27 2006
*nat
:PREROUTING ACCEPT [64:13883]
:POSTROUTING ACCEPT [27:3880]
:OUTPUT ACCEPT [27:3880]
COMMIT
# Completed on Fri Apr 7 12:38:27 2006
# Generated by iptables-save v1.3.5 on Fri Apr 7 12:38:27 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [323:29805]
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -p udp -m udp --dport 67:69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 34012 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
# Completed on Fri Apr 7 14:11:07 2006

Last edited by leosgb; 04-07-2006 at 05:17 PM.
 
04-07-2006, 11:09 PM   #2
centauricw (Member; Distribution: Slackware, CentOS, Red Hat Enterprise Linux)
My guess from looking at the rules you posted is that it's the REJECT statement:

Quote:
...
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
...
The REJECT statement doesn't appear to have any constraints except that it's an input package, so everything that reaches this rule will be rejected and the rules after it will never be checked. Both your SSL and FTP rules are after this REJECT rule.
 
04-08-2006, 11:42 AM   #3
leosgb (Original Poster)
You are right. I moved that rule down and it worked. I wasn't aware that the rules were checked in the order they are written. Will be more careful next time. Now I can connect from everywhere except for making file transfers, which indicates to me that I don't have a valid data channel. I can issue all commands fine, so I have a working control channel. What other ports do I have to open to make sure transfers will take place?

I have this in my proftpd.conf:

PassivePorts 30098 30197

I am going to open them now and see what happens. Thanks for your reply!

----------------------------------
EDIT
I opened those ports in my router and firewall, and when I try to use it this is what I get for an "ls" command:
425 Unable to build data connection: Connection refused

All connections are being forwarded to my server now and all ports should be open. This is how I did it:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:30098:30197

Can you help me?

Last edited by leosgb; 04-08-2006 at 11:57 AM.
 
04-08-2006, 12:02 PM   #4
win32sux (Moderator)
make sure you have the ip_conntrack_ftp module loaded...
 
04-09-2006, 04:09 AM   #5
booksh (LQ Newbie)
Hi, I am a new member. I hope to get some help.
 
04-09-2006, 04:17 AM   #6
booksh (LQ Newbie)
I need to know about iptables (blocking and forwarding): which command do I type to do this? I am waiting.
 
04-09-2006, 05:57 AM   #7
pk21 (Member)
Why is the rule -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT there? I think it should be the destination port 443, not the source port:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

And as win32sux already mentioned, you should check if ip_conntrack_ftp module is loaded. Just type "lsmod" and see if it is in there.
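The two firewall points made in posts #2 and #7 (a catch-all REJECT shadows everything appended after it, and --sport 443 matches the client's source port rather than the server's listening port) can be checked without touching a live firewall. The following is an added example, not code from the thread: a small first-match evaluator that walks the INPUT chain from the first post exactly as iptables would. It models only the matchers those rules use (-p, -s, -d, --dport/--dports, --sport, -m state --state); the packets, the server address 192.168.1.2 and the client address 203.0.113.5 are constructed for the demonstration and are not from the thread. It also shows a side effect of the --sport rule that a practitioner should know: a remote host can choose source port 443 at will, so that rule admits NEW connections to any local port.

```python
"""Added example, not code from the thread: a first-match evaluator for the
posted INPUT chain. Only the matchers the posted rules use are modelled
(-p, -s, -d, --dport, --dports, --sport, -m state --state); packets are
constructed dicts, not captured traffic."""
import ipaddress
import shlex

# The filter-table INPUT chain from the first post, in the posted order.
POSTED_INPUT = """\
-A INPUT -p tcp -m multiport --dports 139,445 -j ACCEPT
-A INPUT -p udp -m multiport --dports 137,138 -j ACCEPT
-A INPUT -p udp -m udp --dport 67:69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 34012 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -j DROP
""".splitlines()

REJECT_LINE = "-A INPUT -j REJECT --reject-with icmp-port-unreachable"
# Post #3: the catch-all REJECT moved to the end of the chain.
REORDERED = [r for r in POSTED_INPUT if r != REJECT_LINE] + [REJECT_LINE]
# Post #7: match the server's listening port, not the client's source port.
FIXED = [r.replace("--sport 443", "--dport 443") for r in REORDERED]

def _ports(spec):
    """'443' -> {(443, 443)}; '67:69' -> {(67, 69)}; '139,445' -> both ports."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.add((int(lo), int(hi or lo)))
    return out

def parse_rule(line):
    """Reduce one iptables-save line to (matcher dict, target)."""
    toks, m, target, i = shlex.split(line), {}, None, 0
    while i < len(toks):                 # every option used here takes one argument
        opt, arg = toks[i], toks[i + 1]
        if opt == "-j":
            target = arg
        elif opt == "-p":
            m["proto"] = arg
        elif opt in ("-s", "-d"):        # handles 127.0.0.1 and 192.168.1.0/255.255.255.0
            m[opt] = ipaddress.ip_network(arg, strict=False)
        elif opt in ("--dport", "--dports", "--sport"):
            m[opt.strip("-").rstrip("s")] = _ports(arg)   # key: 'dport' or 'sport'
        elif opt == "--state":
            m["state"] = set(arg.split(","))
        elif opt not in ("-A", "-m", "--reject-with"):
            raise ValueError(f"unsupported option {opt} in: {line}")
        i += 2
    return m, target

def matches(m, pkt):
    """True when every matcher in m accepts the packet."""
    if "proto" in m and m["proto"] != pkt["proto"]:
        return False
    for opt, key in (("-s", "src"), ("-d", "dst")):
        if opt in m and ipaddress.ip_address(pkt[key]) not in m[opt]:
            return False
    for key in ("dport", "sport"):
        if key in m and not any(lo <= pkt.get(key, -1) <= hi for lo, hi in m[key]):
            return False
    return "state" not in m or pkt["state"] in m["state"]

def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, 1-based rule number), or (chain policy, None)."""
    for n, line in enumerate(chain, 1):
        m, target = parse_rule(line)
        if matches(m, pkt):
            return target, n
    return policy, None

def pkt(dport, sport=51234, proto="tcp", src="203.0.113.5"):
    """A constructed NEW inbound packet from an outside host (RFC 5737 test address)."""
    return {"proto": proto, "src": src, "dst": "192.168.1.2",
            "sport": sport, "dport": dport, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("posted", POSTED_INPUT), ("reordered", REORDERED), ("fixed", FIXED)):
        print(f"{name:9} HTTPS SYN to 443      -> {evaluate(chain, pkt(443))}")
        print(f"{name:9} FTP SYN to 34012      -> {evaluate(chain, pkt(34012))}")
        # A remote host can pick source port 443 at will; with --sport that rule
        # admits a NEW connection to any local port, here 8080.
        print(f"{name:9} sport-443 SYN to 8080 -> {evaluate(chain, pkt(8080, sport=443))}")
```

With the posted order both the HTTPS and the FTP control SYN stop at rule 11 (the REJECT). Moving the REJECT to the end lets the FTP rule match, but the HTTPS SYN still falls through to the final DROP because its source port is an ephemeral client port, not 443, and at the same time any probe that sets source port 443 is accepted to every local TCP port. Only the --dport form admits the HTTPS SYN and closes that hole.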
 
04-10-2006, 07:38 PM   #8
leosgb (Original Poster)
I changed it. Thanks. But what was really blocking my https was this line:

-A INPUT -j REJECT --reject-with icmp-port-unreachable

It should be the last one not in the middle as it was before. After I moved it down I got it to work. But no success w/ my FTP yet. I believe it is a router problem.
 
04-10-2006, 07:43 PM   #9
win32sux (Moderator)
did you confirm the ftp module is loaded??
 
04-10-2006, 07:46 PM   #10
leosgb (Original Poster)
I tried lsmod but nothing returned. I am running 2.6.15 Gentoo here.

Module Size Used by
snd_dummy 11328 0
s2io 57160 0
i2c_core 19712 0
nvidia 4855984 0

I guess it is built in the kernel:

grep TRACK .config
CONFIG_IP_NF_CONNTRACK=y <========= Right?
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
# CONFIG_IP_NF_CONNTRACK_NETLINK is not set
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_TARGET_NOTRACK is not set
 
04-11-2006, 12:48 PM   #11
pk21 (Member)
Just try: insmod ip_conntrack_ftp
And check with lsmod if the module gets loaded.
 
04-11-2006, 12:57 PM   #12
win32sux (Moderator)
Quote:
Originally Posted by leosgb
I tried lsmod but nothing returned. I am running 2.6.15 Gentoo here.

Module Size Used by
snd_dummy 11328 0
s2io 57160 0
i2c_core 19712 0
nvidia 4855984 0

I guess it is built in the kernel:

grep TRACK .config
CONFIG_IP_NF_CONNTRACK=y <========= Right?
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_CONNTRACK_EVENTS=y
# CONFIG_IP_NF_CONNTRACK_NETLINK is not set
CONFIG_IP_NF_MATCH_CONNTRACK=y
# CONFIG_IP_NF_TARGET_NOTRACK is not set
what you are pointing to there is just the general conntrack, not the FTP specific...

I'm on Linux 2.4, but here's what my .config looks like, as well as the loaded module:

Code:
bash-3.1$ cat /boot/config | grep _FTP
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_NAT_FTP=m
bash-3.1$ /sbin/lsmod | grep ftp
ip_conntrack_ftp        3632   0 (unused)
ip_conntrack           18564   1 (autoclean) [ip_conntrack_ftp ipt_state iptable_nat]
 
04-11-2006, 01:13 PM   #13
leosgb (Original Poster)
Ok. I have it:
grep FTP /usr/src/linux/.config
CONFIG_IP_NF_FTP=y <<<<<====== built in.
# CONFIG_IP_NF_TFTP is not set
CONFIG_IP_NF_NAT_FTP=y <<<<<====== built in.

It works now. I changed it to the default port as suggested in a different thread. I will leave it as is for now since this is a temporary setup. Once my friend is done w/ his transfer I will kill proftpd again.

So, to help booksh, if this is what he is looking for:
0) make sure you have the kernel requirements; you can check it by "grep PARAMETER /usr/src/linux/.config":
CONFIG_IP_NF_FTP=m or y (if you use a module, use lsmod to check that it is loaded)
CONFIG_IP_NF_NAT_FTP=m or y
CONFIG_IP_NF_CONNTRACK=y or m
1) set the router to forward ports for FTP; here I used 20 and 21. Don't forget the passive mode ports too. I used 30098 to 30197.
2) open these ports in your firewall:
iptables -A INPUT -p tcp -m tcp --dport 30098:30197 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
3) follow the instructions to set up proftpd that are easily available.
4) start the server: /etc/init.d/proftpd start
5) have fun!
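The recipe above and the helper discussion in posts #4, #7 and #12 come down to two checks: is the FTP connection-tracking helper actually present, and does the port the server advertises in its 227 reply fall inside the range the firewall opens? The following is an added example, not code from the thread or from proftpd: it parses a PASV reply the same way the kernel helper does on the control channel, tests the resulting data port against the PassivePorts range from the thread (30098 to 30197), reads a kernel .config for the helper symbol, and lists the INPUT rules a passive-mode server needs in each case. The 227 replies, the .config text and the server address 192.168.1.2 are constructed samples.

```python
"""Added example, not from the thread: sanity checks for a passive-mode FTP
server behind a stateful iptables host. The PASV replies and the .config
excerpt below are constructed samples, not output from a real system."""
import re

PASSIVE_PORTS = (30098, 30197)          # proftpd.conf: PassivePorts 30098 30197

_PASV = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """(host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    This is the same parse the kernel's FTP conntrack helper performs on the
    control channel so it can expect the data connection and mark it RELATED."""
    m = _PASV.match(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in: {reply!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_port_allowed(reply, passive_ports=PASSIVE_PORTS):
    """True if the advertised data port lies inside the range the firewall opens."""
    _, port = parse_pasv(reply)
    lo, hi = passive_ports
    return lo <= port <= hi

def helper_status(config_text):
    """'builtin', 'module' or 'missing' for the FTP conntrack helper.
    CONFIG_IP_NF_FTP is the 2.4/early-2.6 symbol, CONFIG_NF_CONNTRACK_FTP the
    later one. A module must additionally show up in lsmod to be of any use."""
    for line in config_text.splitlines():
        m = re.match(r"(CONFIG_IP_NF_FTP|CONFIG_NF_CONNTRACK_FTP)=([ym])$", line)
        if m:
            return "builtin" if m.group(2) == "y" else "module"
    return "missing"

def required_input_rules(helper, passive_ports=PASSIVE_PORTS, ctrl_port=21):
    """INPUT rules a passive-mode server needs, given helper_status()'s answer.
    With the helper active, the data connection arrives as RELATED and the usual
    -m state --state RELATED,ESTABLISHED rule already admits it; without it, the
    whole PassivePorts range has to be opened to NEW connections."""
    rules = [f"-A INPUT -p tcp --dport {ctrl_port} -m state --state NEW -j ACCEPT"]
    if helper == "missing":
        lo, hi = passive_ports
        rules.append(f"-A INPUT -p tcp --dport {lo}:{hi} -m state --state NEW -j ACCEPT")
    return rules

# Constructed samples. 117*256+146 = 30098 is the bottom of the PassivePorts
# range; 78*256+32 = 20000 is what a server without PassivePorts might pick.
SAMPLE_CONFIG = """\
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=y
# CONFIG_IP_NF_TFTP is not set
CONFIG_IP_NF_NAT_FTP=y
"""
IN_RANGE = "227 Entering Passive Mode (192,168,1,2,117,146)"
OUT_OF_RANGE = "227 Entering Passive Mode (192,168,1,2,78,32)"

if __name__ == "__main__":
    status = helper_status(SAMPLE_CONFIG)
    print("ftp conntrack helper:", status)
    for reply in (IN_RANGE, OUT_OF_RANGE):
        host, port = parse_pasv(reply)
        verdict = "allowed" if data_port_allowed(reply) else "blocked by firewall"
        print(f"data connection to {host}:{port} -> {verdict}")
    print("\n".join(required_input_rules(status)))
```

Two caveats apply to the helper path. On kernels from 4.7 onwards the helper is no longer attached to connections automatically (the nf_conntrack_helper sysctl defaults to 0), so even a present ip_conntrack_ftp/nf_conntrack_ftp only does its job after an explicit raw-table rule such as iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp. And the helper can only read a 227 reply it can see in cleartext; with FTP over TLS the control channel is encrypted, so FTPS always needs the explicit PassivePorts range opened, as in the recipe above.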
 
  

