LinuxQuestions.org
Old 04-07-2008, 05:45 PM   #1
bk2008
LQ Newbie
 
Registered: Apr 2008
Posts: 4

Rep: Reputation: 0
IPTABLES configuration for Passive FTP connection


Hello Everyone,

My FTP users can login but can not send/receive data when I use the below iptables configuration.
Can someone make any recommendation to resolve the FTP connection issue.
Thanks for your help.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [131962:7397220]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
 
Old 04-07-2008, 06:17 PM   #2
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 98
You need to turn on FTP connection tracking. Here is a quick howto:

http://www.cyberciti.biz/faq/iptable...s-not-working/

HTH

Forrest
 
Old 04-07-2008, 06:17 PM   #3
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 54
Are you loading the correct connection tracking modules in your /etc/sysconfig/iptables-config file? Something like this:-
IPTABLES_MODULES="ip_conntrack_ftp nf_conntrack_netbios_ns"
 
Old 04-07-2008, 06:19 PM   #4
win32sux
Moderator
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 367
Quote:
Originally Posted by bk2008
My FTP users can login but can not send/receive data when I use the below iptables configuration.
Can someone make any recommendation to resolve the FTP connection issue.
Thanks for your help.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [131962:7397220]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
The rule you have for port 20 is not necessary (only port 21 is). The RELATED,ESTABLISHED rule will pick up the client's data connection, which won't happen on port 20 anyway (not in passive mode). Your issue is most likely caused by not having FTP connection tracking support in your kernel, or not having the FTP connection tracking module loaded. Try doing a:
Code:
modprobe ip_conntrack_ftp
BTW, I'm moving this to Networking, as it isn't a security issue.

Last edited by win32sux; 04-07-2008 at 06:29 PM.
 
Old 04-07-2008, 06:23 PM   #5
forrestt
Senior Member
 
Registered: Mar 2004
Location: Cary, NC, USA
Distribution: Fedora, Kubuntu, RedHat, CentOS, SuSe
Posts: 1,288

Rep: Reputation: 98
Sorry, pasted the wrong URL. That one may help, but this one is better:

http://www.cyberciti.biz/tips/how-do...g-feature.html

HTH

Forrest
 
Old 04-07-2008, 06:51 PM   #6
bk2008
LQ Newbie
 
Registered: Apr 2008
Posts: 4

Original Poster
Rep: Reputation: 0
Adding: ESTABLISHED,RELATED -m tcp --sport 1024: ...

I was reading on the net and I see suggestions for opening ports greater than 1024.

Do you think adding this iptables line will resolve this FTP connection issue?

iptables -I RH-Firewall-1-INPUT 9 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 1024: --dport 1024: -j ACCEPT

Thanks for your help.
 
Old 04-07-2008, 07:10 PM   #7
win32sux
Moderator
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 367
Quote:
Originally Posted by bk2008
I was reading on the net and I see suggestions for opening ports greater than 1024.
That definitely made sense like 10 years ago when we didn't have connection tracking. Today, such a rule would be completely insane. Connection tracking makes this sort of security nightmare totally unnecessary. As has already been said, for FTP services you only need port 21 open.

Quote:
Do you think adding this iptables line will resolve this FTP connection issue?

iptables -I RH-Firewall-1-INPUT 9 -p tcp -m state --state ESTABLISHED,RELATED -m tcp --sport 1024: --dport 1024: -j ACCEPT
No, at least not without FTP connection tracking. See, for Netfilter to know that the state of those FTP data connection packets is RELATED or ESTABLISHED it would need to have FTP connection tracking support enabled in the first place - which you apparently don't have AFAICT. Note that if this rule would work, it would be redundant, as it would imply that your current RELATED,ESTABLISHED rule was working originally. You won't need to make any additional RELATED,ESTABLISHED rules once you've got FTP connection tracking working.

You could remove the state matches from the rule and do it like we're in 1998 like:
Code:
iptables -I RH-Firewall-1-INPUT -p tcp -m tcp --sport 1024: --dport 1024: -j ACCEPT
And that should work - but it's a terrible way to address your problem, and is NOT recommended.

Your issue is best addressed by tracking the FTP connections, not by poking giant holes in your firewall.

Last edited by win32sux; 04-07-2008 at 07:36 PM.
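To make the point in the reply above concrete, here is an added example (not from any poster, and not Netfilter's code) that models what the ip_conntrack_ftp helper does: it parses the server's 227 PASV reply on the port-21 control channel and registers an expectation, so that the client's SYN to the announced data port is classified RELATED and accepted by the existing RELATED,ESTABLISHED rule. It then walks the OP's RH-Firewall-1-INPUT chain with and without the helper, and with the stateless "1998" rule, to show why that rule also admits traffic from unrelated hosts. All addresses and the PASV reply are constructed sample values.

```python
import re

# Constructed sample of the reply the server sends on the port-21 control
# channel; the ip_conntrack_ftp helper parses this line to learn the data port.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
CLIENT = "198.51.100.7"             # constructed client address
OPEN_PORTS = {80, 443, 21}          # the OP's "--state NEW ... --dport" rules

def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply; port = p1*256 + p2."""
    m = re.fullmatch(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def expectations(helper_loaded, client=CLIENT):
    """With the helper loaded, the 227 reply registers an expectation: a SYN
    from the client to the announced port is RELATED to the port-21 session."""
    if not helper_loaded:               # without the helper conntrack learns nothing
        return set()
    return {(client, parse_pasv(PASV_REPLY)[1])}

def conntrack_state(expected, src, dport):
    return "RELATED" if (src, dport) in expected else "NEW"

def verdict(src, dport, helper_loaded, legacy_rule=False):
    """Walk the OP's RH-Firewall-1-INPUT chain for one inbound TCP SYN.
    legacy_rule adds the stateless '--sport 1024: --dport 1024:' rule
    (source port assumed to be >= 1024, as it is for normal clients)."""
    state = conntrack_state(expectations(helper_loaded), src, dport)
    if state in ("RELATED", "ESTABLISHED"):   # -m state RELATED,ESTABLISHED
        return "ACCEPT"
    if dport in OPEN_PORTS:                   # --state NEW --dport 80/443/21
        return "ACCEPT"
    if legacy_rule and dport >= 1024:         # the "1998" rule
        return "ACCEPT"
    return "REJECT"                           # --reject-with icmp-host-prohibited

def summary():
    data_port = parse_pasv(PASV_REPLY)[1]     # 195*256 + 80 = 50000
    return {
        "client_no_helper":   verdict(CLIENT, data_port, helper_loaded=False),
        "client_with_helper": verdict(CLIENT, data_port, helper_loaded=True),
        # an unrelated host hitting a random high port: the legacy rule lets
        # it in, the tracked ruleset (helper loaded, no legacy rule) does not
        "stranger_legacy":    verdict("203.0.113.9", 6000, False, True),
        "stranger_tracked":   verdict("203.0.113.9", 6000, True),
    }
```

Running summary() shows the data connection rejected without the helper and accepted with it, while only the legacy rule accepts the unrelated host's SYN.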
 
Old 04-07-2008, 11:17 PM   #8
bk2008
LQ Newbie
 
Registered: Apr 2008
Posts: 4

Original Poster
Rep: Reputation: 0
FTP connection tracking module

Thank you for your help.

I was not familiar with the FTP connection tracking module. As soon as I typed:

modprobe ip_conntrack_ftp


FTP started working - no problem.

Do I need to reload this module or retype this command every time I restart the server?

Are there some entry-level resources about the tracking module that I can read on the net?

Thanks again - I appreciate everyone's help.
 
Old 04-07-2008, 11:25 PM   #9
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 54
As I posted earlier, add this to your /etc/sysconfig/iptables.conf file:-
Code:
IPTABLES_MODULES="ip_conntrack_ftp"
This will ensure that connection tracking is loaded when your firewall starts.
 
Old 04-08-2008, 12:37 AM   #10
bk2008
LQ Newbie
 
Registered: Apr 2008
Posts: 4

Original Poster
Rep: Reputation: 0
iptables.conf

I'm running CentOS 5 and the file /etc/sysconfig/iptables.conf does not exist.

Should I create a new file?

Is there a default configuration file I can look for?

Thanks
 
Old 04-08-2008, 12:43 AM   #11
blacky_5251
Member
 
Registered: Oct 2004
Location: Adelaide Hills, South Australia
Distribution: RHEL 4&5, Fedora 10, CentOS 5.4, IPCop
Posts: 569

Rep: Reputation: 54
Sorry, the file is called iptables-conf, not .conf. Just look for files in /etc/sysconfig starting with iptables.
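As an added example (not from any poster) for the persistence question in posts #8 to #11: a small helper that adds the FTP helper to the IPTABLES_MODULES line of /etc/sysconfig/iptables-config without clobbering modules already listed there, plus a check of /proc/modules (or lsmod output) to confirm the helper is actually loaded after the firewall restarts. It also accepts the newer module name nf_conntrack_ftp, which later kernels use instead of ip_conntrack_ftp. The config and /proc/modules excerpts are constructed sample text.

```python
import re

MODULE_NAMES = ("ip_conntrack_ftp", "nf_conntrack_ftp")  # old and newer kernel names

def add_iptables_module(config_text, module="ip_conntrack_ftp"):
    """Return config_text with `module` listed in IPTABLES_MODULES.
    Idempotent: keeps modules already on the line, adds the line if absent."""
    pattern = re.compile(r'^([ \t]*IPTABLES_MODULES=)"([^"]*)"', re.M)
    m = pattern.search(config_text)
    if m is None:
        sep = "\n" if config_text and not config_text.endswith("\n") else ""
        return config_text + sep + 'IPTABLES_MODULES="%s"\n' % module
    mods = m.group(2).split()
    if module not in mods:
        mods.append(module)
    new_line = '%s"%s"' % (m.group(1), " ".join(mods))
    return config_text[:m.start()] + new_line + config_text[m.end():]

def ftp_helper_loaded(proc_modules_text):
    """True if /proc/modules (or lsmod output) lists an FTP conntrack helper."""
    loaded = {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}
    return any(name in loaded for name in MODULE_NAMES)

# Constructed excerpt of a stock CentOS 5 /etc/sysconfig/iptables-config
SAMPLE_CONFIG = ('# Load additional iptables modules (nat helpers etc.)\n'
                 'IPTABLES_MODULES=""\n')
# Constructed /proc/modules excerpt as seen after "modprobe ip_conntrack_ftp"
SAMPLE_PROC_MODULES = ("ip_conntrack_ftp 12345 0 - Live 0xffffffff88012000\n"
                       "ip_conntrack 53281 1 ip_conntrack_ftp, Live 0xffffffff88001000\n")
```

On a real host, write the result of add_iptables_module back to /etc/sysconfig/iptables-config, restart the iptables service, and feed the contents of /proc/modules to ftp_helper_loaded to verify.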
 