LinuxQuestions.org
Old 10-14-2006, 07:54 PM   #1
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Rep: Reputation: 30
iptables rule for ftp


Hi,
I was wondering if someone could suggest a rule or combination of rules to allow vsftpd to work behind iptables? It works when the firewall is down.
This is the rule I have at the moment which is not working

Code:
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
I'm using vsftpd to allow local users access to a shared folder.

my vsftp.conf file:

Code:
anonymous_enable=NO
local_enable=YES
write_enable=NO
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
ftpd_banner=Welcome to the back-side of eternity: Unauthorised use PROHIBITED
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=YES
listen=YES
anon_max_rate=40000
local_max_rate=40000
#listen_port=2121
pam_service_name=vsftpd
#userlist_enable=YES
check_shell=NO
Thanks
 
Old 10-14-2006, 08:21 PM   #2
musicman_ace
Senior Member
 
Registered: May 2001
Location: Indiana
Distribution: Gentoo, Debian, RHEL, Slack
Posts: 1,555

Rep: Reputation: 46
You'll need both the control and data ports (20,21). But this brings in the Active or Passive ftp server argument. I'd have to google it, but one of them opens a dynamic random port while the other only uses the (20,21) ports.
 
Old 10-14-2006, 08:48 PM   #3
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Original Poster
Rep: Reputation: 30
OK, I think I might be getting somewhere.

Code:
modprobe ip_conntrack_ftp
seems to solve the connection problem with passive ftp.

Any suggestions for improved iptables rules are still welcome.

Cheers
 
Old 10-14-2006, 08:49 PM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
And you generally need an ESTABLISHED,RELATED rule to deal with the dynamic higher ports
 
Old 10-14-2006, 09:29 PM   #5
jcliburn
Member
 
Registered: Dec 2003
Location: Mississippi, USA
Distribution: Fedora
Posts: 435

Rep: Reputation: 33
In vsftpd.conf, use pasv_min_port and pasv_max_port to establish a range of passive ports you'd like to use. Then add a rule in iptables that unblocks those ports.

Example:
vsftpd.conf
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010

iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 11001:11010 -j ACCEPT
 
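Putting jcliburn's fixed passive range together with billymayday's ESTABLISHED,RELATED point, here is an added example (not code from any poster in this thread) that reads the pasv range out of a vsftpd.conf and emits the matching iptables rules, so the firewall and the daemon cannot drift apart. The sample config text, the `conf_value` and `vsftpd_rules` function names are constructed for this example; the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example: derive iptables rules for vsftpd from its own config.
# Assumption: the config fragment below is a constructed sample, not the
# original poster's file. Output is printed; pipe into `sh` to apply it.

# Constructed sample vsftpd.conf (only the keys this script looks at matter).
SAMPLE_CONF='anonymous_enable=NO
local_enable=YES
connect_from_port_20=YES
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010
listen=YES'

# Return the value of one key=value line; commented-out lines are ignored.
conf_value() {
    # $1 = config text, $2 = key name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# Emit the iptables rules that match the daemon's configuration.
# Returns 1 (and prints nothing) if the passive range is missing or inverted.
vsftpd_rules() {
    conf="$1"
    lo=$(conf_value "$conf" pasv_min_port)
    hi=$(conf_value "$conf" pasv_max_port)
    case "${lo}${hi}" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -le "$hi" ] || return 1
    cat <<EOF
# control channel: new connections to port 21 only
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
# passive data channel: exactly the range vsftpd advertises, nothing wider
iptables -A INPUT -p tcp --dport ${lo}:${hi} -m state --state NEW -j ACCEPT
# replies and helper-tracked data connections; the FTP conntrack helper
# (ip_conntrack_ftp on 2.6-era kernels, nf_conntrack_ftp today) must be loaded
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Active mode: vsftpd dials out from port 20, so allow that in OUTPUT.
    if [ "$(conf_value "$conf" connect_from_port_20)" = YES ]; then
        echo "iptables -A OUTPUT -p tcp --sport 20 -m state --state NEW -j ACCEPT"
    fi
}

vsftpd_rules "$SAMPLE_CONF"
```

Keeping the passive range narrow matters: the only INPUT rule that accepts NEW connections above port 21 is the one for the range vsftpd is actually configured to advertise.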
Old 10-15-2006, 12:12 PM   #6
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by jcliburn
.......
pasv_enable=YES
pasv_min_port=11001
pasv_max_port=11010

-A INPUT -p tcp --dport 11001:11010 -j ACCEPT
I think this helped deal with another problem I was having for local user access. Users were getting prompted for passwords at unusual times, for example, when trying to descend into a sub-directory within the root directory. I think this must have been because passive connections were being lost.

Thanks
 