LinuxQuestions.org
Old 08-14-2005, 07:36 PM   #1
yvesg
Member
 
Registered: May 2004
Distribution: SuSe v9.3 Professional
Posts: 33

Rep: Reputation: 15
Little vsftpd +iptables problem


I have a little problem with my iptables firewall script:

I have set up an ftp server (vsftpd) on my linux box.
The ftp server runs on port 50021, and is set in passive mode.
The ports for passive mode are limited from 20000 to 50000.

I can connect to the ftp server, but I get a listing error. (Probably because the passive ports are blocked on my ftp server)

Here is a log from my ftp client:

....
[R] 230 Login successful.
[R] SYST
[R] 215 UNIX Type: L8
[R] FEAT
[R] 211-Features:
[R] EPRT
[R] EPSV
[R] MDTM
[R] PASV
[R] REST STREAM
[R] SIZE
[R] TVFS
[R] 211 End
[R] PWD
[R] 257 "/home/yvesg"
[R] TYPE A
[R] 200 Switching to ASCII mode.
[R] PASV
[R] 227 Entering Passive Mode (84,194,48,3,150,5)
[R] Opening data connection IP: 84.194.48.3 PORT: 38405
[R] Data Socket Error: Connection timed out
[R] List Error
.....

In my firewall script I have loaded the ip_conntrack_ftp and ip_nat_ftp modules.

I also implemented the following lines:

Code:
#Loading necessary modules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

#Opening ports 50021 50022 50080
${IPTABLES} -A INPUT -i eth0 -p tcp --dport 50021 -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -i eth0 -p tcp --dport 50022 -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -i eth0 -p tcp --dport 50080 -m state --state NEW,ESTABLISHED -j ACCEPT

#Setting rules for connection tracking
${IPTABLES} -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT


What is wrong?
 
Old 08-15-2005, 03:23 PM   #2
vimico
Member
 
Registered: Jan 2004
Distribution: Debian, Ubuntu
Posts: 118

Rep: Reputation: 15
The iptables helper ip_conntrack_ftp monitors the data stream between ftp client and ftp server in order to determine which additional ports have to be opened for the connection.

It expects that this conversation takes place on the default ftp port (21).

You are using a different port, and ip_conntrack_ftp does not know that. It still monitors port 21, blissfully unaware of anything else around it.

Use the following to tell the helper app on which port your ftp connection will take place:

Code:
modprobe ip_conntrack_ftp ports=50021
FYI: (not necessary in this case) ports can take more than one argument. Use ports=X,Y,Z
 
Old 08-15-2005, 04:27 PM   #3
yvesg
Member
 
Registered: May 2004
Distribution: SuSe v9.3 Professional
Posts: 33

Original Poster
Rep: Reputation: 15
Tried to implement this in the firewall script, but the problem still exists.
 
Old 08-15-2005, 05:55 PM   #4
yvesg
Member
 
Registered: May 2004
Distribution: SuSe v9.3 Professional
Posts: 33

Original Poster
Rep: Reputation: 15
Fixed it myself.

It seems that the module still needs the original ftp port.
So the command needs to be:

Code:
modprobe ip_conntrack_ftp ports=21,50021
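To make the diagnosis in this thread repeatable, here is an added example (not code from the thread or from vsftpd): it decodes the PASV reply from the client log into the data port, checks that port against the passive range from post #1, and prints the helper and firewall commands that post #2 and post #4 arrive at for a control port of 50021. The raw-table CT rule is an assumption about modern kernels, where helpers are no longer assigned automatically.

```shell
#!/bin/sh
# Added example, not from the thread: decode the PASV reply in the
# client log, check the data port against vsftpd's passive range, and
# print the helper and firewall commands for a control port of 50021.

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into "ip port".
# The port is p1*256 + p2, which is how 150,5 becomes 38405 in the log.
pasv_decode() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# Succeed when PORT lies inside pasv_min_port..pasv_max_port.
in_pasv_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Print the commands that make the FTP helper and the firewall agree on
# a non-standard control port. Port 21 stays in the list, as post #4 found.
fw_rules() {
    ctrl=$1
    cat <<EOF
modprobe ip_conntrack_ftp ports=21,$ctrl
iptables -A INPUT -p tcp --dport $ctrl -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Kernels since 4.7 no longer auto-assign helpers (assumed setup; module
# is nf_conntrack_ftp there), so tag the control connection explicitly:
iptables -t raw -A PREROUTING -p tcp --dport $ctrl -j CT --helper ftp
EOF
}

# Walk the thread's own log line through the checks.
reply='227 Entering Passive Mode (84,194,48,3,150,5)'
set -- $(pasv_decode "$reply")
echo "data connection to $1 port $2"
if in_pasv_range "$2" 20000 50000; then
    echo "port $2 is inside the passive range, so vsftpd's range is not the problem"
fi
fw_rules 50021
```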
 