[SOLVED] vsftpd and iptables won't play together

slackin1stimer · 02-17-2013, 02:38 AM

In a nutshell I am unable to access my vsftp server while my firewall is active despite opening the correct ports--AFAIK. I recently switched my home server from CentOS 6.3 to Slackware 14. I am using the same iptables configuration as before, but now I have a quirk. I am by no means skilled at using iptables--I simply followed the suggestions on the CentOS wiki as follows:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
(Added by me) -A INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
(Added by me) -A INPUT -p tcp --dport 21 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -L -v

Now with the above setup I can remotely access my webserver and ssh no problem, but not vsftpd. I am able to access vsftpd from the server itself but remote access is the whole point

If I remove the "iptables -P INPUT DROP" line then vsftpd becomes accessible. I googled several sources regarding opening up the correct ports in iptables to allow access to vsftpd and am pretty sure I entered the correct info. I would like to be able to use my firewall and vsftpd at the same time. Any help or shove in the right direction would be greatly appreciated. I am really stumped by this one and it pains me to have to go to bed with this unsolved, but mine eyes are tired and the screen be fuzzy.

unSpawn · 02-17-2013, 09:28 AM

Active FTP requires minimally TCP/21 (control) and TCP/20 (data). FTPS uses TCP/990. For PASV mode also see the pasv* settings in vsftpd .conf:

Code:

INPUT -P ACCEPT
FORWARD -P DROP
OUTPUT -P ACCEPT
INPUT -i lo -j ACCEPT
INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
INPUT -m state --state NEW -m limit --limit 3/s -j LOG --log-prefix "IN_inv "
INPUT -m state --state INVALID -j REJECT
INPUT -p tcp -s 192.168.1.0/24 -m state --state NEW --dport 80 -j ACCEPT
INPUT -p tcp -m multiport --dports 20:22,990 -m state --state NEW -j ACCEPT
INPUT -m state --state NEW -m limit --limit 3/s -j LOG --log-prefix "IN_rej "
INPUT -m state --state NEW -j REJECT

*You need to add some ICMP rules to the above.

**BTW if you post iptables rules it's better to post output of 'iptables-save'.

slackin1stimer · 02-17-2013, 04:08 PM

I think I found the problem. While googling I noticed a few posts re: CentOS and needing to "modprobe ip_conntrack_ftp" so I tried it and that has solved my problem. Slackin' off always teaches me something

And of course to enable the module at boot one can edit /etc/rc.d/rc.modules which thankfully included a line for ip_conntrack_ftp that only needed to be uncommented