Old 02-23-2011, 03:57 AM   #1
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Rep: Reputation: 15
passive ftp behind firewall


Hi

I have an FTP box behind a firewall (iptables). I'm using vsftpd and it works fine on the local network, but when accessing from outside (internet) it isn't working. Vsftpd listens on port 543 and I've also opened ports 12000:12003 for passive mode.
pasv_min_port=12000
pasv_max_port=12003

On the router I've made the following rule:
iptables -A INPUT -i 192.168.7.128 -m state --state NEW,ESTABLISHED,RELATED -p TCP -s 81.196.50.75 -d 192.168.7.128 --dport 12000:12003 -j ACCEPT
but sadly it doesn't work.
On the FTP machine I've stopped the firewall.

Any advice will be welcome.

Thanks.
 
Old 02-23-2011, 04:19 AM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Posts: 5,817

Rep: Reputation: 1002
Can you post the output of iptables -L from your router, and your vsftpd.conf file?
 
Old 02-23-2011, 04:51 AM   #3
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Original Poster
Rep: Reputation: 15
iptables -L :

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imap
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:2212
ACCEPT tcp -- 82.77.20.205 anywhere tcp dpt:ssh
ACCEPT tcp -- conextess2.iasi.rdsnet.ro anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

vsftpd.conf:


local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#userlist_deny=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
listen_port=543
#userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
check_shell=NO
pasv_min_port=12000
pasv_max_port=12003
 
Old 02-23-2011, 08:41 AM   #4
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Rep: Reputation: 69
Ok, you just need an iptables rule for FTP with connection tracking.

This one already shows that you have connection tracking set up.
Code:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Add something like this
Code:
iptables -I INPUT 6 -p tcp --dport 21 -m state --state NEW -j ACCEPT
This should take care of your issue. When iptables sees that somebody is establishing an FTP connection on port 21, it will tag the request as NEW. Once the TCP handshake occurs it tags that connection as ESTABLISHED. If using passive, those extra ports 12000-12003 will be opened with the RELATED tag. Iptables will automatically add these ports in the background because they are RELATED to the original FTP rule that I have listed above.
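The mechanism described in this reply, connection tracking admitting the passive data ports as RELATED to the control connection, depends on two things the thread's configuration does not satisfy as posted: the FTP helper only watches port 21 unless told about the non-standard listen_port (543 here), and it cannot read the PASV reply at all once the control channel is inside TLS (the posted vsftpd.conf has ssl_enable=YES and force_local_logins_ssl=YES), so the passive range then has to be opened explicitly. The script below is an added example and is not code posted by anyone in this thread. It reads the relevant keys out of a vsftpd.conf and prints the iptables rules for the INPUT chain of the host running vsftpd instead of applying them; the sample config is constructed from the thread's values and the WAN interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Reads the control port and passive range out of a vsftpd.conf and prints
# the iptables rules that let passive FTP through connection tracking.
# It prints instead of applying, so the result can be reviewed first and
# then piped to sh on the machine that runs vsftpd.

# Constructed sample config carrying the values from the thread's vsftpd.conf;
# a real run would read /etc/vsftpd/vsftpd.conf instead.
SAMPLE_CONF='listen=YES
listen_port=543
ssl_enable=YES
force_local_logins_ssl=YES
pasv_min_port=12000
pasv_max_port=12003'

# conf_get CONF KEY DEFAULT: value of the last uncommented "KEY=value" line,
# or DEFAULT when the key is absent.
conf_get() {
    val=$(printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# ftp_rules CONF WAN_IF: emit rules for the INPUT chain of the vsftpd host.
# WAN_IF is the interface facing the internet (eth0 below is an assumption).
# Returns 1 when the passive range is missing or inverted.
ftp_rules() {
    conf=$1
    wan=$2
    ctl=$(conf_get "$conf" listen_port 21)
    pmin=$(conf_get "$conf" pasv_min_port 0)
    pmax=$(conf_get "$conf" pasv_max_port 0)
    ssl=$(conf_get "$conf" ssl_enable NO)

    if [ "$pmin" -eq 0 ] || [ "$pmax" -lt "$pmin" ]; then
        echo "pasv_min_port/pasv_max_port missing or inverted" >&2
        return 1
    fi

    # The FTP helper only parses port 21 unless told otherwise, so a
    # non-standard control port has to be passed as a module parameter.
    echo "modprobe nf_conntrack_ftp ports=$ctl"
    # Since kernel 4.7 helpers are no longer assigned automatically; attach
    # the ftp helper to the control port explicitly in the raw table.
    echo "iptables -t raw -A PREROUTING -i $wan -p tcp --dport $ctl -j CT --helper ftp"
    # The control connection is the only NEW flow the server must accept.
    echo "iptables -A INPUT -i $wan -p tcp --dport $ctl -m conntrack --ctstate NEW -j ACCEPT"
    # Data connections are RELATED to the tracked control connection, so one
    # rule admits them, provided the helper could read the PASV reply.
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    if [ "$ssl" = "YES" ]; then
        # With TLS on the control channel the helper cannot see the
        # "227 Entering Passive Mode" reply, so no RELATED entry is created
        # and the passive range has to be opened explicitly.
        echo "iptables -A INPUT -i $wan -p tcp --dport $pmin:$pmax -m conntrack --ctstate NEW -j ACCEPT"
    fi
}

ftp_rules "$SAMPLE_CONF" eth0
```

Run against a plain-FTP config (ssl_enable=NO) the script emits only the helper and control-port rules and leaves the passive range closed, which is the situation this reply describes; against the thread's TLS config it adds the explicit range rule. Two points from the original post are worth checking against the output: `-i` in iptables takes an interface name, not the address 192.168.7.128 the posted rule gives it, and if vsftpd runs on a host behind the router rather than on the router itself, the equivalent matches belong in the router's FORWARD chain for the forwarded address, with the helper still attached in raw PREROUTING.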