iptables blocking access to ftp share
Hi all
I have vsftpd running on my machine (host1) which works fine, and the server also runs KVM. I created a KVM virtual machine which boots up fine, but when I point it to ftp://192.168.1.2/pub (my server's FTP share) it just cannot communicate with it. When I disable iptables it works fine. I have added ports 20 and 21 to my iptables, please see below:

[CODE]
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:tftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:syslog
ACCEPT     udp  --  anywhere             anywhere            udp dpt:tftp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     tcp  --  192.168.122.0/24     anywhere            tcp dpt:ftp
ACCEPT     tcp  --  192.168.122.0/24     anywhere            tcp dpt:ftp-data
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[/CODE]
Short answer: if your FTP clients will be using PASV, you may need to load the ip_conntrack_ftp module.
For the longer answer, read here: http://www.cyberciti.biz/faq/iptable...s-not-working/

My two cents answer: don't use FTP if you can help it. :)
Quote:
OMG you're 100% right, I did modprobe ip_conntrack_ftp and the install client downloaded the install.img file straight away.
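Why loading ip_conntrack_ftp resolved this, as an added example that is not part of the original thread: a simplified first-match walk over the INPUT chain posted above, comparing a passive data connection with and without the helper. The rule subset, the passive port 50321, the interface name `virbr0` and the reading of the bare "ACCEPT all" line as the loopback rule are assumptions.

```python
# Constructed sample: the INPUT rules from the question, reduced to the ones
# that decide FTP traffic. Fields: (target, proto, dport, states, in_iface).
# Assumption: the bare "ACCEPT all" line is the loopback rule (-i lo);
# `iptables -L` without -v does not print the interface column.
INPUT_CHAIN = [
    ("ACCEPT", "tcp", 21, None, None),                          # tcp dpt:ftp
    ("ACCEPT", "tcp", 20, None, None),                          # tcp dpt:ftp-data
    ("ACCEPT", "all", None, {"RELATED", "ESTABLISHED"}, None),
    ("ACCEPT", "icmp", None, None, None),
    ("ACCEPT", "all", None, None, "lo"),
    ("ACCEPT", "tcp", 22, {"NEW"}, None),                       # state NEW tcp dpt:ssh
    ("REJECT", "all", None, None, None),
]

def conntrack_state(dport, expected_ports):
    """State conntrack gives the first packet of a connection (simplified).

    With the FTP helper loaded, the kernel reads the server's PASV reply on
    the control channel and registers an expectation for the advertised data
    port, so the client's connection to that port is RELATED, not NEW.
    """
    return "RELATED" if dport in expected_ports else "NEW"

def verdict(chain, proto, dport, state, iface="virbr0", policy="ACCEPT"):
    """Return the target of the first matching rule, as iptables does."""
    for target, r_proto, r_dport, r_states, r_iface in chain:
        if r_proto not in ("all", proto):
            continue
        if r_dport is not None and r_dport != dport:
            continue
        if r_states is not None and state not in r_states:
            continue
        if r_iface is not None and r_iface != iface:
            continue
        return target
    return policy

def passive_transfer(helper_loaded, pasv_port=50321):
    """Verdicts for (control connection, passive data connection)."""
    expected = {pasv_port} if helper_loaded else set()
    control = verdict(INPUT_CHAIN, "tcp", 21, conntrack_state(21, expected))
    data = verdict(INPUT_CHAIN, "tcp", pasv_port,
                   conntrack_state(pasv_port, expected))
    return control, data

if __name__ == "__main__":
    print("helper not loaded:", passive_transfer(False))
    print("helper loaded:    ", passive_transfer(True))
```

The dpt:ftp-data rule never matches in passive mode, because the client connects to a high port chosen by the server rather than to port 20.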