LinuxQuestions.org


ginda 01-28-2012 07:07 PM

iptables blocking access to ftp share
 
Hi all

I have vsftpd running on my machine (host1) which works fine, and the server also runs KVM. I created a KVM virtual machine which boots up fine, but when I point it to ftp://192.168.1.2/pub (my server's ftp share) it just cannot communicate with it? When I disable iptables it works fine?

I have added ports 20 and 21 to my iptables, please see below:

[CODE]
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:tftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:syslog
ACCEPT udp -- anywhere anywhere udp dpt:tftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.122.0/24 anywhere tcp dpt:ftp
ACCEPT tcp -- 192.168.122.0/24 anywhere tcp dpt:ftp-data
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[/CODE]

anomie 01-28-2012 09:44 PM

Short answer: if your FTP clients will be using PASV, you may need to load the ip_conntrack_ftp module.

For the longer answer, read here: http://www.cyberciti.biz/faq/iptable...s-not-working/

My two cents answer: don't use FTP if you can help it. :)
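To see why loading the helper fixes it, here is an added example (not from the thread or from any iptables tool) that walks a packet through a constructed copy of the INPUT chain from the first post, with and without the FTP conntrack helper; the data port 52317 is made up, and the interface-only "ACCEPT all" rule is omitted because `iptables -L` hides interface matches.

```python
import re

# Constructed from the INPUT chain in the original post ('iptables -L' output). The bare
# "ACCEPT all" rule is left out: -L hides interface matches and it is the usual "-i lo".
INPUT_CHAIN = """\
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""
SERVICES = {"ftp": 21, "ftp-data": 20, "ssh": 22}  # service names as printed by -L


def parse_rule(line):
    """Pull target, protocol, destination port and conntrack states out of one -L line."""
    target, proto = line.split()[:2]
    dport = re.search(r"dpt:(\S+)", line)
    states = re.search(r"state (\S+)", line)
    return {
        "target": target,
        "proto": proto,
        "dport": (SERVICES.get(dport.group(1)) or int(dport.group(1))) if dport else None,
        "states": set(states.group(1).split(",")) if states else None,
    }


CHAIN = [parse_rule(l) for l in INPUT_CHAIN.splitlines() if l.strip()]


def classify(chain, proto, dport, state):
    """Return the target of the first rule matching the packet, else the chain policy."""
    for rule in chain:
        if rule["proto"] not in ("all", proto):
            continue
        if rule["dport"] is not None and rule["dport"] != dport:
            continue
        if rule["states"] is not None and state not in rule["states"]:
            continue
        return rule["target"]
    return "ACCEPT"  # policy ACCEPT in the original listing


def passive_data_verdict(chain, helper_loaded, data_port=52317):
    """Verdict for the VM connecting to the server-chosen PASV data port (52317 is made up).
    Without the FTP helper the flow is NEW and falls to the final REJECT; with it, conntrack
    read the PASV reply on port 21 and marks the flow RELATED, which the state rule accepts.
    """
    return classify(chain, "tcp", data_port, "RELATED" if helper_loaded else "NEW")
```

On kernels from 4.7 onward, loading the module (now nf_conntrack_ftp) is no longer enough by itself, because automatic helper assignment is off by default; the helper has to be attached explicitly, e.g. `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`.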

ginda 01-29-2012 06:13 AM

Quote:

Originally Posted by anomie (Post 4587140)
Short answer: if your FTP clients will be using PASV, you may need to load the ip_conntrack_ftp module.

For the longer answer, read here: http://www.cyberciti.biz/faq/iptable...s-not-working/

My two cents answer: don't use FTP if you can help it. :)


OMG you're 100% right, I did modprobe ip_conntrack_ftp and the install client downloaded the install.img file straight away.

