iptables blocking access to ftp share

ginda · 01-28-2012, 07:07 PM

Hi all

I have vsftpd running on my machine (host1) which works fine, and the server also runs KVM. I created a KVM virtual machine which boots up fine, but when i point it to the ftp://192.168.1.2/pub (my servers ftp share) it just cannot communicate to it? When i disable iptables it works fine?

I have added ports 20 and 21 to my iptables please see below:

[/CODE]Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:tftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:syslog
ACCEPT udp -- anywhere anywhere udp dpt:tftp
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.122.0/24 anywhere tcp dpt:ftp
ACCEPT tcp -- 192.168.122.0/24 anywhere tcp dpt:ftp-data
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.0/24 state RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[/CODE]

anomie · 01-28-2012, 09:44 PM

Short answer: if your FTP clients will be using PASV, you may need to load the ip_conntrack_ftp module.

For the longer answer, read here: http://www.cyberciti.biz/faq/iptable...s-not-working/

My two cents answer: don't use FTP if you can help it.

ginda · 01-29-2012, 06:13 AM

Quote:

Originally Posted by anomie

Short answer: if your FTP clients will be using PASV, you may need to load the ip_conntrack_ftp module.

For the longer answer, read here: http://www.cyberciti.biz/faq/iptable...s-not-working/

My two cents answer: don't use FTP if you can help it.

OMG your 100% right, i did modprobe ip_conntrack_ftp and the install client downloaded the install.img file straight away.