I have a RHEL4 server configured with squid for http and https access.
This box has eth0 (IP 192.168.0.114) connected to the LAN and eth1 (IP 172.16.0.3) connected to an ADSL broadband router whose LAN IP is 172.16.0.1 and whose WAN IP is a static one.
This box works as a gateway and all client machines use it as their only gateway to access the internet. I can use everything (HTTP, HTTPS, SMTP and POP3) very well from the local machine and from all clients in the LAN except FTP, because the default configuration of squid allows me and the client machines to browse and download data, but not to upload.
Many of our LAN users use FTP client software to upload and download data, which doesn't work through my Linux box, as I could not figure out how to handle port 20 and port 21 for FTP.
Please help me get iptables to work for FTP, so that I can use FTP from any client FTP software.
-i would be your public interface. Change it to whatever is appropriate for you, for example if you only want your private LAN to access it, then replace it with the address.
I tried to FTP using the ACE FTP software on the 192.168.0.66 machine and watched the activity on the Linux gateway (192.168.0.114, the internal interface of the gateway) with iptables on it, with the help of the iptraf command.
The FTP request arrives on the eth0 interface and is immediately RESET.
There are two iptables entries that are required. The command you have entered will allow the initial ftp connection to IP port 21, but once this connection is established ftp will then pass control to another random IP port. The problem is that the secondary random port is being blocked.
To allow ftp traffic you need to activate connection tracking, then add the rules to iptables (I've assumed there are no iptables ftp rules):
1. enable ftp connection tracking:
edit /etc/sysconfig/iptables-config
modify IPTABLES_MODULES to include ip_conntrack_ftp
(i.e., IPTABLES_MODULES="ip_conntrack_ftp")
2. add iptables rules:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I have done this a couple of times and it worked for me.
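As an added example (not code from the thread), a small POSIX sh script that prints the full rule set for the gateway layout described in the first post, covering both the gateway's own FTP use (INPUT) and the LAN clients' FTP through it (FORWARD plus NAT); the interface names, the LAN range and the use of MASQUERADE are assumptions taken from the post. It refuses to print rules whose --state list contains a name iptables does not know (for example ESTABLISH instead of ESTABLISHED), which is the kind of typo that makes iptables reject the rule.

```shell
#!/bin/sh
# Constructed example for an FTP-aware gateway: eth0 = LAN side, eth1 = toward
# the ADSL router (assumed from the post). Override via environment if needed.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Returns 0 only when every comma-separated entry is a state the iptables
# "state" match accepts; anything else (e.g. ESTABLISH) returns 1.
valid_states() {
    old_ifs=$IFS
    IFS=,
    for s in $1; do
        case "$s" in
            NEW|ESTABLISHED|RELATED|INVALID|UNTRACKED) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Prints (does not run) the commands. Review them, then apply as root with:
#   ftp_gateway_rules | sh
# ip_conntrack_ftp is the RHEL4 module name; newer kernels call it nf_conntrack_ftp.
ftp_gateway_rules() {
    states="ESTABLISHED,RELATED"
    valid_states "$states" || return 1
    cat <<EOF
modprobe ip_conntrack_ftp
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state $states -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -m state --state $states -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}
```

The RELATED state is what lets the helper-tracked data connection (port 20 in active mode, a random port in passive mode) through without opening those ports permanently, so the module line and the ESTABLISHED,RELATED rules must both be present.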
I have tried the commands given by you for FTP to work through iptables.
But there is a strange problem.
I am using the ACE FTP software. Before using the commands given by you it was not even connecting to the gateway machine.
But now it tries to connect and after a few seconds it comes out with a message:
421 proxy tried to loop, Closing connection
Failed to connect to firewall.
1. In separate terminal windows (it's just easier):
tail -f /var/log/messages > /tmp/messages.ftp_problem
tail -f /var/log/secure > /tmp/secure.ftp_problem
2. While both the "tail -f" are running attempt to connect to the ftp server.
3. Post the contents of /tmp/messages.ftp_problem, /tmp/secure.ftp_problem, a capture of your ftp session, and the output of "iptables -L".
Thanks, friend.
Finally the rule set given by you worked.
Actually my FTP client was wrongly configured. I adjusted the FTP client settings and it worked.
Many, many thanks.
But I need to learn iptables in detail. Can you suggest any book or any document on the net for that?
If you do not mind, can I have your mail ID so that I can contact you for any problem regarding Linux, iptables and other things?
And yes, I would like to share my knowledge also. If you have any queries and if it is possible for me to provide you a solution, I will definitely do that.
I'm not sure which books are better (or not) as I haven't actually read any of them, just the training notes of when I was doing my RHCE followed by playing around and breaking it then fixing it. So really unsure which to recommend or stay away from. Maybe there are some suggestions from others in the LQ family?
As for the email address, I'm extremely wary of publishing my email address in web forums, simply to stop any possible spam from those nasty little web trawlers that might be out there. I'll find another way of getting in touch with you though.