LinuxQuestions.org
Old 09-13-2011, 01:38 AM   #1
ramecare
Member
 
Registered: Feb 2011
Posts: 179

Rep: Reputation: 0
Firewall problem while connecting ftp


Dear all,
Error: Connection timed out
Error: Failed to retrieve directory listing

I have configured an iptables firewall rule on a Linux server. The firewall is enabled and I have opened port 21 for FTP, but I was not able to access FTP, and I have checked that FTP is running on port 21 only. I searched Google for a solution but was not able to find one. Can anyone help me with this issue?

Given below is my iptables configuration file.


[root@ram ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Tue Sep 13 11:40:31 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [639194:1105072488]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -s 69.33.55.89 -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -s 102.88.211.8 -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -s 69.33.55.89 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -s 102.88.211.8 -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Sep 13 11:40:31 2011

Thanks in advance,

Last edited by ramecare; 09-13-2011 at 03:47 AM.
 
Old 09-13-2011, 03:33 AM   #2
zackwasa
Member
 
Registered: Sep 2011
Posts: 52

Rep: Reputation: Disabled
Try opening port 20 as well. Also, please tell us what error you get when trying to connect via FTP.

RMI

Last edited by zackwasa; 01-12-2012 at 12:56 AM.
 
Old 09-13-2011, 04:20 AM   #3
rodrifra
Member
 
Registered: Mar 2007
Location: Spain
Distribution: Debian
Posts: 202

Rep: Reputation: 36
I think you should add a rule like

-A RH-Firewall-1-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 
Old 09-13-2011, 06:51 AM   #4
ramecare
Member
 
Registered: Feb 2011
Posts: 179

Original Poster
Rep: Reputation: 0
When I try logging in to FTP from the command prompt I was able to log in, but through a GUI like FileZilla and Internet Explorer I was not able to log in. Can anyone help me with this? Below is the error I am getting while connecting to the server through FTP:

Status: Connecting to 88.25.66.15:21...
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 2.0.5)
Command: USER ecare
Response: 331 Please specify the password.
Command: PASS *******
Response: 230 Login successful.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: 211 End
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/opt/apps"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (78,31,69,165,124,248)
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing


Thanks

Last edited by ramecare; 09-13-2011 at 07:01 AM.
 
Old 09-14-2011, 04:19 AM   #5
zackwasa
Member
 
Registered: Sep 2011
Posts: 52

Rep: Reputation: Disabled
Did you open port 20? You need to configure your FTP server to use a certain port range for passive connections and then open that port range in the firewall as well.

Since you are using vsftpd you need to add this to vsftpd.conf:
Code:
pasv_max_port=51000
pasv_min_port=50000
and for the firewall:
Code:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 50000:51000 -j ACCEPT
RMI

Last edited by zackwasa; 01-12-2012 at 12:56 AM.
 
1 members found this post helpful.
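
An added example, not part of any post in this thread: it decodes the 227 reply from post #4 into the data port the client must reach and runs that port through the NEW-state accept rules from post #1, with and without the range rule from post #5. The rule matcher is a simplified first-match model written for this illustration, and it assumes no FTP connection-tracking helper is marking the data connection as RELATED.

```python
import re

# Constructed sample input, copied from the thread: the 227 reply and control
# address in post #4, the dport rules in post #1, the range rule in post #5.
PASV_REPLY = "227 Entering Passive Mode (78,31,69,165,124,248)"
CONTROL_HOST = "88.25.66.15"
RULES_BEFORE = """\
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
RULES_AFTER = ("-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp "
               "--dport 50000:51000 -j ACCEPT\n") + RULES_BEFORE


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; port = p1 * 256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m or not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range in %r" % reply)
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]


def verdict(rules, port):
    """First-match target for a NEW TCP connection to `port` from any source.

    Simplified model (assumption): only '-p tcp --dport N[:M]' rules without
    '-s' and unconditional catch-all rules are evaluated; others are skipped.
    """
    for line in rules.splitlines():
        t = line.split()
        if not t or t[0] != "-A" or "-s" in t or "-j" not in t:
            continue
        target = t[t.index("-j") + 1]
        if "--dport" in t:
            if "-p" not in t or t[t.index("-p") + 1] != "tcp":
                continue
            lo, _, hi = t[t.index("--dport") + 1].partition(":")
            if int(lo) <= port <= int(hi or lo):
                return target
        elif not {"-p", "-i", "-m"} & set(t):
            return target  # e.g. the final REJECT rule
    return "POLICY"
```

The decoded address also shows that the server advertises 78.31.69.165 for data while the client connected to 88.25.66.15 for control, so comparing `parse_pasv(PASV_REPLY)[0]` with `CONTROL_HOST` is worth doing alongside the port check.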
  

