LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 08-24-2015, 08:59 AM   #1
jzoudavy
Member
 
Registered: Apr 2012
Distribution: Ubuntu, SUSE, Redhat
Posts: 188

Rep: Reputation: Disabled
need help making sense of this iptable rule that's blocking ftp


Hi experts

I got the following set of rules:

Code:
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state 
RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW 
tcp dpt:telnet
ACCEPT tcp -- anywhere anywhere state NEW 
tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with 
icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp 
ctstate ESTABLISHED /* Allow ftp connections on port 21 */

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with 
icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
But for some reason, it blocks FTP on port 21. which is weird because the line where it is suppose to allow FTP. And ping and ssh are still allowed.

Can anyone help me make sense of why that is?

Thanks
 
Old 08-24-2015, 10:50 AM   #2
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,792

Rep: Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218Reputation: 2218
Why do you have a "ctstate ESTABLISHED" qualifier on that rule. That's not going to allow new connections, and packets for ESTABLISHED connections were already allowed in the "state RELATED,ESTABLISHED" rule above.

And please, when posting iptables rule sets, include the "-v" option with "--list" (or "-L"), or else just post the output from "iptables save". Without that, the "in" and "out" interface qualifiers are not shown, making the ruleset sometimes incomprehensible.
 
Old 08-24-2015, 12:04 PM   #3
jzoudavy
Member
 
Registered: Apr 2012
Distribution: Ubuntu, SUSE, Redhat
Posts: 188

Original Poster
Rep: Reputation: Disabled
ok thanks
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Does this firewall rule make sense? yzT! Linux - Networking 1 03-03-2014 12:44 PM
GUI Firewall FTP Rule / IPTABLE!!! kaspro Red Hat 10 07-12-2013 07:23 AM
[SOLVED] iptable rule amartlk Linux - Newbie 2 12-18-2011 10:36 PM
iptable how many rule iptable can manage toure32 Linux - Networking 1 05-13-2010 04:34 AM
iptable rule vinaytp Linux - Newbie 1 10-26-2009 01:39 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 06:20 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration