passive ftp behind firewall
Hi
I have an FTP box behind a firewall (iptables). I'm using vsftpd and it works fine on the local network, but when accessing from outside (internet) it isn't working. vsftpd listens on port 543 and I've also opened ports 12000:12003 for passive mode.
Code:
pasv_min_port=12000
pasv_max_port=12003
On the router I've made the following rule:
Code:
iptables -A INPUT -i 192.168.7.128 -m state --state NEW,ESTABLISHED,RELATED -p TCP -s 81.196.50.75 -d 192.168.7.128 --dport 12000:12003 -j ACCEPT
but sadly it doesn't work. On the FTP machine I've stopped the firewall. Any advice will be welcome. Thanks.
Can you post the output of iptables -L from your router, and your vsftpd.conf file?
iptables -L:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source                     destination
ACCEPT     tcp  --  anywhere                   anywhere            tcp dpt:http
ACCEPT     all  --  anywhere                   anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere                   anywhere
ACCEPT     all  --  anywhere                   anywhere
ACCEPT     all  --  anywhere                   anywhere
ACCEPT     tcp  --  anywhere                   anywhere            state NEW tcp dpt:imap
ACCEPT     tcp  --  anywhere                   anywhere            state NEW tcp dpt:imaps
ACCEPT     tcp  --  anywhere                   anywhere            state NEW tcp dpt:pop3
ACCEPT     tcp  --  anywhere                   anywhere            state NEW tcp dpt:pop3s
ACCEPT     tcp  --  anywhere                   anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere                   anywhere            state NEW tcp dpt:http
ACCEPT     udp  --  anywhere                   anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere                   anywhere            state NEW tcp dpt:2212
ACCEPT     tcp  --  82.77.20.205               anywhere            tcp dpt:ssh
ACCEPT     tcp  --  conextess2.iasi.rdsnet.ro  anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere                   anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source                     destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                     destination

vsftpd.conf:
Code:
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#userlist_deny=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
listen_port=543
#userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
check_shell=NO
pasv_min_port=12000
pasv_max_port=12003
OK, you just need an iptables rule for FTP with connection tracking.
This one already shows that you have connection tracking set up. Code:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Code:
iptables -I INPUT 6 -p tcp --dport 21 -m state --state NEW -j ACCEPT
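An added worked example for the setup in this thread (editor's code, not posted by either participant). Three things in the original post and reply are worth checking against the page itself: the posted rule gives `-i` an IP address, but `-i` takes an interface name; the rule sits in the router's INPUT chain, which only sees packets addressed to the router, while the FTP box (192.168.7.128) is a separate host behind it, so its traffic needs a DNAT in nat/PREROUTING and is then filtered in FORWARD; and the vsftpd.conf has `force_local_logins_ssl=YES`, so the control channel is TLS and the kernel's FTP conntrack helper cannot read the `227` PASV reply to mark the data connection RELATED, which is why the 12000:12003 range must be opened explicitly and why the server must advertise the public address (vsftpd's `pasv_address` option) rather than 192.168.7.128. The reply's rule uses port 21; this server listens on 543. The script below decodes PASV replies (port = p1*256 + p2), checks one against the posted range, and prints the router rules; the WAN interface name and the sample PASV replies are assumptions/constructed input, the ports and addresses are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Values from the original post;
# WAN_IF is an assumption about the router.
FTP_HOST=192.168.7.128
CTRL_PORT=543
PASV_MIN=12000
PASV_MAX=12003
WAN_IF=eth0   # assumption: router's internet-facing interface

# Decode "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Prints "ip port" (port = p1*256 + p2); returns 1 if not a 227 reply.
pasv_decode() {
    case $1 in 227*) ;; *) return 1 ;; esac
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(($5 * 256 + $6))
}

# Check a PASV reply against the configured range and flag an RFC 1918
# address, which an internet client cannot connect back to.
# Returns 0 ok, 1 misconfiguration, 2 not a PASV reply.
pasv_check() {
    out=$(pasv_decode "$1") || { echo "not a PASV reply"; return 2; }
    ip=${out% *}; port=${out#* }
    if [ "$port" -lt "$PASV_MIN" ] || [ "$port" -gt "$PASV_MAX" ]; then
        echo "port $port outside $PASV_MIN-$PASV_MAX"; return 1
    fi
    case $ip in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "private address $ip advertised; set pasv_address in vsftpd.conf"
            return 1 ;;
    esac
    echo "ok $ip:$port"
}

# Print (not run) the router rules: DNAT control port and passive range to
# the FTP host, allow the NEW connections in FORWARD, keep state for the rest.
ftp_rules() {
    for p in "$CTRL_PORT" "$PASV_MIN:$PASV_MAX"; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $FTP_HOST"
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $FTP_HOST --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample replies: what the server sends if it advertises its LAN
# address, and what it should send once pasv_address is the public address.
pasv_check '227 Entering Passive Mode (192,168,7,128,46,224)'
pasv_check '227 Entering Passive Mode (81,196,50,75,46,227)'
ftp_rules
```

Run it on the router as a dry run; pipe `ftp_rules` into `sh` only after checking the interface name. To see what the server really advertises, connect from outside with a client in verbose mode and feed its `227` line to `pasv_check`.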