Can't connect via FTP on my LAN... this is my iptables config...
LinuxQuestions.org > Linux - Security. This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hi, I can't access FTP on my LAN. I have 2 hosts: one with Linux is the gateway on eth0, the other is my personal PC connected to eth1. I configured iptables so:
# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*filter
:INPUT DROP [53:5664]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [857:85837]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s xxxxxxxx/xxxxxxxxx -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Jan 24 11:45:26 2005
# Generated by iptables-save v1.2.9 on Mon Jan 24 11:45:26 2005
*nat
:PREROUTING ACCEPT [88:5432]
:POSTROUTING ACCEPT [31:4334]
:OUTPUT ACCEPT [122:12260]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 24 11:45:26 2005
...why is FTP not working? Maybe I need to configure some iptables command for eth1?
Note: I'm an Italian Linux beginner... thanks for any help!
A number of FTP servers run in PASV mode, which means you have to open up several higher-numbered ports as well as 21. On my system (ProFTP) I can lock the passive port range, so I've opened 50000-51000 in the firewall as well.
If you're doing this you probably want to look into chrooting ftp as a security precaution.
OK, let's see if I have this straight... The FTP server has two Ethernet cards, eth0 (which is your Internet interface) and eth1, which is your LAN interface. You want to allow FTP access from your LAN only (eth1).
If this is the case, the problem with your firewall is with the -i flag. So in your firewall you have
That was my intention, thanks... I will try it... even if I already tried that... in another forum people told me to add rules in the FORWARD chain... I'll tell you.
Last edited by loboautoma; 01-25-2005 at 11:45 AM.
You also need to open port 20 and ports below 1024, as far as I know.
A PC connects on port 21, but after that the server and the client will communicate on a higher port (>1023).
I have an FTP server too, and it didn't work until I opened up those ports,
so i have something like this in my firewall script:
iptables -A INPUT -i eth1 -p tcp --dport 1024:65000 -j ACCEPT
You have got to be kidding. I would argue that is no longer a firewall, but rather a TCP packet annoyance system.
There is absolutely no reason to have that many ports open for one program. Have a read through your server's documentation and find out how to narrow that down. If your server doesn't allow you to restrict the PASV ports, I would find a new server.
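As an added example (not code from any poster in this thread), here is a small Python evaluator for the INPUT chain of the iptables-save dump posted above. It walks the rules in first-match order the way the kernel does and falls through to the chain policy, so you can see both points the replies make: a SYN to port 21 arriving on eth1 never reaches an ACCEPT rule, because every port rule is bound to -i eth0, and a server-locked passive range on the LAN interface reopens about a thousand ports instead of the 1024:65000 range. The script leaves out the rule with the masked -s address (its network is unknown), models only the matches the posted rules use, and the LAN interface name and passive range it adds (eth1, 50000:51000) are assumptions taken from the posts.

```python
"""Evaluate packets against the INPUT chain of an iptables-save dump (first match wins,
then chain policy). Added example for this thread, not any poster's code; it supports
only the matches in the posted rules: -i, -p, --dport, -m state --state, ! --tcp-option."""
import shlex
from dataclasses import dataclass

# INPUT chain of the poster's filter table. The rule with the masked
# '-s xxxxxxxx/xxxxxxxxx' source is left out because its network is unknown.
THREAD_RULES = """
:INPUT DROP [53:5664]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
"""

@dataclass
class Packet:
    iface: str
    proto: str
    dport: int
    state: str = "NEW"                       # conntrack state
    tcp_options: frozenset = frozenset({2})  # option 2 = MSS, carried on SYN segments

def syn(iface, dport):
    """Connection-opening segment arriving on iface."""
    return Packet(iface, "tcp", dport)

def data(iface, dport):
    """Mid-connection segment: conntrack ESTABLISHED, no MSS option."""
    return Packet(iface, "tcp", dport, "ESTABLISHED", frozenset())

def parse_rule(tokens):
    """'-A INPUT ...' tokens (minus '-A INPUT') -> dict of matches plus target."""
    rule, negate, i = {}, False, 0
    while i < len(tokens):
        tok, val = tokens[i], tokens[i + 1]
        if tok == "!":                       # negates the match that follows
            negate, i = True, i + 1
            continue
        if tok == "-j":                      # target; its own options are ignored
            rule["target"] = val
            break
        if tok in ("-i", "-p"):
            rule[{"-i": "iface", "-p": "proto"}[tok]] = val
        elif tok == "--dport":               # single port or lo:hi range
            lo, _, hi = val.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif tok == "--state":
            rule["state"] = set(val.split(","))
        elif tok == "--tcp-option":
            rule["tcp_option"] = (int(val), negate)
        negate, i = False, i + 2             # '-m tcp' and friends fall through here
    return rule

def parse_input_chain(dump):
    """(policy, rules) for the INPUT chain of an iptables-save dump."""
    lines = dump.splitlines()
    policy = next(l.split()[1] for l in lines if l.startswith(":INPUT "))
    rules = [parse_rule(shlex.split(l)[2:]) for l in lines if l.startswith("-A INPUT ")]
    return policy, rules

def matches(r, p):
    """Every match the rule names must hold; a negated --tcp-option holds when absent."""
    if r.get("iface", p.iface) != p.iface or r.get("proto", p.proto) != p.proto:
        return False
    if "dport" in r and not r["dport"][0] <= p.dport <= r["dport"][1]:
        return False
    if "state" in r and p.state not in r["state"]:
        return False
    return "tcp_option" not in r or (r["tcp_option"][0] in p.tcp_options) != r["tcp_option"][1]

def first_match(policy, rules, p):
    """Walk the chain top to bottom like the kernel; (target, rule number or None)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, p):
            return rule["target"], n
    return policy, None

def verdict(dump, p):
    return first_match(*parse_input_chain(dump), p)

def open_tcp_ports(dump, iface):
    """How many TCP ports a fresh SYN arriving on iface can reach."""
    policy, rules = parse_input_chain(dump)
    return sum(first_match(policy, rules, syn(iface, port))[0] == "ACCEPT"
               for port in range(1, 65536))

def add_lan_ftp(dump, lan_if, pasv_lo, pasv_hi):
    """Accept replies, port 21 and a server-locked passive range on the LAN interface,
    placed right after the loopback rule so they sit ahead of the tcp-reset REJECT."""
    new = [f"-A INPUT -i {lan_if} -m state --state RELATED,ESTABLISHED -j ACCEPT",
           f"-A INPUT -i {lan_if} -p tcp -m tcp --dport 21 -j ACCEPT",
           f"-A INPUT -i {lan_if} -p tcp -m tcp --dport {pasv_lo}:{pasv_hi} -j ACCEPT"]
    lines = dump.splitlines()
    at = next(i for i, l in enumerate(lines) if l.startswith("-A INPUT -i lo ")) + 1
    return "\n".join(lines[:at] + new + lines[at:])
```

With the posted rules, verdict(THREAD_RULES, syn("eth1", 21)) comes back as ('DROP', None) from the chain policy, and an established segment on eth1 is reset by the '! --tcp-option 2' rule because the RELATED,ESTABLISHED accept is also bound to eth0. After add_lan_ftp(THREAD_RULES, "eth1", 50000, 51000) the same SYN hits the new port-21 rule, the passive range stays closed on eth0, and open_tcp_ports on eth1 counts 1002 ports, against the 63978 that a 1024:65000 rule would leave reachable.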