iptables and ftp

DBabo · 12-15-2009, 10:13 PM

Hello,
i'm a bit puzzled. It appears that i can't connect from the same machine where my ftp server runs to self ( ftp server), if i'm going through the external ip. In other words:
server> ftp server - works fine.
server> ftp 68.197.XXX.XXX:210 opens the connection, i can log in but can't retrieve any data from the dirs.

At the same time i can connect to the external ip from another machine on my local network.

Setup:
Ports 200 and 210 are forwarded to 20 and 21 on the server.
vsftpd is running as a separate service on the server.
"server" is the name of the machine.

iptables:
in /etc/sysconfig/iptables-config, last line :

Code:

# To support passive FTP
IPTABLES_MODULES="ip_conntrack_ftp"

snip from the iptables rules:

Code:

#!/bin/sh -x
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

IPT="/sbin/iptables"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT


$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

#FTP
$IPT -A INPUT -p TCP -i eth0 --dport 21 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 --dport 20 -m state --state NEW -j ACCEPT

<skip>

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A OUTPUT -o lo -j ACCEPT

<skip>

$IPT -A OUTPUT -p TCP -o eth0 --dport 200:210 -m state --state NEW -j ACCEPT
<skip>
$IPT -A OUTPUT -j ULOG --ulog-prefix "OUTPUT DROP: "

all this works wonderfully when i connect from another machine on the local net.
once i try to go to the server's ftp using ftp client or firefox (pointing to the external IP)

Code:

...
Dec 15 23:07:42 server OUTPUT DROP:  IN= OUT=eth0 MAC= SRC=192.168.1.204 DST=68.197.XXX.XXX LEN=52 TOS=00 PREC=0x00 TTL=64 ID=38587 CE DF PROTO=TCP SPT=50649 DPT=210 SEQ=1325421182 ACK=1331453252 WINDOW=46 ACK PSH FIN URGP=0

and after i start the service:

Code:

smod | grep conn*
ip_conntrack_ftp       11569  0
ip_conntrack           53281  4 ip_conntrack_ftp,iptable_nat,ip_nat,xt_state
nfnetlink              10713  2 ip_nat,ip_conntrack

I'm not sure why...

datopdog · 12-16-2009, 01:05 AM

This should fix it.

change

Code:

$IPT -A OUTPUT -p TCP -o eth0 --dport 200:210 -m state --state NEW -j ACCEPT

to

Code:

$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dports 200,210 -m state --state NEW -j ACCEPT

DBabo · 12-24-2009, 05:18 PM

Quote:

Originally Posted by datopdog

This should fix it.

change

Code:

$IPT -A OUTPUT -p TCP -o eth0 --dport 200:210 -m state --state NEW -j ACCEPT

to

Code:

$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dports 200,210 -m state --state NEW -j ACCEPT

Datopdog,
thank you for pointing out! i just got to this -sorry about delay. I'll ask my friend to test.
Thank you and Merry Christmas.

elsheepo · 12-24-2009, 05:35 PM

http://connie.slackware.com/~alien/efg/

DBabo · 12-24-2009, 06:25 PM

elsheepo - that's one kick a$$ script. Thank you!

elsheepo · 12-24-2009, 08:46 PM

Dbabo, please, thank the Author, he is a really cool dude. irc.freenode.net / ##slackware look for AlienBOB
and btw, yea that script dose kick a$$. Chalk one up for the slackware users :P

SLACKWARE FTW!!

DBabo · 08-11-2010, 08:16 PM

Quote:

Originally Posted by elsheepo

Dbabo, please, thank the Author, he is a really cool dude. irc.freenode.net / ##slackware look for AlienBOB
and btw, yea that script dose kick a$$. Chalk one up for the slackware users :P

SLACKWARE FTW!!

Just did. thank you