LinuxQuestions.org
Old 05-31-2014, 07:47 AM   #1
postcd
Member
 
Registered: Oct 2013
Posts: 527

Rep: Reputation: Disabled
How to allow FTP in iptables?


Hello,

I tried:

iptables -I INPUT -p tcp --dport 49152:65534 -j ACCEPT

(That port range I have set in my ProFTPd config file, and proftpd restarted.)

I log in successfully to the server via FTP, but when I do some command like "ls", it says:

227 Entering Passive Mode (ipaddresshere)
Active mode returns "425 Unable to build data connection: Connection timed out"

I also tried to flush iptables and use these rules: http://www.tuxradar.com/answers/80

but still the same.

Last edited by postcd; 05-31-2014 at 07:58 AM.
 
Old 05-31-2014, 08:32 AM   #2
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 874
Perhaps add the same rule for OUTPUT as well? Depending on what the rest of the firewall does.
 
Old 05-31-2014, 08:42 AM   #3
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 874
From your link the newer iptables syntax might replace:
-m state --state

with:
-m conntrack --ctstate

depending on your distro and age of things.

# iptables-save

can hint at what the actual rules in play are on your system.
 
Old 05-31-2014, 08:43 AM   #4
postcd
Member
 
Registered: Oct 2013
Posts: 527

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Shadow_7
Perhaps add the same rule for OUTPUT as well? Depending on what the rest of the firewall does.
OK, I tried that, and now the ruleset is:
Quote:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp spt:ftp state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:49152:65535 dpts:65534:65535 state ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1024:65535 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spts:49152:65535 dpts:65534:65535 state RELATED,ESTABLISHED
But same issue; help please?

Then I flushed the rules and tried again, and this:

Quote:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp spt:ftp-data state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpts:49152:65534
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data state ESTABLISHED
But it still doesn't work. I log in via FTP, but passive/active, nothing is returned when I do any command... just timeout. Is the iptables kernel FTP module required on a VPS?

Last edited by postcd; 05-31-2014 at 08:48 AM.
 
Old 05-31-2014, 09:14 AM   #5
postcd
Member
 
Registered: Oct 2013
Posts: 527

Original Poster
Rep: Reputation: Disabled
Thanks, I don't think ip_conntrack and ip_conntrack_ftp are compiled into the kernel. This is a VPS. So FTP can't work without these, no workaround?
 
Old 05-31-2014, 03:45 PM   #6
Shadow_7
Senior Member
 
Registered: Feb 2003
Distribution: debian
Posts: 4,137
Blog Entries: 1

Rep: Reputation: 874
I assume it works if there is no firewall in use?

You might check tcpdump to see what packets are not making it over. On the server and client and compare them. I've only done ftp over port 20 and 21 the defaults. And I'm more of an app guy than a network one.
 
Old 06-01-2014, 07:15 AM   #7
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
The problem is FTP uses two TCP connections - the client makes the initial connection (the command channel)... then the server makes a connection back to the client (the data channel).

Passive mode reverses the order of the establishment of the data channel requiring the client to make a SECOND connection using a port specified by the server through the command channel. This second channel is unique for each client - and makes having a firewall work (for the server) a bit tricky. It has to monitor the command channel to pick up the port number of the data channel, and essentially dynamically create a rule to allow it.

http://www.slacksite.com/other/ftp.html

You can try the rules shown in:

http://unix.stackexchange.com/questi...w-incoming-ftp

Without using passive mode, FTP will not work through a network address translation router.

As you can see from the rules, it opens up the server to a LOT of unused port possibilities.

Last edited by jpollard; 06-01-2014 at 07:19 AM.
 
Old 06-01-2014, 07:26 AM   #8
postcd
Member
 
Registered: Oct 2013
Posts: 527

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by jpollard
Which rules on that page do you exactly mean? I think I already tried those in the topmost answer on that page.

Quote:
Without using passive mode, FTP will not work through a network address translation router.
Why won't active work? How to make it work, please?
 
Old 06-01-2014, 09:25 PM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Quote:
Originally Posted by postcd
Which rules on that page do you exactly mean? I think I already tried those in the topmost answer on that page.
The one identified as the best answer (the green check marked one)
Quote:

Why won't active work? How to make it work, please?
Active CANNOT work reliably. The problem is that the NAT router blocks the data channel.

Now if the NAT is only one level deep (as in the IP number on the outside of the NAT device is a public IP number, AND the ISP permits) then the NAT can usually be modified to track connection states for ftp. But that means it has to examine every connection, and all the packets associated with the protocol (because of the complication this does, many don't do it). Since the data channel in active mode requires the client to open and listen on a socket for a connection from the FTP server, the NAT device automatically blocks such connections. For any given connection, it doesn't know what the data channel should be. This is the reason the NAT device has to monitor FTP connections for the transmission of the packet that tells the FTP server what socket to use for the data channel... The NAT device must replace that port with one of its choosing (because there could be two or more FTP sessions that could use the same port from two (or more) clients). Once that port is identified, the NAT router can forward the connection actually used to the client's chosen port (which, as I said, may not be the same).

This is a complicated bit of routing... and some routers don't/won't do it.

Last edited by jpollard; 06-01-2014 at 09:27 PM.
 
Old 06-02-2014, 04:49 AM   #10
postcd
Member
 
Registered: Oct 2013
Posts: 527

Original Poster
Rep: Reputation: Disabled
Thanks for the explanation. As mentioned, I already tried the rules you advised and it did not work. The author of that StackExchange answer advises "modprobe ip_conntrack_ftp", but as I said I think it's not enabled, and I asked if it's possible and how to do it without it.
 
Old 06-02-2014, 07:22 AM   #11
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Quote:
Originally Posted by postcd
Thanks for the explanation. As mentioned, I already tried the rules you advised and it did not work. The author of that StackExchange answer advises "modprobe ip_conntrack_ftp", but as I said I think it's not enabled, and I asked if it's possible and how to do it without it.
You can't do it without it. The connection tracking is what is needed to associate the data channel with the correct command channel.
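A ruleset in the shape jpollard's answers describe, as an added example that is not code from the thread or from any poster: it prints the rules rather than applying them, shows the conntrack-helper form beside the static-range fallback for a host where the helper is unavailable, and assumes control port 21, the PassivePorts range 49152:65534 from the original post, an INPUT policy of DROP and an OUTPUT policy of ACCEPT (nf_conntrack_ftp is the current name of the ip_conntrack_ftp module the thread mentions).

```shell
#!/bin/sh
# Added example (not from the thread): print, rather than apply, an INPUT-side
# ruleset for a ProFTPd server in the two forms the answers discuss.
# Assumptions: control port 21, PassivePorts 49152 65534 in proftpd.conf
# (the range from the original post), OUTPUT policy ACCEPT, INPUT policy DROP.
set -eu

FTP_PORT=21
PASV_RANGE="49152:65534"   # must match PassivePorts in proftpd.conf

# The kernel FTP helper (nf_conntrack_ftp today, ip_conntrack_ftp on old
# kernels) reads "227 Entering Passive Mode (...)" and PORT on the control
# channel and marks the matching data connection RELATED.
ftp_helper_loaded() {
    grep -Eq '^(nf|ip)_conntrack_ftp ' /proc/modules 2>/dev/null
}

# Emit iptables commands so they can be reviewed before being piped into sh.
#   helper : rely on conntrack; no static port range needs to be opened.
#   static : no helper available (the VPS case in the thread); open the
#            passive range so the client's data connection is accepted as NEW.
ftp_rules() {
    mode=${1:-helper}
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT"
    case $mode in
        helper)
            # Kernels since 4.7 do not attach helpers automatically;
            # bind the ftp helper to the control port explicitly.
            echo "iptables -t raw -A PREROUTING -p tcp --dport $FTP_PORT -j CT --helper ftp"
            ;;
        static)
            echo "iptables -A INPUT -p tcp --dport $PASV_RANGE -m conntrack --ctstate NEW -j ACCEPT"
            ;;
        *)
            echo "ftp_rules: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
}

# Pick the form that matches this host: helper if loaded, static otherwise.
if ftp_helper_loaded; then ftp_rules helper; else ftp_rules static; fi
```

Review the printed rules against the existing chain order (`iptables-save`, as Shadow_7 suggests) before piping them into sh; the static form only covers passive data connections that land inside PASV_RANGE.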
 