From: Boryan Yotov
Subject: Re: Ftp (pass mode ) and Iptables
Date: Thu, 05 Jan 2006 11:18:03 +0100
Message-ID: <43BCF25B.8000409@prosyst.com>
In-Reply-To: <43BCE38B.5080007@prosyst.com>
To: netfilter@lists.netfilter.org

Boryan Yotov wrote:
> ludi wrote:
>
>> I have an FTP server and run a script of iptables on the server (not a
>> NAT gateway). The following is the script:
>>
>> iptables -F OUTPUT
>> iptables -F INPUT
>> iptables -F FORWARD
>>
>> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
>> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
>> iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
>> iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
>> iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit --limit 6/m --limit-burst 6 -j ACCEPT
>> iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
>> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -P INPUT DROP
>>
>> iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
>> iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
>> iptables -P OUTPUT DROP
>>
>> Now, my question is that I cannot connect to the FTP server in pass
>> mode until I stop the iptables. I had tried the ip_conntrack_ftp.o
>> module, but it didn't have any effect.
>> Could anyone give me some idea?
>
> Do you have TLS or SSL encryption over the FTP server's command channel?

Ok, since you are sure there is no TLS or SSL encryption on the command channel, then it is probably the firewall setup script which you use.

I suppose the script above is the complete one and it is run on the FTP server itself. If this is the case, then I see no definition for TCP/UDP port 21 (where the FTP server's command channel is listening). If port 21 is closed (and your proftpd is not configured to listen on another command port), then you won't be able to connect to the FTP server at all. Otherwise, since you mention that PASV mode is not working, then I guess you already have a command channel connection open between both client and server? Or not?

And, please reply to the list (it makes it easier to track).
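As an added illustration (not part of the thread, and not the original poster's script), here is a ruleset for a stand-alone FTP server that lets the conntrack FTP helper handle both active and passive data connections. It assumes a current kernel, where the helper must be assigned explicitly with the CT target (the module is nf_conntrack_ftp rather than ip_conntrack_ftp), and the server address is passed as an argument in place of $HOME_ADDR; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: firewall for an FTP server that also accepts passive mode.
# IPT=echo turns the function into a dry run that only prints the rules.
IPT="${IPT:-iptables}"

ftp_server_rules() {
    home_addr="$1"   # the server's own address (the original's $HOME_ADDR)

    # The FTP helper reads the cleartext port-21 command channel, sees the
    # PORT/PASV exchange and marks the data connection RELATED. It cannot
    # do this through TLS/SSL, which is why the thread asks about FTPS first.
    # On kernels since 4.7 helpers are not attached automatically, so the
    # control channel is tagged for the helper in the raw table.
    $IPT -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp

    $IPT -F INPUT
    $IPT -F OUTPUT

    $IPT -A INPUT -i lo -j ACCEPT
    # The rule the original script lacks: the control channel itself.
    $IPT -A INPUT -p tcp -i eth0 -d "$home_addr" --dport 21 \
         -m conntrack --ctstate NEW -j ACCEPT
    # Data channels (passive: client -> server ephemeral port; active:
    # server port 20 -> client) arrive as RELATED, replies as ESTABLISHED.
    # "-m conntrack --ctstate" is the current spelling of "-m state --state".
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -P INPUT DROP

    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o eth0 -s "$home_addr" -j ACCEPT
    $IPT -P OUTPUT DROP
}

# Apply only when a server address is given on the command line.
if [ "$#" -gt 0 ]; then
    ftp_server_rules "$1"
fi
```

After loading, `cat /proc/net/nf_conntrack` (or `conntrack -L`) during a passive transfer should show the data connection with `helper=ftp` on its parent; if the control channel is not tagged, the RELATED rule never matches and only port 21 gets through.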