Linux Netfilter discussions
From: Martijn Lievaart <m@rtij.nl>
To: Richard <netfilter@ghz.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: IPtables settings to access a backup FTP
Date: Sat, 18 Aug 2007 22:16:28 +0200
Message-ID: <46C7539C.60002@rtij.nl>
In-Reply-To: <46C743CB.801@ghz.fr>

Richard wrote:
> Hello, this is my first message so I hope I'm doing this right ! :)
>
> I've got iptables set up and running well on my server and up to now 
> I've not had any problems, however I have just installed a backup 
> system which needs to connect by FTP to a distant server.
>
> With my firewall deactivated all works fine, however with the 
> firewall activated when I use the "ls" command of the debian ftp 
> command line package (CWD) I get:
>
> 200 ok then a long wait then :
> 421 Service not available, remote server has closed connection.
>
> I've tried this on two different FTPs and it only works if the 
> firewall is deactivated.
>
> One server is a plesk server but the server I need to connect to I do 
> not know much about, with filezilla on my pc I've managed to connect 
> to it with both FTP active and FTP passive so I guess it can do both.
>
> On my server I just do :
>
> ftp ftp.server.com
> username
> password
>
> So I'm not sure if it connects as passive or active.
>
> These are the ports that I have got open :
>
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

You don't need this (see below), but it is wrong anyhow. Active ftp uses 
SOURCE port 20, not destination port 20. Most guides on the inuhnet 
thingie get this wrong.

> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Do you also want to accept FTP connections? You don't need this to make 
outgoing connections.

>
> -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

This is nonsense.

> -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

This is the only rule you need to make outgoing FTP connections.

>
> Which ports do you suggest I should open to connect to this FTP server ?
>

It's not only about static ports. FTP uses dynamic ports as well that 
must be tracked by a helper. Modprobe nf_conntrack_ftp (ip_conntrack_ftp 
on older kernels) and all should be well.

HTH,
M4
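The points Martijn raises above can be checked mechanically. The following is an added example (not code from either poster) that audits iptables-save style rules for a host that only makes outgoing FTP connections: it flags the three useless rules, confirms the OUTPUT --dport 21 rule, and verifies that RELATED is accepted, which the nf_conntrack_ftp helper needs in order to open the data connection. The rule lines are a constructed copy of those quoted in the thread; loading the helper module itself still has to be done separately.

```python
import re

# Constructed copy of the rules quoted in Richard's message.
SAMPLE_RULES = """
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
""".strip().splitlines()

RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")


def parse(rule):
    """Return (chain, dport or None, set of --state values) for one line."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return None
    chain, body = m.groups()
    dport = re.search(r"--dport\s+(\d+)", body)
    state = re.search(r"--state\s+(\S+)", body)
    return (chain, int(dport.group(1)) if dport else None,
            set(state.group(1).split(",")) if state else set())


def audit_ftp_rules(rules):
    """Findings for a client-only FTP host; an empty list means the set is fine."""
    findings = []
    related = {"INPUT": False, "OUTPUT": False}  # RELATED accepted per chain?
    has_out_21 = False
    for rule in rules:
        parsed = parse(rule)
        if parsed is None:
            continue
        chain, dport, states = parsed
        if "RELATED" in states and chain in related:
            related[chain] = True
        if chain == "INPUT" and dport == 20:
            findings.append("INPUT --dport 20: active-mode data connections come FROM port 20; this matches nothing useful")
        elif chain == "INPUT" and dport == 21:
            findings.append("INPUT --dport 21: accepts inbound FTP control connections (an FTP server); not needed for outgoing FTP")
        elif chain == "OUTPUT" and dport == 20:
            findings.append("OUTPUT --dport 20: a client never connects to port 20; rule is unnecessary")
        elif chain == "OUTPUT" and dport == 21:
            has_out_21 = True  # the one rule an outgoing FTP client needs
    if not has_out_21:
        findings.append("missing OUTPUT --dport 21 ACCEPT: the outgoing control connection would be blocked")
    for chain, ok in related.items():
        if not ok:
            findings.append(f"{chain}: RELATED not accepted; helper-tracked data connections will be dropped")
    return findings
```

Running `audit_ftp_rules(SAMPLE_RULES)` reports exactly the three superfluous rules discussed above and nothing about RELATED, since the state rules are already in place.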
