The Community Forums


proftp and iptables issue

Discussion in 'General Discussion' started by pphillips, Dec 6, 2004.

  1. pphillips

    pphillips Well-Known Member

    Joined:
    Nov 14, 2003
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    I have ports 20 and 21, TCP and UDP open in iptables. A user can connect to the FTP server ok, but cannot get a directory listing, "ls" doesn't work. If I turn off iptables completely, it works fine. I read somewhere that if a user is connecting from port 21, they also need to have access to ports > 1024 on the server. http://www.ale.org/archive/ale/ale-2001-07/msg00059.html so I tried opening up ports 1024-9999 from connections on port 21 and I can't get it to work.

    Anyone know how I can get FTP working correctly with iptables?
     
  2. Sinewy

    Sinewy Well-Known Member

    Joined:
    May 15, 2004
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney, Australia
    cPanel Access Level:
    DataCenter Provider
    it could be another rule that is blocking the access..
     
  3. pphillips

    pphillips Well-Known Member

    Joined:
    Nov 14, 2003
    Messages:
    71
    Likes Received:
    0
    Trophy Points:
    6
    here's the output of ./iptables status

    Table: nat
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Table: mangle
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination

    Table: filter
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT udp -- anywhere anywhere udp dpts:ftp-data:ftp
    ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
    ACCEPT ipv6-crypt -- anywhere anywhere
    ACCEPT ipv6-auth -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere tcp dpts:2082:2096
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
    ACCEPT tcp -- anywhere anywhere tcp dpt:10000
    ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
    ACCEPT tcp -- anywhere anywhere tcp dpt:http
    ACCEPT tcp -- anywhere anywhere tcp dpt:https
    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    If you switch your FTP client to not use passive mode (PASV) you'll probably find it works.

    PASV mode uses ephemeral ports and needs them to be opened for it. You can do this by allowing access to ephemeral ports on an ESTABLISHED connection. This is entirely possible with iptables, and a Google search should help you out.

    Alternatively, install a preconfigured iptables firewall such as APF which does all that for you.
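chirpy's fix worked through as an added example (not code from the thread, cPanel or APF): the kernel's FTP connection-tracking helper marks PASV data connections as RELATED to the port 21 session, so a single RELATED,ESTABLISHED rule ahead of the chain's final REJECT admits them; the fixed PassivePorts range 49152-65534 and the two listing excerpts are constructed assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the RH-Firewall-1-INPUT chain posted above
# and a proftpd PassivePorts range; 49152-65534 is an assumed value, not from the post.
PASV_MIN=${PASV_MIN:-49152}
PASV_MAX=${PASV_MAX:-65534}

# Print (do not run) the rules that let passive FTP work with the posted chain.
# Review the output, then apply with:  ftp_rules | sh
ftp_rules() {
  cat <<EOF
# Load the FTP conntrack helper so PASV/PORT data connections are tracked as RELATED
modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
# Accept traffic tied to an existing control session, ahead of the final REJECT
iptables -I RH-Firewall-1-INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Control channel: TCP 21 only (FTP never uses UDP, so the udp ftp-data:ftp rule can go)
iptables -I RH-Firewall-1-INPUT 2 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Fixed passive range, for when the helper cannot read the control channel (e.g. FTPS)
iptables -I RH-Firewall-1-INPUT 3 -p tcp --dport $PASV_MIN:$PASV_MAX -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Read an `iptables -L` listing on stdin. Exit 0 if an ACCEPT for RELATED,ESTABLISHED
# comes before the terminal REJECT, 1 otherwise (the "login works, ls hangs" symptom).
pasv_ok() {
  awk '/ACCEPT/ && /RELATED,ESTABLISHED/ { seen = 1 }
       /^ *REJECT/ && !seen { exit 1 }'
}

# Constructed excerpt of the chain as posted: no state rule before the REJECT.
LISTING_BEFORE='ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# Constructed excerpt of the same chain after applying ftp_rules.
LISTING_AFTER='ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp ctstate NEW
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'

# $1: listing text. Prints a verdict and returns pasv_ok's status.
check_listing() {
  if printf '%s\n' "$1" | pasv_ok; then
    echo "passive data connections are accepted"
  else
    echo "passive data connections hit the REJECT rule"
    return 1
  fi
}

check_listing "$LISTING_BEFORE" || true   # the posted ruleset: ls hangs
check_listing "$LISTING_AFTER"            # after ftp_rules: ls works
```

The active-mode workaround in the post avoids the problem only because the server opens the data connection outbound from port 20 and the OUTPUT chain is ACCEPT; the rules above make passive mode work without that dependency.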
     