[TriLUG] FTP can't get through iptables (was: iptables for webserver)

Sam Folk-Williams sam.folkwilliams at gmail.com
Sun Jun 19 22:28:27 EDT 2005


Thanks Joe, and everyone else who has replied...

There's definitely something strange going on here. I still haven't
figured it out, but it does not seem to be any of the "normal" things
you would think. Concerning IPtables, this is from iptables -L -n:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:20

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED

As you can see, 20 and 21 are both opened, and the related,established
rule is in effect.

In terms of command line vs GUI weirdness (one works and one doesn't)
all I can say is that when I stop iptables, all clients can connect no
problem. When I start iptables, I can get through on some clients (i.e.
the command line) and not others, i.e. Windows Explorer (which the
customer uses in this situation).

I also tried adding a rule to iptables that opens ALL ports to the
client's IP address... and that did nothing. This is definitely a head
scratcher... anyone who has any ideas, please let me know!

Thanks.

Sam
On 6/19/05, Mack.Joseph at epamail.epa.gov <Mack.Joseph at epamail.epa.gov> wrote:
> Joseph Mack PhD, High Performance Computing & Scientific Visualisation
> LMIT, Supporting the EPA Research Triangle Park, NC 919-541-0007 Federal
> Infrastructure Contact-Ravi Nair 919-541-5467 - nair.ravi at epa.gov,
> Federal Visualization  Contact - Joe Retzer, Ph.D. 919-541-4190 -
> retzer.joseph at epa.gov
> 
> trilug-bounces at trilug.org wrote on 06/13/2005 08:29:45 PM:
> 
> > Using a GUI FTP client, either on Windows or Linux, either
> > in Passive mode
> > or not, the client successfully makes a connection and
> > authenticates against
> > the server. After that initial connection, it hangs and
> > times out.
> 
> this usually means that you have the command port connection
> OK (port 21) but not the dataport (20 for active ftp, anything
> for passive). You need to add a rule with "RELATED"
> in it to allow the 2nd port through (don't know specifics,
> go look on an iptables HOWTO).
> 
> 
> > The weird thing is that if you log in via FTP on the
> > command line from any
> > client it works totally fine.
> 
> if it's an iptables problem, then the command line wouldn't work either,
> unless one was active (command probably) and the other passive
> (gui probably)
> 
> for more than you probably want to know about ftp look at this
> 
> http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.services.multi-port.html#ftp
> 
> Joe
> 

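An added example, not part of the thread, that takes the captured text of `iptables -L -n` and `lsmod` as its inputs: a POSIX sh check for the three things that must hold for FTP data connections to pass (port 21 accepted, an ACCEPT rule carrying RELATED, and the kernel FTP connection-tracking helper loaded, which is what lets the RELATED rule match the data port negotiated over the control channel). The module names are real; the captured rule and module text in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): offline check of why FTP logs in but then
# hangs behind iptables. It reads captured `iptables -L -n` and `lsmod` text, so it
# needs no root. The RELATED rule only matches the data connection if the kernel's
# FTP connection-tracking helper (ip_conntrack_ftp on 2.4 and early 2.6 kernels,
# nf_conntrack_ftp on later kernels) is loaded to parse PORT/PASV on port 21.

# `iptables -L -n` wraps long rules; glue continuation lines back onto their rule.
join_rules() {
    printf '%s\n' "$1" | awk '
        /^(ACCEPT|DROP|REJECT|RETURN|LOG)/ { if (r != "") print r; r = $0; next }
        NF > 0 { r = r " " $0 }
        END { if (r != "") print r }'
}

# 0 if the control port (tcp/21) is accepted.
has_ctrl_rule() {
    join_rules "$1" | grep -Eq '^ACCEPT +tcp .*dpt:21( |$)'
}

# 0 if some ACCEPT rule carries the RELATED state (needed for the data port).
has_related_rule() {
    join_rules "$1" | grep -Eq '^ACCEPT .*state +[A-Z,]*RELATED'
}

# 0 if the FTP conntrack helper appears in the lsmod text.
has_ftp_helper() {
    printf '%s\n' "$1" | grep -Eq '^(ip|nf)_conntrack_ftp '
}

# Diagnose: returns 0 ok, 1 no port-21 rule, 2 no RELATED rule, 3 helper missing.
# $1 = text of `iptables -L -n`, $2 = text of `lsmod`.
ftp_fw_diag() {
    has_ctrl_rule "$1"    || { echo "control port 21 not accepted"; return 1; }
    has_related_rule "$1" || { echo "no ACCEPT rule with state RELATED"; return 2; }
    has_ftp_helper "$2"   || { echo "FTP conntrack helper not loaded (modprobe ip_conntrack_ftp or nf_conntrack_ftp)"; return 3; }
    echo "ruleset and helper look fine for active and passive FTP"
}
```

Run it as `ftp_fw_diag "$(iptables -L -n)" "$(lsmod)"` on the server; a return code of 3 with a ruleset like the one quoted in this thread points at the missing helper rather than the rules.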