On 2/15/06, Benjamin Smith <lists@xxxxxxxxxxxxxxxxxx> wrote: > I'm having a heck of a time getting vsftpd to work properly. When Iptables are > OFF, it works fine, and when iptables is on, it dies. When I try ftp from a > command line, here's what the session looks looks like: > > > [root@mylaptop ~]# ftp ftp.server.com > Connected to ftp.server.com. > 220 Welcome to My Company FTP > 530 Please login with USER and PASS. > 530 Please login with USER and PASS. > KERBEROS_V4 rejected as an authentication type > Name (ftp.server.com:root): northwind > 331 Please specify the password. > Password: > 230 Login successful. > Remote system type is UNIX. > Using binary mode to transfer files. > ftp> ls > 227 Entering Passive Mode (66,81,89,182,135,169) > ftp: connect: No route to host > ftp> FTP uses two TCP connections 21 and 20. If the kernel has connection tracking on this is fairly easy. I don't know the details off hand, or if the kernel support connection tracking as I use ssh/scp/sftp exclusivly. I know you need to load the ip_conntrack_ftp module. If you google you should find the rest of the information you need. > But, what am I doing wrong, here!?!?! Sample from > /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES. > ############################################ > *filter > :INPUT ACCEPT [0:0] > :FORWARD ACCEPT [0:0] > :OUTPUT ACCEPT [0:0] > :RH-Firewall-1-INPUT - [0:0] > -A INPUT -j RH-Firewall-1-INPUT > -A FORWARD -j RH-Firewall-1-INPUT > -A RH-Firewall-1-INPUT -i lo -j ACCEPT > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT > -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT > -A RH-Firewall-1-INPUT -p tcp -j LOG > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited > ############################################ > > Lastly, here's a typical log rejection notice from /var/log/messages > Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT= > MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP > LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729 > WINDOW=5840 RES=0x00 SYN URGP=0 > > What am I missing? > > -Ben > -- > "The best way to predict the future is to invent it." > - XEROX PARC slogan, circa 1978 > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > http://lists.centos.org/mailman/listinfo/centos > -- Leonard Isham, CISSP Ostendo non ostento.