Boryan Yotov wrote:
ludi wrote:
I have an FTP server and run an iptables script on the server (not a
NAT gateway). The following is the script:
iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --dport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 -s 0/0 -d $HOME_ADDR --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 -s 0/0 -d $HOME_ADDR --dport 80 -j ACCEPT
iptables -A INPUT -p icmp -i eth0 -s 0/0 -d $HOME_ADDR -m limit --limit 6/m --limit-burst 6 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
iptables -P OUTPUT DROP
Now, my question is that I cannot connect to the FTP server in passive
mode until I stop iptables. I had tried the ip_conntrack_ftp.o
module, but it didn't have any effect.
Could anyone give me some ideas?
Do you have TLS or SSL encryption on the FTP server's command channel?
OK, since you are sure there is no TLS or SSL encryption on the command
channel, then it is probably the firewall setup script which you use.
I suppose the script above is the complete one and it is run on the FTP
server itself. If this is the case, then I see no definition for TCP/UDP
port 21 (where the FTP server's command channel listens). If
port 21 is closed (and your proftpd is not configured to listen on another
command port), then you won't be able to connect to the FTP server at all.
On the other hand, since you mention that PASV mode is not working, I
guess you already have a command-channel connection open between
client and server? Or not?
And, please reply to the list (it makes it easier to track).
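As an added example that is not part of this thread, here is how the poster's script could be restructured so that the FTP command channel on TCP/21 is admitted and the conntrack FTP helper (ip_conntrack_ftp on the poster's 2.4-era kernel, nf_conntrack_ftp today) can mark passive-mode data connections as RELATED. HOME_ADDR, the eth0 interface and the SSH/HTTP/ICMP rules follow the post (the DNS rules are left out); the IPT and MODPROBE variables, the placeholder address and the lint function are this example's own assumptions.

```shell
#!/bin/sh
# Added example: host firewall for an FTP server in which the command channel
# (TCP/21) is admitted and the conntrack FTP helper tags passive-mode data
# connections as RELATED. HOME_ADDR, IPT and MODPROBE are assumed settings;
# 192.0.2.10 is a constructed placeholder address.
HOME_ADDR="${HOME_ADDR:-192.0.2.10}"
IPT="${IPT:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Emit the ruleset as shell commands so it can be reviewed before being applied.
ftp_ruleset() {
    cat <<EOF
$MODPROBE nf_conntrack_ftp
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -t raw -F PREROUTING
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Replies to permitted traffic, and the helper-tracked FTP data connections
$IPT -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Attach the FTP helper to the command channel explicitly (automatic helper
# assignment is off by default since kernel 4.7), then admit new connections
$IPT -t raw -A PREROUTING -i eth0 -p tcp -d $HOME_ADDR --dport 21 -j CT --helper ftp
$IPT -A INPUT -i eth0 -p tcp -d $HOME_ADDR --dport 21 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -d $HOME_ADDR --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -d $HOME_ADDR --dport 80 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -i eth0 -p icmp -m limit --limit 6/m --limit-burst 6 -j ACCEPT
$IPT -A OUTPUT -o eth0 -s $HOME_ADDR -j ACCEPT
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
EOF
}

# Check the three things passive FTP needs from this ruleset: the command
# channel is accepted, the helper is attached, and RELATED traffic is accepted.
# A ruleset like the one in the post (no port 21 rule) fails the first check.
lint_ftp_ruleset() {
    rules="$(ftp_ruleset)"
    printf '%s\n' "$rules" | grep -q -- '--dport 21 .*-j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '-j CT --helper ftp' || return 1
    printf '%s\n' "$rules" | grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' || return 1
    return 0
}

# Apply only a ruleset that passes the lint; run as root on the FTP server.
apply_ftp_rules() {
    lint_ftp_ruleset && ftp_ruleset | sh -e
}
```

Setting IPT and MODPROBE to `echo` turns apply_ftp_rules into a dry run that prints the commands instead of changing the firewall.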