On December 18, 2003 08:07 pm, Bob Smith wrote: > Pete, > > I've replaced the rpm, and restarted the server, and I'm still locked > out. So I want to try the addition of the line in iptables. However, > I'm not sure of what $EXT_IF means. I'm assuming that $FTP_PORTS are > ports 21 and 20, and that they go in the user rules I have defined. Is > EXT_IF the external interface, and is that value something like eth0 or lo? > > Also, would a reboot help on this? > > Thanks, > > -Bob > > Pete Nesbitt wrote: > >On December 18, 2003 06:56 am, Bob Smith wrote: > > > > > >That sounds like you've found the cause and solution. If not, (or anyway) > > you should check your logs, and also add a LOG entry to the firewall DENY > > or REJECT line to see whats happening at the firewall. > > > >Depending on your exact rules, add something like this, just blow your FTP > >ACCEPT Rules, and ABOVE the RETURN line in a user chain, as in: > >ftp accept rules... > >$IPTABLES -A FTP_CHAIN -p tcp -m state --state NEW -i $EXT_IF \ > > --dport $FTP_PORTS -j LOG --log-prefix "NetF FTP Failure: " > >... RETURN if in user chain > >...then the drop line later in rules Bob, You should probably have a quick look at tcpwrappers (/etc/hosts.allow & hosts.deny) and /etc/init.d/vsftp to make sure it looks sane. I like to use variables in scripts, even for things that should be static, so at the top of my iptables I define things like EXT_IF which is the external interface on the firewall, in this case, yes it is likely your eth0. I don't actually have ftp (use sftp or scp via ssh) but I just stuck that in to represent a variable that you may have predefined. So if you are not getting to a login, then you are failing on port 21, If you are running iptables on the same machine, you are not using a custom chain and the internet is accessed via eth0, then the log line would look like: $IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \ --dport 21 -j LOG --log-prefix "NetF FTP Failure: " (if you fail after successful login, change the "20 to a "20:21" for a port range) If you put it following your rules that allow ftp, anything that targets that port but fails will be logged with the quoted string as something to grep. You may even want to put it above the allow ftp rules incase it is PAM or TCPwrappers causing a problem further along the line. tcpdump may provide some info, if you know the ip or host of a test system you are using you can look at traffic with: tcpdump host <ip or host name> For testing, maybe wrap the rules with logs: $IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \ --dport 21 -j LOG --log-prefix "NetF FTP Attempt: " ...your ftp access allow rules... $IPTABLES -A INPUT -p tcp -m state --state NEW -i $EXT_IF \ --dport 21 -j LOG --log-prefix "NetF FTP Failure: " oh, if you are using the gui tool to manage your firewall, these instructions are probably wrong as the format, which I am not too familiar with, is different. -- Pete Nesbitt, rhce -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
