- 09-05-2004 #1, Just Joined!, Join Date: Jan 2004, Posts: 93
iptables for vsftpd
Hi,
I'm having trouble applying iptables rules on vsftpd. Now if I turn off iptables, vsftpd works fine.
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:6881
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

As you can see, I'm using Fedora's own security configuration. Can anyone tell me what the problem is? Thanks.
- 09-05-2004 #2, Just Joined!, Join Date: Jan 2004, Posts: 93
Ok, so now the problem is solved by doing this:
1. add following in /etc/modprobe.conf
Code:
alias ip_conntrack ip_conntrack_ftp ip_nat_ftp

2. add following in /etc/rc.local
Code:
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

I actually don't know what the problem was. So if anyone wants to point that out, it would be appreciated. Thanks.
- 09-08-2004 #3, Just Joined!, Join Date: Jan 2004, Posts: 93
Ok, I'm back again. For some reason, it doesn't work again.
Help me please!
- 09-15-2004 #4, Just Joined!, Join Date: Sep 2004, Posts: 9
I have the same problem as you.
After I run "modprobe ip_conntrack_ftp"
Everything works well for my vsftpd.
For your IP table, try adding ftp-data in as well. It's port 20. Required for Active FTP. Port 21 is for passive ftp.
Cheers,
Fruity....
- 02-18-2008 #5, Just Joined!, Join Date: Feb 2008, Posts: 1
Hey um... I don't know much about iptables, but port 21 is the connection port (required for any connection vsftp), port 20 is the active ftp data port, and vsftp's default passive data ports are any other two adjacent ports that are open. You can specify which passive ports in the /etc/vsftpd.conf file - add the lines:
pasv_min_port=<port number>
pasv_max_port=<port number>
Note: this is on openSuSE 10.2
Visit this page for vsftp.conf commands:
Manpage of VSFTPD.CONF
Hope this helps.
- 02-27-2009 #6, Just Joined!, Join Date: Feb 2009, Posts: 1
not to do so much
edit /etc/sysconfig/iptables-config and modify the line
Code:
IPTABLES_MODULES=""

to the one below
Code:
IPTABLES_MODULES="ip_conntrack_ftp"

This automates the loading of module(s) whenever you restart iptables.
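
Added example (not part of any post in this thread): a shell function that takes `iptables -L` output, `lsmod` output and `vsftpd.conf` contents and reports which of the two fixes discussed above, the FTP conntrack helper or a pinned passive port range, is actually in effect. The function name, verdict strings and sample inputs are constructed for illustration; rule order is not evaluated, and `nf_conntrack_ftp` is accepted as the newer name of the same helper.

```sh
#!/bin/sh
# Added example; every sample input below is constructed.
# ftp_fw_diagnose RULES MODULES VSFTPD_CONF   (arguments are text, not paths)
#   RULES       `iptables -L` output of the chain that filters input
#   MODULES     `lsmod` output (module name in the first column)
#   VSFTPD_CONF contents of vsftpd.conf
# Prints one verdict. Rule order is not evaluated (assumption: ACCEPTs come
# before the final REJECT, as in the ruleset in post #1).
ftp_fw_diagnose() {
    rules=$1 modules=$2 conf=$3

    # Control channel: NEW connections to port 21 must be accepted.
    printf '%s\n' "$rules" | grep -Eq '^ACCEPT .*tcp dpt:(ftp|21)( |$)' ||
        { echo control-blocked; return; }

    # Helper path: the FTP conntrack helper reads PORT/PASV replies and marks
    # the data connection RELATED, so the RELATED,ESTABLISHED rule admits it.
    if printf '%s\n' "$rules" | grep -Eq '^ACCEPT .*state .*RELATED' &&
       printf '%s\n' "$modules" | grep -Eq '^(ip|nf)_conntrack_ftp( |$)'; then
        echo ok-helper; return
    fi

    # Fixed-range path: passive ports pinned in vsftpd.conf and opened as a
    # matching `dpts:min:max` rule (covers passive mode only).
    min=$(printf '%s\n' "$conf" | sed -n 's/^pasv_min_port=\([0-9][0-9]*\) *$/\1/p')
    max=$(printf '%s\n' "$conf" | sed -n 's/^pasv_max_port=\([0-9][0-9]*\) *$/\1/p')
    if [ -n "$min" ] && [ -n "$max" ] &&
       printf '%s\n' "$rules" | grep -Eq "^ACCEPT .*tcp dpts:$min:$max( |\$)"; then
        echo ok-pasv-range; return
    fi

    echo data-blocked
}

# Constructed sample: the FTP-relevant rules of a ruleset like post #1's.
SAMPLE_RULES='ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited'
# Constructed lsmod lines (sizes are made up).
SAMPLE_LSMOD='ip_conntrack_ftp 72849 0
ip_conntrack 42009 1 ip_conntrack_ftp'

ftp_fw_diagnose "$SAMPLE_RULES" "ip_tables 16193 1" ""   # helper not loaded
ftp_fw_diagnose "$SAMPLE_RULES" "$SAMPLE_LSMOD" ""       # helper loaded
```

On a live host the three arguments would come from `"$(iptables -L RH-Firewall-1-INPUT)"`, `"$(lsmod)"` and `"$(cat /etc/vsftpd.conf)"`.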



