  #1

    iptables for vsftpd


    Hi,
    I'm having trouble applying iptables rules on vsftpd. Now if I turn off iptables, vsftpd works fine.
    Code:
    iptables -L
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     ipv6-crypt--  anywhere             anywhere
    ACCEPT     ipv6-auth--  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:netbios-ssn
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:microsoft-ds
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-ns
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:netbios-dgm
    ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:6881
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
    As you can see, I'm using Fedora's own security configuration. Can anyone tell me what the problem is? Thanks.

  #2
    Ok, so now the problem is solved by doing this:
    1. add the following in /etc/modprobe.conf
    Code:
    alias ip_conntrack ip_conntrack_ftp ip_nat_ftp
    2. add the following in /etc/rc.local
    Code:
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    I actually don't know what the problem was. So if anyone wants to point that out, it would be appreciated. Thanks.

  #3
    Ok, I'm back again. For some reason, it doesn't work again. Help me please!

  #4
    I have the same problem as you.

    After I run "modprobe ip_conntrack_ftp"

    Everything works well for my vsftpd.

    For your iptables, try adding ftp-data in as well. It's port 20. Required for Active FTP. Port 21 is for passive ftp.

    Cheers,

    Fruity....

  #5
    Hey um... I don't know much about iptables, but port 21 is the connection port (required for any vsftp connection), port 20 is the active ftp data port, and vsftp's default passive data ports are any other two adjacent ports that are open. You can specify which passive ports in the /etc/vsftpd.conf file - add the lines:
    Code:
    pasv_min_port=<port number>
    pasv_max_port=<port number>

    Note: this is on openSuSE 10.2

    Visit this page for vsftpd.conf commands:
    Manpage of VSFTPD.CONF

    Hope this helps.

  #6

    not to do so much

    edit /etc/sysconfig/iptables-config and modify the line
    Code:
    IPTABLES_MODULES=""
    to the one below
    Code:
    IPTABLES_MODULES="ip_conntrack_ftp"
    This automates the loading of module(s) whenever you restart iptables
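An added example, not written by any poster in this thread: a POSIX shell script that reads pasv_min_port/pasv_max_port from vsftpd.conf (a constructed sample is embedded so it runs offline) and prints, without applying anything, the conntrack helper load and the iptables rules the server needs. The module name nf_conntrack_ftp is assumed for current kernels; the 2.6-era name used in this thread is ip_conntrack_ftp.

```shell
#!/bin/sh
# Derive the FTP firewall setup from a vsftpd.conf. Only prints commands
# so they can be reviewed before being run on a real host.

# Constructed sample config (stands in for /etc/vsftpd.conf).
SAMPLE_CONF=$(cat <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF
)

# Helper module name; assumption for current kernels (ip_conntrack_ftp on 2.6).
FTP_HELPER=${FTP_HELPER:-nf_conntrack_ftp}

# Read one numeric key in vsftpd.conf syntax (key=value, no spaces) from stdin.
vsftpd_get() {  # $1 = key
    sed -n "s/^[[:space:]]*$1=\([0-9]*\)[[:space:]]*$/\1/p" | tail -n 1
}

# Print "min max"; fail if either value is missing or the range is inverted,
# since vsftpd would reject such a config and nothing should be opened for it.
passive_range() {  # $1 = config text
    min=$(printf '%s\n' "$1" | vsftpd_get pasv_min_port)
    max=$(printf '%s\n' "$1" | vsftpd_get pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] || return 1
    echo "$min $max"
}

# Emit: helper load, control port 21, and the passive range.
# With the helper loaded, data connections match RELATED,ESTABLISHED, so no
# rule for port 20 is needed for active mode. The passive range is still
# opened explicitly so FTP over TLS, where the helper cannot read the
# control channel, keeps working.
ftp_rules() {  # $1 = config text
    range=$(passive_range "$1") || return 1
    set -- $range
    echo "modprobe $FTP_HELPER"
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
}

ftp_rules "$SAMPLE_CONF"
```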
