Can't prevent iptables from blocking vsftpd connections!

  • jammer2552
  • Graduate
  • Posts: 139

Post 3+ Months Ago

Hello again, Ozzu community! I have a bit of an issue connecting to my newly installed vsftpd server while iptables is running. As soon as service iptables stop is executed and iptables shuts down, my FTP client connects right away! However, with iptables enabled, all I get are connection timeouts while trying to connect. :(

So, here is all the information you should (hopefully) need to diagnose my problem. :)

CentOS 6.3, using vsftpd (obviously) under xinetd. As I stated above, I have connected to the FTP server while iptables is disabled, so I know I have these two working together just fine.

iptables:
Table: filter
Chain INPUT (policy ACCEPT)
num target   prot opt source        destination    
1  ACCEPT   all -- 0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
2  ACCEPT   icmp -- 0.0.0.0/0      0.0.0.0/0     
3  ACCEPT   all -- 0.0.0.0/0      0.0.0.0/0     
4  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      state NEW tcp dpt:22
5  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp dpt:80
6  REJECT   all -- 0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited
7  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp dpt:21
8  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp spt:20

Chain FORWARD (policy ACCEPT)
num target   prot opt source        destination    
1  REJECT   all -- 0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target   prot opt source        destination    

ip_conntrack_ftp is loaded.

I've tried several different rules concerning the vsftpd processes. The one listed above is the simplest one (no -m state --state NEW, etc.), with no difference in results.

Cheers to a good weekend!

-James

  • jammer2552
  • Graduate
  • Posts: 139

Post 3+ Months Ago

Well, I solved it.

For those who are noobs with iptables (like me), make sure that any REJECT rules, like the one included by default below, are after your accept rules, otherwise the REJECT rule takes precedence.

-A INPUT -j REJECT --reject-with icmp-host-prohibited

Now to enjoy my weekend!
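As an added example, not part of the original thread, here is a small shell lint for exactly this ordering mistake. It reads iptables-save style rules on stdin (the sample below is constructed from the INPUT listing in the first post; the `-i lo` on the third rule is an assumption, since `iptables -L` without `-v` hides interface matches), reports every rule that sits behind a chain's catch-all REJECT/DROP and therefore can never match, and emits a reordered copy with each catch-all moved behind the other rules of its chain, which is the fix described above.

```shell
#!/bin/sh
# Added example, not from the original post: lint an iptables-save style
# rule set for rules that sit behind a chain's catch-all REJECT/DROP.
# iptables walks a chain top to bottom and stops at the first matching
# terminating rule, so anything after "-A INPUT -j REJECT" is dead code.

# Constructed sample, rebuilt from the first post's INPUT listing in
# iptables-save syntax. "-i lo" on the third rule is an assumption:
# `iptables -L` without -v does not show interface matches.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# A catch-all is an -A line whose only option is the target (plus an
# optional --reject-with); any rule carrying a match expression is left alone.
CATCHALL='^-A [^ ]+ -j (REJECT|DROP)( --reject-with [^ ]+)?$'

# Print every rule that follows a catch-all in the same chain (stdin -> stdout).
shadowed_rules() {
    awk -v pat="$CATCHALL" '
        /^-A / {
            chain = $2
            if (chain in sealed) { print "unreachable in " chain ": " $0; next }
            if ($0 ~ pat) sealed[chain] = 1
        }
        /^COMMIT$/ { split("", sealed) }   # next table starts fresh
    '
}

# Emit the rule set with each catch-all held back until just before COMMIT,
# i.e. after every other rule of its chain (stdin -> stdout).
fix_order() {
    awk -v pat="$CATCHALL" '
        $0 ~ pat   { held[++n] = $0; next }
        /^COMMIT$/ { for (i = 1; i <= n; i++) print held[i]; n = 0 }
                   { print }
    '
}

# Demo on the constructed sample. On a live box, feed `iptables-save` to
# shadowed_rules, or /etc/sysconfig/iptables to fix_order and then
# iptables-restore the result.
printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
```

Only unconditional REJECT/DROP lines are moved; a REJECT that carries a match (a blocked source address, say) and deliberately precedes an ACCEPT stays where it is. Two related points for this particular rule set: with ip_conntrack_ftp (nf_conntrack_ftp on newer kernels) loaded, the RELATED,ESTABLISHED rule already admits the FTP data connections, so the `--sport 20` ACCEPT is not needed, and it lets any remote client that binds local port 20 reach every listening port on the box; and the REJECT being hit explains why an FTP client sees the connection fail at all, whatever error its client happens to report.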
  • Zealous
  • Guru
  • Posts: 1241
  • Loc: Sydney

Post 3+ Months Ago

This looks like a great contribution to the site, nice post. :)


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.