Back To Unix / Linux Forum

Can't prevent iptables from blocking vsftpd connections!

  • jammer2552
  • Graduate
  • Graduate
  • User avatar
  • Joined: Jul 23, 2006
  • Posts: 139
  • Status: Offline

Post October 6th, 2012, 8:17 am

Hello again, Ozzu community! I'm have a bit of an issue connecting to my newly installed vsftpd server while iptables is running. As soon as service iptables stop is executed and iptables shuts down, my FTP client connects right away! However, with iptables enabled, all I get are connection timeouts while trying to connect. :(

So, here is all the information you should (hopefully) need to diagnose my problem. :)

CentOS 6.3, using vsftpd (obviously) under xinetd. As I stated above, I have connected to the FTP server while iptables is disabled, so I know I have these two working together just fine.

iptables:
Code: [ Select ]
Table: filter
Chain INPUT (policy ACCEPT)
num target   prot opt source        destination    
1  ACCEPT   all -- 0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
2  ACCEPT   icmp -- 0.0.0.0/0      0.0.0.0/0     
3  ACCEPT   all -- 0.0.0.0/0      0.0.0.0/0     
4  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      state NEW tcp dpt:22
5  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp dpt:80
6  REJECT   all -- 0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited
7  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp dpt:21
8  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp spt:20

Chain FORWARD (policy ACCEPT)
num target   prot opt source        destination    
1  REJECT   all -- 0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target   prot opt source        destination    
  1. Table: filter
  2. Chain INPUT (policy ACCEPT)
  3. num target   prot opt source        destination    
  4. 1  ACCEPT   all -- 0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
  5. 2  ACCEPT   icmp -- 0.0.0.0/0      0.0.0.0/0     
  6. 3  ACCEPT   all -- 0.0.0.0/0      0.0.0.0/0     
  7. 4  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      state NEW tcp dpt:22
  8. 5  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp dpt:80
  9. 6  REJECT   all -- 0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited
  10. 7  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp dpt:21
  11. 8  ACCEPT   tcp -- 0.0.0.0/0      0.0.0.0/0      tcp spt:20
  13. Chain FORWARD (policy ACCEPT)
  14. num target   prot opt source        destination    
  15. 1  REJECT   all -- 0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited
  17. Chain OUTPUT (policy ACCEPT)
  18. num target   prot opt source        destination    


ip_conntrack_ftp is loaded.

I've tried several different rules concerning the vsftpd processes. The one listed above is the simplest one (no -m state --state NEW, etc.), with no difference in results.

Cheers to a good weekend!

-James
  • Anonymous
  • Bot
  • No Avatar
  • Joined: 25 Feb 2008
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post October 6th, 2012, 8:17 am

  • jammer2552
  • Graduate
  • Graduate
  • User avatar
  • Joined: Jul 23, 2006
  • Posts: 139
  • Status: Offline

Post October 6th, 2012, 1:02 pm

Well, I solved it.

For those who are noobs with iptables (like me), make sure that any REJECT rules, like the one included by default below, are after your accept rules, otherwise the REJECT rule takes precedence.

Code: [ Select ]
-A INPUT -j REJECT --reject-with icmp-host-prohibited


Now to enjoy my weekend!
  • Zealous
  • Guru
  • Guru
  • User avatar
  • Joined: Apr 15, 2011
  • Posts: 1195
  • Loc: Sydney
  • Status: Offline

Post October 7th, 2012, 12:59 am

this looks like a great contribution to the site, nice post. :)

Page 1 of 1

Post Information

  • Total Posts in this topic: 3 posts
  • Users browsing this forum: No registered users and 52 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.