IPtables settings to access a backup FTP
m at rtij.nl
Sat Aug 18 22:16:28 CEST 2007
> Hello, this is my first message so I hope I'm doing this right ! :)
> I've got iptables setup and running well on my server and up to now
> I've not had any problems, however I have just installed a backup
> system which needs to connect by FTP to a distant server.
> With my firewall disactivated all works fine, however with the
> firewall activated when I use the "ls" command of the debian ftp
> command line package (CWD) I get:
> 200 ok then a long wait then :
> 421 Service not available, remote server has closed connection.
> I've tried this on two different FTP's and it only works if the
> firewall is disactivated.
> One server is a plesk server but the server I need to connect to I do
> not know much about, with filezilla on my pc I've managed to connect
> to it with both FTP active and FTP passive so I guess it can do both.
> On my server I just do :
> ftp ftp.server.com
> So I'm not sure if it connects as passive or active.
> These are the ports that I have got open :
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
You don't need this (see below), but it is wrong anyhow. Active ftp uses
SOURCE port 20, not destination port 20. Most guides on the inuhnet
thingie get this wrong.
> -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
Do you also want to accept FTP connections? You don't need this to make
> -A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
This is nonsense.
> -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
This is the only rule you need to make outgoing FTP connections.
> Which ports do you suggest I should open to connect to this FTP server ?
It's not only about static ports. FTP uses dynamic ports as well that
must be tracked by a helper. Modprobe nf_contrack_ftp (ip_contrack_ftp
on older kernels) and all should be well.
More information about the netfilter