My FTP server is CentOS 5.4 with VSFTPD. When I try to `ls` after connecting to my server using FTP I get this:
```
ftp> ls
229 Entering Extended Passive Mode (|||12206|)
ftp: Can't connect to `000.000.000.000': Connection refused
500 Illegal PORT command.
425 Use PORT or PASV first.
```
I can do `mkdir` without any problem. When I connect from the same server to my FTP server I have no problem. Ports 20 and 21 are open in my iptables. How can I fix that?

Thanks!!
UPDATE:

```
telnet myftpserver.com 20
Trying 000.000.000.000...
telnet: connect to address 000.000.000.000: Connection refused
telnet: Unable to connect to remote host
```
and
```
[root@internal vsftpd]# /sbin/iptables -L -n
Chain INPUT (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0
SSH_CHECK            tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:22 state NEW

Chain FORWARD (policy ACCEPT)
target               prot opt source      destination
RH-Firewall-1-INPUT  all  --  0.0.0.0/0   0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target               prot opt source      destination

Chain RH-Firewall-1-INPUT (2 references)
target               prot opt source      destination
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:33988
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:3306
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:20
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:21
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:80
ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0
ACCEPT               icmp --  0.0.0.0/0   0.0.0.0/0    icmp type 255
ACCEPT               esp  --  0.0.0.0/0   0.0.0.0/0
ACCEPT               ah   --  0.0.0.0/0   0.0.0.0/0
ACCEPT               udp  --  0.0.0.0/0   224.0.0.251  udp dpt:5353
ACCEPT               udp  --  0.0.0.0/0   0.0.0.0/0    udp dpt:631
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0    tcp dpt:631
ACCEPT               all  --  0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
ACCEPT               tcp  --  0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:22
REJECT               all  --  0.0.0.0/0   0.0.0.0/0    reject-with icmp-host-prohibited

Chain SSH_CHECK (1 references)
target               prot opt source      destination
                     all  --  0.0.0.0/0   0.0.0.0/0    recent: SET name: SSH side: source
DROP                 all  --  0.0.0.0/0   0.0.0.0/0    recent: UPDATE seconds: 60 hit_count: 4 name: SSH side: source
```
The problem is related to the fact that passive FTP uses ports other than 20 and 21. Read about it here: http://slacksite.com/other/ftp.html

Usually I will set up a port range in the vsftpd.conf file for passive FTP and then open these ports on the firewall.

Also, I'm mostly a FreeBSD guy, but I'm pretty sure there is a way on Linux to dynamically open the FTP PASV ports; someone else will have to chime in on that one. I'll look and see what I can find.

EDIT:

First hit on Google: http://www.cyberciti.biz/faq/iptables-passive-ftp-is-not-working/

Better explanation: http://www.sns.ias.edu/~jns/wp/2006/01/12/iptables-connection-tracking-ftp/
Warner: For netfilter and passive FTP in Linux, make sure the `ip_conntrack_ftp` module is loaded or compiled in if monolithic. `lsmod` to list and `modprobe` to load. Ha, TFA says that too.

einstiien: @warner, Thank you, yeah that's what I found in that second link I posted.

benjisail: What is `ip_conntrack_ftp` doing?

einstiien: What it does is monitor the FTP traffic for the PORT command being sent out to the client. When it sees this command it looks at the port that vsftpd is opening (a random port > 1024) and then dynamically opens this port in the firewall.

benjisail: So I fixed my problem by doing this:

```
# vi /etc/sysconfig/iptables-config
IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"
# /sbin/service iptables restart
```

einstiien: You also need to add the rules mentioned in the link above; a better explanation is here: http://www.sns.ias.edu/~jns/wp/2006/01/12/iptables-connection-tracking-ftp/
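As an added example (not code from the thread above), the following script checks the fixed-range approach the answer describes: it extracts the data port from the server's 227/229 passive-mode reply, parses the ACCEPT lines of `iptables -L -n` output in the same format the question shows, and reports whether that port would get through. The `pasv_min_port`/`pasv_max_port` values and the `dpts:12000:12500` rule are hypothetical, chosen to cover the port 12206 from the question.

```python
import re

# Regexes for the two passive-mode reply forms and for iptables ACCEPT lines.
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
ACCEPT_RE = re.compile(r"^ACCEPT\s+tcp\b.*\btcp dpts?:(\d+)(?::(\d+))?")


def passive_port(reply):
    """Extract the data port from a 227 (PASV) or 229 (EPSV) control reply."""
    m = EPSV_RE.match(reply)
    if m:                       # EPSV carries only the port: (|||12206|)
        return int(m.group(1))
    m = PASV_RE.match(reply)
    if m:                       # PASV encodes the port as p1*256 + p2
        return int(m.group(5)) * 256 + int(m.group(6))
    raise ValueError("not a passive-mode reply: %r" % reply)


def accepted_tcp_ranges(iptables_output):
    """Collect (lo, hi) destination-port ranges from `iptables -L -n` ACCEPT lines."""
    ranges = []
    for line in iptables_output.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)   # single dpt:N becomes the range (N, N)
            ranges.append((lo, hi))
    return ranges


def port_allowed(port, ranges):
    """True if some ACCEPT rule covers the port."""
    return any(lo <= port <= hi for lo, hi in ranges)


# Constructed sample data: the reply from the question and two firewall states.
REPLY = "229 Entering Extended Passive Mode (|||12206|)"
FW_BEFORE = """\
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:20
ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:21
"""
# Hypothetical fixed ruleset: pasv_min_port=12000 / pasv_max_port=12500 in
# vsftpd.conf plus a matching `--dport 12000:12500` ACCEPT rule.
FW_AFTER = FW_BEFORE + "ACCEPT     tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpts:12000:12500\n"

if __name__ == "__main__":
    p = passive_port(REPLY)
    for name, fw in (("before", FW_BEFORE), ("after", FW_AFTER)):
        ok = port_allowed(p, accepted_tcp_ranges(fw))
        print(name, p, "allowed" if ok else "refused")
```

The same check applies when the server uses the conntrack-helper approach from the comments, except that the data port is then opened dynamically and will not appear as a static ACCEPT line.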