
#1 2007-08-15 10:03:22

calef13
Member
Registered: 2007-06-10
Posts: 142

ftp firewall problem[FIXED]

Hi,

I am trying to set up vsftpd on a home server running Arch. Everything works fine, but I can only log in with iptables disabled, or else the directory listing (list command) fails. I have opened ports 20 and 21 and have connect_from_port_20=YES in vsftpd.conf, and I cannot figure out what is wrong.

Below is my iptables -L:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             //<----Allow all local loopback connections
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

SSH works fine and I have 'vsftpd:ALL' in my /etc/hosts.allow.

Can anyone tell me what I am doing wrong with the firewall? I am pretty new to iptables.

Calef13

Last edited by calef13 (2007-08-15 18:23:35)


#2 2007-08-15 14:48:35

hongy19
Member
From: China
Registered: 2005-04-08
Posts: 83

Re: ftp firewall problem[FIXED]

I have the same problem.
When vsftpd is in standalone mode with tcp_wrapper support,
the user can log in, but the list command fails.

But if vsftpd is in standalone mode with no tcp_wrapper support, everything is OK.

Something like this:

[md@Arch ~]$ ftp -vd 192.168.1.100
Connected to 192.168.1.100.
220 (vsFTPd 2.0.5)
Name (192.168.1.100:md): anonymous
---> USER anonymous
421 Timeout.
Login failed.
---> SYST
No control connection for command: Success
ftp> quit

Last edited by hongy19 (2007-08-15 14:53:38)


#3 2007-08-15 16:46:23

calef13
Member
Registered: 2007-06-10
Posts: 142

Re: ftp firewall problem[FIXED]

Unfortunately, disabling tcp wrappers doesn't fix my problem, so I'm doubly sure it's only the firewall, but my firewall is fine afaik; I followed the guide on the wiki to an extent, simplifying it down. I guess blocking ICMP messages isn't a great idea, but they aren't vital and aren't contributing to the problem as far as I can tell; Wireshark isn't showing any ICMP messages.

Anyone else have any advice to offer?

Calef13


#4 2007-08-15 18:02:21

jerem
Member
From: France
Registered: 2005-01-15
Posts: 310

Re: ftp firewall problem[FIXED]

You need the FTP conntrack helper module.

I don't remember the exact name, but it may be ip_conntrack_ftp.


#5 2007-08-15 18:23:17

calef13
Member
Registered: 2007-06-10
Posts: 142

Re: ftp firewall problem[FIXED]

That fixed it, thanks so much; this has been bugging me for ages. Where did you find that out? I should look into this more. BTW, I think we should add this to the wiki, what do you think?

Calef13
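
Why the fix in #4 works, as an added example that is not part of any post in this thread: the FTP conntrack helper reads the server's 227 reply on the control connection and registers the announced data port, so the data connection matches the RELATED rule instead of falling through to policy DROP. The Python below models the INPUT chain from #1 against a constructed 227 reply. Passive mode (not stated in the thread), the sample address and port, and all function names are assumptions.

```python
import re

# Constructed 227 reply (not captured from the thread): 195*256 + 80 = 50000.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,100,195,80)"

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def data_endpoint(line):
    """Return (ip, port) announced in a 227 reply, or None for any other line."""
    if not line.startswith("227 "):
        return None
    m = _TUPLE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

# INPUT chain from post #1, reduced to what matters here (loopback rule
# omitted): open TCP ports, then RELATED,ESTABLISHED, then policy DROP.
OPEN_TCP_PORTS = {22, 21, 20, 80, 443}

def input_verdict(dport, new_conn, expected_ports):
    """Model the posted INPUT chain for one inbound TCP packet.

    expected_ports: data ports the FTP helper has learned from the control
    channel; empty when the helper module is not loaded.
    """
    if dport in OPEN_TCP_PORTS:
        return "ACCEPT"
    if not new_conn:
        return "ACCEPT"      # state ESTABLISHED
    if dport in expected_ports:
        return "ACCEPT"      # state RELATED (helper expectation)
    return "DROP"            # chain policy

def list_outcome(helper_loaded):
    """Verdict for the passive-mode data connection that carries LIST output."""
    _, port = data_endpoint(PASV_REPLY)
    expected = {port} if helper_loaded else set()
    return port, input_verdict(port, new_conn=True, expected_ports=expected)

if __name__ == "__main__":
    print("helper not loaded:", list_outcome(False))
    print("helper loaded:    ", list_outcome(True))
```

On kernels where ip_conntrack_ftp is not found, the same helper is named nf_conntrack_ftp.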

