I think you are asking two netfilter/iptables questions here:

1) How to "clear" an iptables configuration so all traffic is allowed?
2) How to allow FTP traffic through netfilter/iptables?

Let's address each question in turn.

##### 1. Allowing all traffic, for debugging purposes #####

On Wed, Jul 1, 2015, at 17:15, bri...@aracnet.com wrote:
> easy to test, right ? simply disable the firewall and see if it works.
> iptables -F
> but i still get connection refused.

According to the iptables(8) manpage, running the "iptables -F" command is
"equivalent to deleting all the rules one by one" from every chain in the
table. Since no table is selected, this defaults to the "filter" table.

My guess is that your INPUT chain uses the DROP policy, which is normally a
good idea but which is interfering with your debugging attempt. Deleting
rules does not change a chain's policy. Try this on the machine which has
the firewall, and then try connecting to vsftpd from another machine on the
local network:

    iptables -F
    iptables -P INPUT ACCEPT

But of course, as soon as you've verified that vsftpd is working, reload
some reasonable firewall configuration using iptables-restore(8) or similar
as quickly as possible! Nothing good will come of having an empty INPUT
chain with a default ACCEPT policy.

##### 2. Allowing FTP traffic #####

First, if you're not familiar with the concepts, read up a little on active
FTP versus passive FTP:

    http://slacksite.com/other/ftp.html

I'll describe how to get passive FTP working on the server, because unlike
with active FTP, passive FTP doesn't require any special firewall
configuration on the client side. In particular, if you intend to connect
to your FTP server from somewhere on the Internet, passive mode will be
much easier to use.

Making passive FTP work will require some advanced usage of the netfilter
"conntrack" module and its FTP helper. For more information, read this:

    https://home.regit.org/netfilter-en/secure-use-of-helpers/

Armed with this knowledge, let's get started.

Punch a hole in the server's firewall to accept connections on port 21 (the
FTP "command" port), by running this command:

    iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Now, to allow FTP data packets in passive mode, configure the firewall to
accept any packet which the conntrack module and its FTP helper have
determined to be RELATED to an established connection:

    iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT

You might already have a rule like this. Use "iptables -L" to find out.

And now load the kernel module which provides the FTP helper for the
netfilter conntrack module. The first of the following commands loads the
module immediately, while the second ensures that the module is loaded each
time the system boots in the future:

    modprobe nf_conntrack_ftp
    echo "nf_conntrack_ftp" >> /etc/modules

By default, vsftpd is already configured to allow passive mode FTP, and
passive mode FTP is supported out-of-the-box by many FTP clients, including
the Debian standard package "ftp" and the file manager in Windows. To use
passive mode in the Debian ftp client, try running the "passive" command as
follows:

    $ ftp
    ftp> open localhost
    Connected to localhost.
    220 (vsFTPd 3.0.2)
    Name (localhost:user): anonymous
    331 Please specify the password.
    Password: none
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> passive
    Passive mode on.
    ftp>

##### Conclusion #####

Of course, if you want things to be easier and more secure, just use SFTP
instead ;) The following rule would be sufficient for SSH, SFTP, SCP, etc.;
no need to add any kernel modules or set up additional rules:

    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Louis Wust

On Wed, Jul 1, 2015, at 17:15, bri...@aracnet.com wrote:
> i've set up vsftpd on a couple of machines
>
> one has a firewall, and one does not.
>
> ftp's to the machine without the firewall work fine.
>
> ftp's to the machine with the firewall, still from the internal
> network, do not.
>
> easy to test, right ? simply disable the firewall and see if it works.
> iptables -F
> but i still get connection refused.
>
> any suggestions ?
>
> Thanks,
>
> Brian
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmas...@lists.debian.org
> Archive:
> https://lists.debian.org/20150701141544.0b0a6...@cedar.deldotd.com

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmas...@lists.debian.org
Archive:
https://lists.debian.org/1435953353.1911730.314720561.03097...@webmail.messagingengine.com
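Added example (not code from this thread, vsftpd or netfilter): a POSIX sh function that writes the rules from the reply above as one iptables-restore(8) ruleset, plus a check that the file keeps INPUT on DROP and opens only the ports asked for. It goes one step past the reply's plain RELATED rule by tying that match to the ftp helper and assigning the helper explicitly in the raw table, the approach the secure-use-of-helpers page linked above recommends; the function names, the port argument and the "ssh" flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): print the vsftpd firewall described
# above as an iptables-restore(8) ruleset, to be reviewed and then loaded
# as root with: iptables-restore < vsftpd.rules
# Assumptions (this example's own): nf_conntrack_ftp is loaded; the function
# names, the port argument and the optional "ssh" flag are invented here.
# Usage: ftp_ruleset [command-port] [ssh]   -> ruleset on stdout
ftp_ruleset() {
    port="${1:-21}"
    cat <<EOF
*raw
# attach the FTP helper only to the command port, not by automatic lookup
-A PREROUTING -p tcp -m tcp --dport ${port} -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies on connections this host already accepted
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# passive-mode data connections: RELATED, and only as judged by the ftp helper
-A INPUT -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
# the FTP command channel
-A INPUT -p tcp -m tcp --dport ${port} -j ACCEPT
EOF
    # optional: the one rule the reply says is enough for SSH/SFTP/SCP
    if [ "${2:-}" = "ssh" ]; then
        printf '%s\n' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
    fi
    printf 'COMMIT\n'
}

# Check a ruleset before loading it: INPUT must keep its DROP policy, the
# command port must be open, and port 22 only when asked. Returns 0 if ok.
check_ruleset() {
    rules="$1"; cport="$2"; want_ssh="$3"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport ${cport} -j ACCEPT" || return 1
    if [ "$want_ssh" = "ssh" ]; then
        printf '%s\n' "$rules" | grep -q -- '--dport 22 -j ACCEPT' || return 1
    else
        ! printf '%s\n' "$rules" | grep -q -- '--dport 22 -j ACCEPT' || return 1
    fi
}

rules="$(ftp_ruleset)"
check_ruleset "$rules" 21 "" && printf '%s\n' "$rules"
```

iptables-restore(8) skips lines beginning with "#", so the comments can stay in the saved file.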