On Fri, 03 Jul 2015 15:55:53 -0400 Louis Wust <louisw...@fastmail.fm> wrote:
what a terrific reply !

> I think you are asking two netfilter/iptables questions here:
> 1) How to "clear" an iptables configuration so all traffic is allowed?
> 2) How to allow FTP traffic through netfilter/iptables?
>
> Let's address each question in turn.
>
> #####
> 1. Allowing all traffic, for debugging purposes
> #####
>
> attempt. Deleting rules does not change a chain's policy. Try this on
> the machine which has the firewall, and then try connecting to vsftpd
> from another machine on the local network:
>
> iptables -F
> iptables -P INPUT ACCEPT

connection refused.

so it seems i have to stop there and get that figured out.

just to recap.

machine 1: firewall. i can ftp into machine 2
machine 2: no firewall. i cannot ftp into machine 1

i tried the iptables commands as you explained above, and still get
connection refused.

here's the really interesting part. when logged in on machine 1:

ftp localhost: works
ftp machine1: connection refused

??!!

this is really strange...

Brian

> But of course, as soon as you've verified that vsftpd is working, reload
> some reasonable firewall configuration using iptables-restore(8) or
> similar as quickly as possible! Nothing good will come of having an
> empty INPUT chain with a default ACCEPT policy.
>
> #####
> 2. Allowing FTP traffic
> #####
>
> First, if you're not familiar with the concepts, read up a little on
> active FTP versus passive FTP:
>
> http://slacksite.com/other/ftp.html
>
> I'll describe how to get passive FTP working on the server, because
> unlike with active FTP, passive FTP doesn't require any special firewall
> configuration on the client side. In particular, if you intend to
> connect to your FTP server from somewhere on the Internet, passive mode
> will be much easier to use.
>
> Making passive FTP work will require some advanced usage of the
> netfilter "conntrack" module and its FTP helper. For more information,
> read this:
>
> https://home.regit.org/netfilter-en/secure-use-of-helpers/
>
> Armed with this knowledge, let's get started.
>
> Punch a hole in the server's firewall to accept connections on port 21
> (the FTP "command" port), by running this command:
>
> iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
>
> Now, to allow FTP data packets in passive mode, configure the firewall
> to accept any packet which the conntrack module and its FTP helper have
> determined to be RELATED to an established connection:
>
> iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
>
> You might already have a rule like this. Use "iptables -L" to find out.
>
> And now load the kernel module which provides the FTP helper for the
> netfilter conntrack module. The first of the following commands loads
> the module immediately, while the second ensures that the module is
> loaded each time the system boots in the future:
>
> modprobe nf_conntrack_ftp
> echo "nf_conntrack_ftp" >> /etc/modules
>
> By default, vsftpd is already configured to allow passive mode FTP, and
> passive mode FTP is supported out-of-the-box by many FTP clients,
> including the Debian standard package "ftp" and the file manager in
> Windows. To use passive mode in the Debian ftp client, try running the
> "passive" command as follows:
>
> $ ftp
> ftp> open localhost
> Connected to localhost .
> 220 (vsFTPd 3.0.2)
> Name (localhost:user): anonymous
> 331 Please specify the password.
> Password: none
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> passive
> Passive mode on.
> ftp>
>
> #####
> Conclusion
> #####
>
> Of course, if you want things to be easier and more secure, just use
> SFTP instead ;)
>
> The following rule would be sufficient for SSH, SFTP, SCP, etc.; no need
> to add any kernel modules or set up additional rules:
>
> iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
>
> Louis Wust
>
> On Wed, Jul 1, 2015, at 17:15, bri...@aracnet.com wrote:
> > i've set up vsftpd on a couple of machines
> >
> > one has a firewall, and one does not.
> >
> > ftp's to the machine without the firewall work fine.
> >
> > ftp's to the machine with the firewall, still from the internal
> > network, do not.
> >
> > easy to test, right ? simply disable the firewall and see if it works.
> >
> > iptables -F
> >
> > but i still get connection refused.
> >
> > any suggestions ?
> >
> > Thanks,
> >
> > Brian
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmas...@lists.debian.org
> > Archive:
> > https://lists.debian.org/20150701141544.0b0a6...@cedar.deldotd.com
>

Archive: https://lists.debian.org/20150703193633.7776f...@cedar.deldotd.com
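As an added illustration of two points in Louis's reply (flushing rules with `iptables -F` leaves the chain's policy untouched, and the passive-mode data connection only passes the RELATED rule because the nf_conntrack_ftp helper tags it), here is a small Python model of INPUT-chain evaluation that reads `iptables -S INPUT` style text. It is not code from the thread; the rule dumps, the data port 40000 and the packet states are constructed.

```python
"""Constructed model of netfilter INPUT-chain evaluation (not iptables itself):
the first matching rule decides, otherwise the chain policy applies.
Only the matches used in this thread are understood: -p, --dport, --ctstate."""
import shlex

def parse_chain(dump):
    """Return (policy, rules) from text in the format of `iptables -S INPUT`."""
    policy, rules = "ACCEPT", []          # a chain with no -P line defaults to ACCEPT
    for line in dump.strip().splitlines():
        argv = shlex.split(line)
        if argv[:2] == ["-P", "INPUT"]:
            policy = argv[2]
        elif argv[:2] == ["-A", "INPUT"]:
            rule = {"target": argv[argv.index("-j") + 1]}
            if "-p" in argv:
                rule["proto"] = argv[argv.index("-p") + 1]
            if "--dport" in argv:
                rule["dport"] = int(argv[argv.index("--dport") + 1])
            if "--ctstate" in argv:
                rule["ctstate"] = set(argv[argv.index("--ctstate") + 1].split(","))
            rules.append(rule)
    return policy, rules

def verdict(dump, proto, dport, ctstate="NEW"):
    """Verdict for one inbound packet; ctstate is what conntrack assigned it."""
    policy, rules = parse_chain(dump)
    for r in rules:
        if "proto" in r and r["proto"] != proto:
            continue
        if "dport" in r and r["dport"] != dport:
            continue
        if "ctstate" in r and ctstate not in r["ctstate"]:
            continue
        return r["target"]
    return policy                          # no rule matched: policy decides

# Constructed dumps. FLUSHED is what `iptables -F` alone leaves behind when the
# policy was DROP; FTP_SERVER is the ruleset built in the reply (plus the usual
# ESTABLISHED match so replies to outbound connections get in).
FLUSHED = "-P INPUT DROP\n"
FTP_SERVER = """-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    print("after -F only, port 21:", verdict(FLUSHED, "tcp", 21))
    print("passive data, helper loaded:", verdict(FTP_SERVER, "tcp", 40000, "RELATED"))
    print("passive data, no helper:", verdict(FTP_SERVER, "tcp", 40000, "NEW"))
```

With the helper loaded the data connection arrives as RELATED and is accepted; without nf_conntrack_ftp the same packet is NEW and falls through to the DROP policy, which is why the module matters as much as the rules.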