FC3: How to set iptables rules for ftp passive mode

Thanks for reply

I did it, and restarted both of network and iptables. But I still got the same complains.

ok don't worry and do this
#setup
select Firewall Configuration
select Run tools
select Firewall enable and then select customize
select FTP
select ok
run the command
#/etc/init.d/iptables restart
now check it

I'm sorry, now only active mode works.  Passive mode doesn't works no matter firewall enabled or not.

1. Are you trying to ftp from the box that runs the fw ?
2. Are you trying to ftp to the box that runs the fw ?
or
3. Are you trying to ftp through the box that runs the fw, from a host to a server.

from which OS u r trying to access the ftp server

#
iptables -A FORWARD -p tcp --sport 1024: --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --sport 20:21 --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT

# and/or
iptables -A INPUT -p tcp --sport 1024: --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20:21 --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT

I usually have

iptables -P OUTPUT -j ACCEPT

and in the input rules
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT


and it works passive or active.

you do not need forward unless you are DNATing to an internal ftp server.

Thanks for all reply.

>1. Are you trying to ftp from the box that runs the fw ?
Yes. I'm on a fc3 box. But I can't disable the fw

>2. Are you trying to ftp to the box that runs the fw ?
Yes. It's Red Hat Enterprise Linux AS release 3 (Taroon Update 8) with iptables enabled, I don't have root right on that box. And the ftp server is vsFTPd 1.2.1

My situation is

Both of fc3 box and the ftp server are in the LAN but on the different network segment.  
I have tried all above methods, none of them worked.
I disabled the fw on my box, but it still failed to let passive work.
I ftp from WINDOWS XP box, both of active and passive mode work fine.
Route table infomation posted on Code Snippet.

any ideas?

Here are route table infomation on my fc3 box
 
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.14.9.0       *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
default         10.14.9.1       0.0.0.0         UG    0      0        0 eth0
                                              

1:
2:
3:
4:
5:
6:
7:

so you were moving the firewall ON THE CLIENT :-)

we were thinking on the SERVER firewall.

if you can ftp from windows and from linux no, then it can be because of the ports are limited to a range.

I do this when I need to limit ports used by mi programs on the client:

# Add this to your rc.local so it is run at each startup:
echo 1024 32768 > /proc/sys/net/ipv4/ip_local_port_range
echo 1024       > /proc/sys/net/ipv4/tcp_max_syn_backlog

This way new tcp connections will work like in a windows machine (cuting by half the max number of connections you can have at any tine, from 64K to 32K, which is A LOT specially for a client machine)

Once you do that (again, on the client), try to reconnect to the server and use passive mode to see if it works.

Regards

I'm sorry. It' still didn't work. Should I do it on both of server side and client side? I just do it on client side. I don't have root right on server side.

> I don't have root right on server side
then you're not doing any changes on the server, in particular the firewall, do you?
Hence you first need to ensure that your server allows ftp as you need it.

When you ftp what is the error you get ?
  A. Timeout ?
  B. Password prompt ?  If you get this far port 21 is open, the controll connection.
      You can verify with  #telnet   ip_rh 21
       And see if you can connect.
   C. If you enter password and cant transfer files then it could be the data connection that does not open port 20.

I can logon the ftp server. While I use ls to get the list, it showed ""227 Entering Passive Mode (10,36,6,44,180,141)  ftp: connect: No route to host". I have to turn off passive mode, then I can get the list and transfer files. I disabled the firewall, the issue still exist.

Here are a post I found

# firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
modprobe ip_conntrack
modprobe ip_conntrack_ftp

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Rest of rules

I did it following above steps. It drops my network connection. I have to disable the iptables and restart networking.

let me ask

is the other ftp server on 10.36.6.44 ? because if not, you will not be able to connect using passive mode unless you setup the ftp server to be behind a firewall

The situation is

1. server is on 10.36.6.44
2. I'm on 10.14.9.23.  I can access the server under both linux box and windows box
3. on the windows box, the ftp works fine with both passive and active mode
4. on the linux box, the ftp only works with active mode, even I disabled the firewall  of the linux box.
5. I did all of above methods, none of them works for me.

I think it maybe some default rules just like under proc/sys/net/ipv4 or something like it stop me, but I don't know. It's very strange that all the methods found on the Internet didn't work for me. I just want to know the reason.

what ftp client are you using?

if you are using ftp, please try with pftp -or-more advanced console clients like ncftp or lftp (I think ncftp is the best console ftp client), for graphic ftp clients there is FileZilla or gftp.

would you mind to try  with these? client firewall turned off please.

Is the windows box you tested from also in the 10.36.6.xx subnet ?

>Is the windows box you tested from also in the 10.36.6.xx subnet ?
No. I use dual OS, the windows box in 10.14.9.x

>would you mind to try  with these? client firewall turned off please.
I use the fc3 native ftp client. I tried ncftp, the same result , the passive mode sitll failed, but it switched to active mode automaticly

Connecting to 10.36.6.44...
(vsFTPd 1.2.1)
Logging in...
Login successful.
Logged in to 10.36.6.44.
ncftp / > dir
connect failed: No route to host.
Falling back to PORT instead of PASV mode.
drwxr-xr-x    2 0        0         4096   Feb 24  2006   pub

gftp also showed "227 Entering Passive Mode (10,36,6,44,150,101) Cannot create a data connection: No route to host"

I does not make sense to me.

Your ftp connects on port 21, and you log in.
Then when it tries to open the passive mode connection to the same server you get "No route to host"
I does sound like a firewall or acl is only allowing port 21 through outbound.

Can you open a 2nd console and do a packet trace.  
1.  When you do the dir/ls see if there is packets leaving your host to the server.
2. Check for any ICMP traffic from routers or remote server.

I assume your lan connection is on eth0
# tcpdump  -i eth0 -f "host 10.36.6.44 or proto \icmp"

Here are the output

[root@beks-m04 jerry]# /usr/sbin/tcpdump  -i eth0 -f "host 10.36.6.44 or proto \icmp"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:57:11.897450 IP 10.14.9.23.37143 > 10.36.6.44.ftp: S 3987484028:3987484028(0) win 5840 <mss 1460,sackOK,timestamp 27900156 0,nop,wscale 2>
16:57:11.929742 IP 10.36.6.44.ftp > 10.14.9.23.37143: S 3608314924:3608314924(0) ack 3987484029 win 5792 <mss 1460,sackOK,timestamp 546773206 27900156,nop,wscale 0>
16:57:11.929784 IP 10.14.9.23.37143 > 10.36.6.44.ftp: . ack 1 win 1460 <nop,nop,timestamp 27900157 546773206>
16:57:11.929809 IP 10.36.6.44.ftp > 10.14.9.23.37143: P 1:21(20) ack 1 win 5792 <nop,nop,timestamp 546773207 27900157>
16:57:11.929835 IP 10.14.9.23.37143 > 10.36.6.44.ftp: . ack 21 win 1460 <nop,nop,timestamp 27900159 546773207>
16:57:11.898055 IP 10.14.9.23.37143 > 10.36.6.44.ftp: P 1:14(13) ack 21 win 1460 <nop,nop,timestamp 27900187 546773207>
16:57:11.898391 IP 10.36.6.44.ftp > 10.14.9.23.37143: . ack 14 win 5792 <nop,nop,timestamp 546773209 27900187>
16:57:11.898470 IP 10.36.6.44.ftp > 10.14.9.23.37143: P 21:59(38) ack 14 win 5792 <nop,nop,timestamp 546773209 27900187>
16:57:11.898579 IP 10.14.9.23.37143 > 10.36.6.44.ftp: P 14:32(18) ack 59 win 1460 <nop,nop,timestamp 27900187 546773209>
16:57:11.898953 IP 10.36.6.44.ftp > 10.14.9.23.37143: P 59:97(38) ack 32 win 5792 <nop,nop,timestamp 546773209 27900187>
16:57:11.938716 IP 10.14.9.23.37143 > 10.36.6.44.ftp: . ack 97 win 1460 <nop,nop,timestamp 27900228 546773209>
16:57:13.780708 IP 10.14.9.23.37143 > 10.36.6.44.ftp: P 32:44(12) ack 97 win 1460 <nop,nop,timestamp 27902070 546773209>
16:57:13.781131 IP 10.36.6.44.ftp > 10.14.9.23.37143: P 97:131(34) ack 44 win 5792 <nop,nop,timestamp 546773398 27902070>
16:57:13.813390 IP 10.14.9.23.37143 > 10.36.6.44.ftp: . ack 131 win 1460 <nop,nop,timestamp 27902102 546773398>
16:57:14.666791 IP 10.14.9.23.37143 > 10.36.6.44.ftp: P 44:56(12) ack 131 win 1460 <nop,nop,timestamp 27902956 546773398>
16:57:14.672418 IP 10.36.6.44.ftp > 10.14.9.23.37143: P 131:154(23) ack 56 win 5792 <nop,nop,timestamp 546773487 27902956>
16:57:14.694345 IP 10.14.9.23.37143 > 10.36.6.44.ftp: . ack 154 win 1460 <nop,nop,timestamp 27902984 546773487>
16:57:14.694389 IP 10.14.9.23.37143 > 10.36.6.44.ftp: P 56:62(6) ack 154 win 1460 <nop,nop,timestamp 27902984 546773487>
16:57:14.694753 IP 10.36.6.44.ftp > 10.14.9.23.37143: P 154:173(19) ack 62 win 5792 <nop,nop,timestamp 546773489 27902984>
16:57:14.748289 IP 10.14.9.23.37143 > 10.36.6.44.ftp: . ack 173 win 1460 <nop,nop,timestamp 27903038 546773489>
16:57:16.245446 IP 10.14.9.23.37143 > 10.36.6.44.ftp: P 62:68(6) ack 173 win 1460 <nop,nop,timestamp 27904535 546773489>
16:57:16.245967 IP 10.36.6.44.ftp > 10.14.9.23.37143: P 173:220(47) ack 68 win 5792 <nop,nop,timestamp 546773644 27904535>
16:57:16.246029 IP 10.14.9.23.37143 > 10.36.6.44.ftp: . ack 220 win 1460 <nop,nop,timestamp 27904535 546773644>
16:57:16.246153 IP 10.14.9.23.53120 > 10.36.6.44.36679: S 4007317256:4007317256(0) win 5840 <mss 1460,sackOK,timestamp 27904536 0,nop,wscale 2>
16:57:16.246548 IP 10.36.6.44 > 10.14.9.23: icmp 68: host 10.36.6.44 unreachable - admin prohibited

Thank you for your comments.

But why the ftp server didn't block the data connection of the windows box ftp?  On windows box, the ftp works for active and passive mode fine.