[Last Call] Learn how to a build a cloud-first strategyRegister Now


iptables needs to allow ftp data for openvpn

Posted on 2010-01-08
Medium Priority
Last Modified: 2013-12-06
I have a RHEL 5.4 server running openvpn.  The server routes most traffic correctly.  I need the iptables rule(s) that will allow ftp data from any host on to any host on  I believe it is the high port ranges that need to be open 1024:65535.... port 20 is open.
Question by:SRG041808
  • 7
  • 6

Expert Comment

ID: 26291447
iptables -A FORWARD --src --dst -p tcp --dport ftp

Hope this helps,


Author Comment

ID: 26293217
This one didnt work....

I'm going to try to tweak it... maybe "input" instead of "forward"

this is the error i still receive

ftp> dir
500 Illegal PORT command.
425-Can't build data connection for,49513
425 connect to network object rejected


Accepted Solution

bplant earned 1000 total points
ID: 26297677
I forgot to put "-j ACCEPT" on the end. Try this instead:

iptables -I FORWARD --src --dst -p tcp --dport ftp -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.


Author Comment

ID: 26340815
I also tried to reverse the source and destination network addresses but it still didnt work....

Alternatively I would be ok with a table rule that allows ftp to specified hosts and   ...  Those are the only machines that i need access to for ftp....

NOTE: I'm getting the same error still....

Expert Comment

ID: 26343627
Is the FTP helper module loaded? Post the output of the lsmod command.

Author Comment

ID: 26343664
It appears so...  I posted all of the output in case theres more info needed

Module                  Size  Used by
ip_conntrack_ftp       11569  0
ip_conntrack_netbios_ns     6977  0
xt_state                6209  19
iptable_filter          7105  1
ipt_MASQUERADE          7617  1
iptable_nat            11077  1
ip_nat                 21101  2 ipt_MASQUERADE,iptable_nat
ip_conntrack           53281  6 ip_conntrack_ftp,ip_conntrack_netbios_ns,xt_state,ipt_MASQUERADE,iptable_nat,ip_nat
nfnetlink              10713  2 ip_nat,ip_conntrack
ip_tables              17029  2 iptable_filter,iptable_nat
netloop                10945  0
netbk                  78273  0 [permanent]
ipt_REJECT              9665  0
blktap                118373  2 [permanent]
blkbk                  22753  0 [permanent]
bridge                 53853  0
autofs4                29253  3
hidp                   23105  2
rfcomm                 42457  0
l2cap                  29505  10 hidp,rfcomm
bluetooth              53925  5 hidp,rfcomm,l2cap
tun                    21441  2
lockd                  63209  0
sunrpc                145533  2 lockd
ip6t_REJECT             9409  1
xt_tcpudp               7105  34
ip6table_filter         6849  1
ip6_tables             18053  1 ip6table_filter
x_tables               17349  8 xt_state,ipt_MASQUERADE,iptable_nat,ip_tables,ipt_REJECT,ip6t_REJECT,xt_tcpudp,ip6_tables
ib_iser                37145  0
rdma_cm                35577  1 ib_iser
ib_cm                  39853  1 rdma_cm
iw_cm                  13125  1 rdma_cm
ib_sa                  39349  2 rdma_cm,ib_cm
ib_mad                 37717  2 ib_cm,ib_sa
ib_core                63557  6 ib_iser,rdma_cm,ib_cm,iw_cm,ib_sa,ib_mad
ib_addr                11845  1 rdma_cm
iscsi_tcp              19785  0
bnx2i                  40413  0
cnic                   26317  1 bnx2i
uio                    14921  1 cnic
cxgb3i                 43657  0
cxgb3                 168601  1 cxgb3i
8021q                  24649  1 cxgb3
libiscsi_tcp           21957  2 iscsi_tcp,cxgb3i
libiscsi2              42181  5 ib_iser,iscsi_tcp,bnx2i,cxgb3i,libiscsi_tcp
scsi_transport_iscsi2    37709  7 ib_iser,iscsi_tcp,bnx2i,cxgb3i,libiscsi2
scsi_transport_iscsi     6085  1 scsi_transport_iscsi2
dm_multipath           24909  0
scsi_dh                11713  1 dm_multipath
video                  21193  0
hwmon                   7365  0
backlight              10049  1 video
sbs                    18533  0
i2c_ec                  9025  1 sbs
button                 10705  0
battery                13637  0
asus_acpi              19289  0
ac                      9157  0
ipv6                  267617  111 ip6t_REJECT,cnic
xfrm_nalgo             13381  1 ipv6
crypto_api             12609  1 xfrm_nalgo
parport_pc             29157  0
lp                     15849  0
parport                37641  2 parport_pc,lp
floppy                 54949  0
scb2_flash              8525  0
mtdcore                 9989  1 scb2_flash
chipreg                 7361  1 scb2_flash
i2c_piix4              13133  0
ide_cd                 40161  0
serial_core            24641  0
i2c_core               23745  2 i2c_ec,i2c_piix4
hpilo                  13389  0
pcspkr                  7105  0
tg3                   116421  0
cdrom                  36577  1 ide_cd
serio_raw              10693  0
dm_raid45              67273  0
dm_message              6977  1 dm_raid45
dm_region_hash         15809  1 dm_raid45
dm_mem_cache            9921  1 dm_raid45
dm_snapshot            23013  0
dm_zero                 6209  0
dm_mirror              24521  0
dm_log                 14657  3 dm_raid45,dm_region_hash,dm_mirror
dm_mod                 63225  11 dm_multipath,dm_raid45,dm_snapshot,dm_zero,dm_mirror,dm_log
cciss                  68549  4
sd_mod                 25281  0
scsi_mod              141973  9 ib_iser,iscsi_tcp,bnx2i,cxgb3i,libiscsi2,scsi_transport_iscsi2,scsi_dh,cciss,sd_mod
ext3                  125001  3
jbd                    57065  1 ext3
uhci_hcd               25677  0
ohci_hcd               24937  0
ehci_hcd               34253  0


Expert Comment

ID: 26343880
Looks like it is loaded. Are you using encrypted FTP? The FTP helper module doesn't work with encrypted FTP. Also, try using passive mode FTP.

You could also add the following rule at the end of the FORWARD chain to determine why packets are not allowed through:

iptables -A FORWARD -j LOG --log-prefix " logged packet "

Do you have a firewall on the other end of the VPN that might be blocking the traffic?

Author Comment

ID: 26344048
I'm not using encrypted FTP....  Just basic windows command line FTP....  

when I try to enter passive mode I get this error and have to "CTRL+C" because it locks up.... also the same error when I use "ls" command

ftp> quote pasv
227 Entering Passive Mode (192,168,1,5,227,55)
ftp> dir
500 Illegal PORT command.
Aborting any active data connections...

I have added the logging rule to my iptables.....

There is no firewall on the client side...  windows firewall or otherwise......

on the server side there is a pix 506e and then the iptables on the server itself....

openvpn is supposed to route all traffic through port 1194 ......

I'm attaching my current iptables config so you can see what im working with...

now that I have added the logging how do I view the logs??

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
#let's set up NAT
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5670 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 33333 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1023 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 7906 -j ACCEPT
#custom commands below
#trying to get ftp data to work
-A FORWARD -j LOG --log-prefix " logged packet "
-I INPUT --source -j ACCEPT
-I FORWARD --src --dst -p tcp --dport ftp -j ACCEPT
-I FORWARD --src --dst -p tcp --dport ftp -j ACCEPT
#below commands work, these are needed by openvpn
-A RH-Firewall-1-INPUT -i tap0 -j ACCEPT
-A FORWARD -i tap0 -j ACCEPT
-A OUTPUT -o tap0 -j ACCEPT

Open in new window


Expert Comment

ID: 26344690
The logs should show up in /var/log/messages

I've noticed  that you have no drop rules and no drop policy set on the forward and input chains which means your firewall is accepting all traffic regardless of the rules you add. I don't think it's an issue with your firewall.

Author Comment

ID: 26344958
There was too much other stuff in /var/log/messages .... created a new iptables log file.... and after attempting an ftp session there was no new input... If its not a firewall issue where should I look?  

everything works fine when connected to the lan...

could it not be forwarding correctly?


Expert Comment

ID: 26345007
I think your best bet might be to use tcpdump on both your LAN interface (eth0?) and on your openvpn interface (tap0?). This should show you exactly what traffic is going where.

Author Comment

ID: 26345135
I'll try that
LVL 16

Assisted Solution

Blaz earned 1000 total points
ID: 26347290
If you are using passive ftp you need to have two rules:

iptables -I FORWARD -s -d -p tcp --dport 20 -j ACCEPT
iptables -I FORWARD -s -d -p tcp --dport 21 -j ACCEPT

For active ftp you can leave the rule as bplant suggested:
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

For testing purposes you could also enable all connections between networks and
iptables -I FORWARD -s -d -j ACCEPT
iptables -I FORWARD -s -d -j ACCEPT

If this does not work then the problem is not the firewall.

Author Closing Comment

ID: 31674599
I used the 2 rules to allow all connections between the networks..... A thrid party ftp client can connect beautifully... something about windows command line ftp just will not work "pasv" or anything.... I can change directories but cannot see the contents of the directory or send or receive files.....

Doing a tcpdump shows the connection between (ftp server) and server) only... not a single packet between vpn clients ( network) and the ftp server.....with both the windows ftp client and the third party ftp client...

weird i know...

thanks for the help... it looks like a non firewall issue... Its an application issue

additional thanks to bplant for the logging command

I hope that people who are having actual firewall issues will benefit from this thread...

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The purpose of this article is to fix the unknown display problem in Linux Mint operating system. After installing the OS if you see Display monitor is not recognized then we can install "MESA" utilities to fix this problem or we can install additio…
The purpose of this article is to demonstrate how we can upgrade Python from version 2.7.6 to Python 2.7.10 on the Linux Mint operating system. I am using an Oracle Virtual Box where I have installed Linux Mint operating system version 17.2. Once yo…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question