Problem with opening ports for ftp in iptables

Hi all,  If I have INPUT chain set to drop by default, and ports 20 and 21 are open, ftp doesn't work right.  I've also noticed the SSH password prompt takes a long time to show up. When I accept all input again, ftp works, and the login pops up right away. The problem with ftp is that it connects, but doesn't show any data (no directory listing once it lists). I'm using a default installation and settings (except anonymous login is off) for vsftp.  The only input rules I have are 20, 21, and my ssh port open and I set an accept all on the lo interface.  My output is set to accept.

Does anyone know what I'm doing wrong or why this isn't working?
LVL 2
Matt KendallTech / Business owner operatorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jan SpringerCommented:
questions:

1) is vsftpd configured to allow passive ftp?  if yes, you will need to update iptables_config with the conntrack_ftp

2) is sshd_config configured to do DNS lookups?  if yes and they are not resolving, then that will also cause a delay
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
gheistCommented:
You should stop checking reverse DNS, that will cure waits.
nobody ever will connect to your port 20
you need either to load nf_conntrack_ftp ur agree between iptables, ephemeral ports and ftp server which ports to use for incoming PASV connections
0
Kent WSr. Network / Systems AdminCommented:
Do you have port 53 outgoing open so you can do recursive lookups?
See if you can resolve anything from within the machine while your iptables rules are in place, especially your OUTPUT rules.
0
Matt KendallTech / Business owner operatorAuthor Commented:
Thanks, both problems are solved now.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.