| View previous topic :: View next topic |
| Author |
Message |
toralf
Developer
Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg
|
 Posted: Sun Feb 02, 2014 10:02 am Post subject: PASV ftp - I misconfigured my iptables config file |
 |
|
I googled around the world and tried a lot, but I cannot fetch files from Gentoo mirrors using passive ftp if this ip tables script is activated: http://bpaste.net/show/174745/
Anybody sees the error ?
Last edited by toralf on Sun Feb 02, 2014 4:07 pm; edited 2 times in total |
|
| Back to top |
|
 |
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310
|
| Posted: Sun Feb 02, 2014 12:12 pm Post subject: |
|
|
You have:
| Code: | | $IPT -t filter -P OUTPUT DROP |
I would log that, before dropping it  Edit: You are logging it. Anything in the log?
You're probably dropping the 2nd of the 2 outgoing passive FTP requests. |
|
| Back to top |
|
|
toralf
Developer
Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg
|
| Posted: Sun Feb 02, 2014 12:29 pm Post subject: |
|
|
The log shows | Code: | Feb 2 10:59:20 MYFW4_OUT= wlp3s0 192.168.178.21 209.132.183.64 TCP 40248 54673 DF SYN
Feb 2 10:59:24 MYFW4_OUT= wlp3s0 192.168.178.21 209.132.183.64 TCP 40248 54673 DF SYN
Feb 2 13:25:38 MYFW4_OUT= wlp3s0 192.168.178.21 209.132.183.64 TCP 56566 13318 DF SYN
Feb 2 13:25:39 MYFW4_OUT= wlp3s0 192.168.178.21 209.132.183.64 TCP 56566 13318 DF SYN
|
and this matches this point in time : | Code: | $ wget ftp://sources.redhat.com/pub/lvm2/LVM2.2.02.105.tgz --directory-prefix=/usr/portage/distfiles/
--2014-02-02 13:25:36-- ftp://sources.redhat.com/pub/lvm2/LVM2.2.02.105.tgz
=> ‘/usr/portage/distfiles/LVM2.2.02.105.tgz.2’
Resolving sources.redhat.com... 209.132.183.64
Connecting to sources.redhat.com|209.132.183.64|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/lvm2 ... done.
==> SIZE LVM2.2.02.105.tgz ... 1374752
==> PASV ... |
But I did not understand why the rules forbid passive. BTW thx for the link , I tried this http://slacksite.com/other/ftp-appendix2.html from that page, but from the log it seems, that I do block the OUTPUT, so the INPUT chain was already fine before, or ? |
|
| Back to top |
|
|
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310
|
| Posted: Sun Feb 02, 2014 12:44 pm Post subject: |
|
|
See the URL I gave - in passive FTP, there's 2 connections. You're blocking the 2nd connection attempt from the client.
Hopefully just need this (specifying the helper, to make "ESTABLISHED,RELATED" work), based on info:
| Code: | | $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -m helper --helper ftp -p tcp --sport 1024: --dport 1024: -j ACCEPT |
|
|
| Back to top |
|
|
toralf
Developer
Joined: 01 Feb 2004
Posts: 3922
Location: Hamburg
|
| Posted: Sun Feb 02, 2014 4:33 pm Post subject: |
|
|
Thx for your help - pointed me to this missing command : | Code: | echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
|
Before I had however to run | Code: | | modprobe nf_conntrack_ftp |
which let me wonders why b/c all other modules are loaded automatically |
|
| Back to top |
|
|
|
Networking & Security
