问题
I installed a ProFTPD server on a CentOS6. If i make ftp localhost, i can connect correctly, but if i try from outside, i obtain the message "no route to host". But there is a route to host because i am connected via SSH.
I tried adding the following iptable rules:
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"
and restarted both proftpd and iptables services. What can i do to troubleshoot this problem?
回答1:
In order to allow FTP you need the following rules on the server:
Allow control connections initiated by the client to port 21, as follows:
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21" iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"For active mode, allow data connections initiated by the server from port 20, as follows:
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20" iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"For passive mode, allow data connections initiated by the client on unprivileged ports:
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections" iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
The ordinary conntrack modules should correctly track when a RELATED data connection is established in active mode, however you might need to load the nf_conntrack_ftp module for correctly tracking when such connections are established in passive mode:
- Check if it's loaded with
lsmod | grep nf_conntrack_ftp. - Load it with
modprobe nf_conntrack_ftp.
Alternatively, you may replace the RELATED state with the NEW state, which is less secure, but would definitely get the job done.
This link supplies a concise summary of the rationale for the above rules.
来源:https://stackoverflow.com/questions/26659223/appropriate-iptables-rules-for-an-ftp-server-in-active-passive-mode