Vitaly, 2019-08-06 12:50:26
linux

Where is the error in iptables rules?

Due to a misconfiguration of iptables, the ftp connection fails:

Status:      	Connecting to 100.100.100.100:21...
Status:      	Connection established, waiting for welcome message...
Status:      	Initializing TLS...
Status:      	Verifying certificate...
Status:      	TLS connection established.
Status:      	Logged in
Status:      	Retrieving directory listing...
Command:	PWD
Response: 	257 "/" is the current directory
Command:	TYPE I
Response: 	200 Type set to I
Command:	PASV
Response: 	227 Entering Passive Mode (100,100,100,100,157,29).
Command:	MLSD
Error:        	The data connection could not be established: ECONNREFUSED - Connection refused by server

But I don't understand where I made a mistake, what other port should I open? When I remove all rules from the chains and set the policy to ACCEPT, ftp works correctly. That is, the problem is in the firewall.
Normal FTP uses port 21 (TCP/UDP) for control and port 20 (TCP/UDP) for data. FTP over TLS (FTPS) uses port 990 (TCP/UDP) for control and port 989 (TCP/UDP) for data.

All these ports are open, here is my config:
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 48122 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

-A INPUT -p tcp -m multiport --dports 110,143,993,995,587,465,25 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p udp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 1500  -j ACCEPT
-A INPUT -p tcp --dport 3306  -j ACCEPT
-A INPUT -p tcp --dport 53  -j ACCEPT
-A INPUT -p udp --dport 53  -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,990,989 -j ACCEPT
-A INPUT -p udp -m multiport --dports 20,990,989 -j ACCEPT

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

--policy INPUT DROP
--policy FORWARD DROP

COMMIT

Where did I go wrong?

2 answers

Andrey Shatokhin, 2019-08-06
@vitalysokolov

If you need ftp - google "iptables passive ftp"
Better migrate to sftp.

Zzzz9, 2019-08-06
@Zzzz9

Normal FTP uses port 21 (TCP/UDP) for control and port 20 (TCP/UDP) for data. FTP over TLS (FTPS) uses port 990 (TCP/UDP) for control and port 989 (TCP/UDP) for data.

-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p udp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT

Where is port 20?
But I saw
-A INPUT -p tcp -m multiport --dports 20,990,989 -j ACCEPT
-A INPUT -p udp -m multiport --dports 20,990,989 -j ACCEPT
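An added check (not from any post on this page) that ties the question's log to Andrey's "passive ftp" hint: the 227 reply in the log encodes the passive data port as p1*256 + p2, and that port is what the client connects to, not port 20 or 989. The script below decodes the reply and compares the port against the TCP destination ports the posted INPUT chain accepts; the PASV reply and the rules are copied from the question, and because the control channel is TLS-encrypted the conntrack FTP helper cannot see the reply and mark the data connection RELATED, so the server's configured passive range has to be accepted explicitly.

```python
import re

# Copied from the question: the PASV reply and the INPUT rules that carry ports.
PASV_REPLY = "227 Entering Passive Mode (100,100,100,100,157,29)."
INPUT_RULES = """
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 48122 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,143,993,995,587,465,25 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p udp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 1500  -j ACCEPT
-A INPUT -p tcp --dport 3306  -j ACCEPT
-A INPUT -p tcp --dport 53  -j ACCEPT
-A INPUT -p udp --dport 53  -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,990,989 -j ACCEPT
-A INPUT -p udp -m multiport --dports 20,990,989 -j ACCEPT
-A INPUT -j REJECT
"""

def pasv_data_port(reply):
    """RFC 959 PASV: the data port is p1*256 + p2 from the 227 reply."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply")
    p1, p2 = int(m.group(5)), int(m.group(6))
    return p1 * 256 + p2

def tcp_ports_accepted(rules):
    """Collect every TCP destination port an ACCEPT rule names (--dport/--dports, ranges as lo:hi)."""
    ports = set()
    for line in rules.splitlines():
        if "-p tcp" not in line or "-j ACCEPT" not in line:
            continue
        m = re.search(r"--dports? ([\d,:]+)", line)
        if not m:
            continue
        for item in m.group(1).split(","):
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def pasv_port_allowed(reply, rules):
    """True only if the passive data port is explicitly accepted; a TLS control channel gets no RELATED match."""
    return pasv_data_port(reply) in tcp_ports_accepted(rules)

if __name__ == "__main__":
    print(pasv_data_port(PASV_REPLY), pasv_port_allowed(PASV_REPLY, INPUT_RULES))
```

The reply above decodes to port 40221, which no ACCEPT rule covers, so the connection falls through to the final REJECT and the client reports ECONNREFUSED.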
