适用于处于主动\被动模式的FTP服务器的iptables规则 [英] Appropriate iptables rules for an FTP server in active \ passive mode
问题描述
我在CentOS6上安装了ProFTPD服务器。
如果我使FTP本地主机,我可以正确连接,但如果我从外面尝试,我获得消息没有路由到主机。但是有一条路由到主机,因为我通过SSH连接。
我尝试添加以下iptable规则:
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m注释--comment允许端口21上的ftp连接
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m注释--comment允许端口21上的ftp连接
iptables -A INPUT -p tcp -m tcp -dport 20 -m conntrack -ctstate ESTABLISHED,RELATED -j ACCEPT -m注释--comment允许端口20上的ftp连接
iptables -A OUTPUT - p tcp -m tcp -dport 20 -m conntrack -ctstate ESTABLISHED -j ACCEPT -m注释--comment允许端口20上的ftp连接
iptables -A INPUT -p tcp -m tcp --sport 1024:--dport 1024:-m conntrack --ctstate ESTABLISHED -j ACCEPT -m注释--comment允许被动入站连接
iptables -A OUTPUT -p tcp -m tcp --sport 1024: - 出口102 4:-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment允许被动入站连接
并重新启动proftpd和iptables服务。
我能做些什么来排除这个问题?
为了允许FTP,您需要以下规则服务器:
$ b
-
允许客户端向端口21发起控制连接,如下所示:
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --commentAllow ftp端口21上的连接
iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m注释--comment允许端口21上的ftp连接
-
对于主动模式,允许服务器从端口20发起数据连接,如下所示:
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctctate RELATED,ESTABLISHED -j ACCEPT -m comment --comment允许端口20上的ftp连接
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment允许端口20上的ftp连接
-
对于被动模式,允许客户端在非特权端口上发起数据连接:
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024:-m conntrack --ctctate RELATED,ESTABLISHED -j ACCEPT -m注释--commentAllow passive inbound connections
iptables -A OUTPUT -p tcp -m tcp --sport 1024: - dport 1024:-m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment允许被动入站连接
当 RELATED $ c $>时,普通
conntrack
c>数据连接在主动模式下建立,但您可能需要加载 nf_conntrack_ftp
模块以正确跟踪何时在被动模式下建立此类连接:
- 检查是否加载了
lsmod | grep nf_conntrack_ftp
。 - 使用
modprobe nf_conntrack_ftp
加载它。 ul>
或者,您可以用 NEW
替换
此链接提供了上述规则基本原理的简要摘要。
I installed a ProFTPD server on a CentOS6. If i make ftp localhost, i can connect correctly, but if i try from outside, i obtain the message "no route to host". But there is a route to host because i am connected via SSH.
I tried adding the following iptable rules:
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"
and restarted both proftpd and iptables services. What can i do to troubleshoot this problem?
In order to allow FTP you need the following rules on the server:
Allow control connections initiated by the client to port 21, as follows:
iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21" iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
For active mode, allow data connections initiated by the server from port 20, as follows:
iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20" iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
For passive mode, allow data connections initiated by the client on unprivileged ports:
iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections" iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
The ordinary conntrack
modules should correctly track when a RELATED
data connection is established in active mode, however you might need to load the nf_conntrack_ftp
module for correctly tracking when such connections are established in passive mode:
- Check if it's loaded with
lsmod | grep nf_conntrack_ftp
. - Load it with
modprobe nf_conntrack_ftp
.
Alternatively, you may replace the RELATED
state with the NEW
state, which is less secure, but would definitely get the job done.
This link supplies a concise summary of the rationale for the above rules.
这篇关于适用于处于主动\被动模式的FTP服务器的iptables规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!