Appropriate iptables rules for an FTP server in active \ passive mode


Question




I installed a ProFTPD server on CentOS 6. If I run ftp localhost, I can connect correctly, but if I try from outside, I obtain the message "no route to host". But there is a route to the host, because I am connected via SSH.

I tried adding the following iptables rules:

    iptables -A INPUT  -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
    iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"

    iptables -A INPUT  -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
    iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"

    iptables -A INPUT  -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
    iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"

and restarted both the proftpd and iptables services. What can I do to troubleshoot this problem?

Solution

In order to allow FTP you need the following rules on the server:

1. Allow control connections initiated by the client to port 21, as follows:

    iptables -A INPUT  -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
    iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"

2. For active mode, allow data connections initiated by the server from port 20, as follows:

    iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
    iptables -A INPUT  -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"

3. For passive mode, allow data connections initiated by the client on unprivileged ports:

    iptables -A INPUT  -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
    iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"

The ordinary conntrack modules should correctly track when a RELATED data connection is established in active mode; however, you might need to load the nf_conntrack_ftp module for correctly tracking when such connections are established in passive mode:

• Check if it's loaded with lsmod | grep nf_conntrack_ftp.
• Load it with modprobe nf_conntrack_ftp.

Alternatively, you may replace the RELATED state with the NEW state, which is less secure, but would definitely get the job done.

This link supplies a concise summary of the rationale for the above rules.
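The following shell script is an added example, not part of the original answer or of ProFTPD, that packages the six rules from the answer above into reusable functions. Two things it does beyond the answer are assumptions of this example: the passive data range is narrowed from 1024: to a PASV_RANGE of 49152:65534, which only works if proftpd.conf carries a matching PassivePorts 49152 65534 directive; and it includes an ordering check over iptables -S INPUT output, because rules added with -A are appended after any REJECT rule already sitting at the end of the INPUT chain and are then never reached. The sample chain listings are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): FTP firewall rules as functions,
# plus a rule-ordering check. Assumptions: PASV_RANGE matches a
# "PassivePorts 49152 65534" directive in proftpd.conf; the nf_conntrack_ftp
# helper is loaded so data connections are classified RELATED.
set -u

PASV_RANGE="${PASV_RANGE:-49152:65534}"   # constructed example range

# Emit the six rules from the answer, one per line, without the leading "iptables".
ftp_rules() {
    cat <<EOF
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
-A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
-A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
-A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
-A INPUT -p tcp -m tcp --sport 1024: --dport $PASV_RANGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
-A OUTPUT -p tcp -m tcp --sport $PASV_RANGE --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
EOF
}

# Turn the rules into iptables commands. INPUT rules are inserted at position $1
# (default 1) so they land ahead of any trailing REJECT; OUTPUT rules are appended.
# Review the output first, then run it as root, e.g.: ftp_commands 5 | sudo sh
ftp_commands() {
    pos="${1:-1}"
    ftp_rules | sed -e "s/^-A INPUT /iptables -I INPUT $pos /" \
                    -e 's/^-A OUTPUT /iptables -A OUTPUT /'
}

# Read "iptables -S INPUT" output on stdin; succeed only if the port-21 ACCEPT
# appears before the first REJECT/DROP in the chain.
check_order() {
    awk '
        /-j (REJECT|DROP)/ && !seen_accept { exit 1 }
        /--dport 21( |$)/ && /-j ACCEPT/ { seen_accept = 1 }
        END { exit (seen_accept ? 0 : 1) }
    '
}

# The two helper commands from the answer, wrapped so they can be scripted.
helper_loaded() { lsmod | grep -q '^nf_conntrack_ftp'; }
helper_load()   { helper_loaded || modprobe nf_conntrack_ftp; }

# Constructed sample: a CentOS 6 style INPUT chain with the FTP rule appended
# with -A, i.e. after the final REJECT, so it is never reached.
sample_broken() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
EOF
}

# Constructed sample: the same chain after inserting the FTP rule with -I.
sample_fixed() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}
```

On a live host, run `iptables -S INPUT | check_order` after applying the rules; a non-zero exit means the ACCEPT sits behind a REJECT and the client will keep seeing the connection refused regardless of what the FTP rules themselves say.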
