I've installed vsFTPd in CentOS 5.5, on two servers, and added this rule to their iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
Looks like this is not enough, since when I'm trying to upload a file from one server to another, I'm getting this result (IP address is masked):
# ftp 99.99.99.99
Connected to 99.99.99.99 (99.99.99.99).
220 (vsFTPd 2.0.5)
Name (99.99.99.99:root): vinny
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (99,99,99,99,107,74)
ftp: connect: No route to host
I've found a few articles on the net about the second rule I have to add to iptables, but I didn't find the right syntax for it. Could you please help?
PS. I have a default installation of vsFTPd and I don't want to change anything inside its config file (/etc/vsftpd/vsftpd.conf), if possible.
Edit /etc/sysconfig/iptables-config and add this line:
IPTABLES_MODULES="ip_conntrack_ftp"
Save it and restart iptables.
That's because passive mode uses non-standard ports to communicate, so you need to keep track of the FTP connections and iptables will allow them when necessary.
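To see why a single "--dport 21" rule cannot work, the following added example (not part of the question or the answer above) decodes the port hidden in a "227 Entering Passive Mode" reply and prints the stateful rule set that the conntrack FTP helper relies on. The 227 line is a constructed sample modelled on the one in the question; the rule text assumes the RH-Firewall-1-INPUT chain named in the question.

```shell
#!/bin/sh
# Added example, not from the original post. Shows (1) which data port a
# passive-mode server is asking the client to connect to, and (2) the
# state-tracking rules that let that connection through once the FTP
# conntrack helper (ip_conntrack_ftp on CentOS 5, nf_conntrack_ftp on
# newer kernels) has parsed the 227 reply.

# Constructed sample of the reply seen in the question.
SAMPLE_227='227 Entering Passive Mode (99,99,99,99,107,74)'

# pasv_host "<227 line>" -> the IPv4 address in the reply (first 4 numbers).
pasv_host() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ "$#" -eq 6 ] || return 1
    echo "$1.$2.$3.$4"
}

# pasv_port "<227 line>" -> the TCP port the client must connect to.
# The last two numbers are the high and low bytes of the port
# (port = p1 * 256 + p2), and the server picks them per transfer,
# so no fixed --dport rule can anticipate them.
pasv_port() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ "$#" -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# passive_rules prints the iptables rules a stateful firewall needs on the
# server: the control port for NEW connections, and RELATED,ESTABLISHED so
# that the data connection the conntrack helper has flagged as RELATED to
# the control session is accepted without opening a port range.
passive_rules() {
    cat <<'EOF'
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
EOF
}

# Stand-alone run: decode the sample and print the rules.
echo "server $(pasv_host "$SAMPLE_227") wants the data connection on port $(pasv_port "$SAMPLE_227")"
passive_rules
```

The two rules are printed rather than applied so the script runs anywhere; on the real host they belong in /etc/sysconfig/iptables (a default CentOS 5 chain usually already has the ESTABLISHED,RELATED rule, in which case only the helper module from the answer is missing). After restarting iptables, "lsmod | grep conntrack_ftp" confirms the helper is loaded; without it the data connection to the decoded port is NEW, matches nothing, and fails exactly as in the question.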