I installed a ProFTPD server on CentOS 6. If I run ftp localhost, I can connect correctly, but if I try from outside, I get the message "no route to host". But there is a route to the host, because I am connected via SSH.

I tried adding the following iptables rules:

iptables -A INPUT  -p tcp -m tcp --dport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
iptables -A OUTPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"

iptables -A INPUT  -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
iptables -A OUTPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"

iptables -A INPUT  -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow passive inbound connections"

and restarted both the proftpd and iptables services. What can I do to troubleshoot this problem?

1 Answer

To allow FTP, you need the following rules on the server:

  1. Allow the control connection, initiated by the client, to port 21, like so:

    iptables -A INPUT  -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
    iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 21"
    
  2. For active mode, allow the server to initiate the data connection from port 20, like so:

    iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
    iptables -A INPUT  -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow ftp connections on port 20"
    
  3. For passive mode, allow the client to initiate the data connection on unprivileged ports:

    iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
    iptables -A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment "Allow passive inbound connections"
    

When the data connection is established in active mode, the plain conntrack module should track it correctly, but when such a connection is established in passive mode as RELATED, you may need to load the nf_conntrack_ftp module for it to be tracked properly:

  • Check whether it is loaded with lsmod | grep nf_conntrack_ftp.
  • Load it with modprobe nf_conntrack_ftp

Alternatively, you can replace the RELATED state with the NEW state, which is less secure but will certainly do the job.

This link provides a concise summary of the rationale behind the above rules.

answered 2014-10-30T19:10:08.823
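The rule set from the answer above, turned into a small script, as an added example that is not part of the original question or answer. It also covers the check a practitioner would make first on CentOS 6: the stock /etc/sysconfig/iptables ends the INPUT chain with `-A INPUT -j REJECT --reject-with icmp-host-prohibited`, and that ICMP reply is exactly what the client prints as "No route to host"; rules appended with `-A`, as in the question, land after that REJECT and are never evaluated. The script therefore parses `iptables -S INPUT`, finds the REJECT rule, and inserts the new rules in front of it. The passive port range 49152:49200, the `ftp-*` rule comments and the DRY_RUN convention are my assumptions; the range must match a `PassivePorts 49152 49200` line in proftpd.conf, and the passive INPUT rule is narrowed to that range instead of the answer's `--dport 1024:`.

```shell
#!/bin/sh
# Added example (not from the original question or answer): an idempotent
# helper for the FTP rule set above on a CentOS 6 style iptables setup.
# Assumptions, all mine: the passive range 49152:49200 (must match a
# "PassivePorts 49152 49200" line in proftpd.conf), the DRY_RUN convention,
# and the ftp-* rule comments.

PASV_RANGE="49152:49200"   # assumption: same range as PassivePorts in proftpd.conf
DRY_RUN="${DRY_RUN:-1}"    # 1 = only print the commands, 0 = really run them (root)

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read `iptables -S INPUT` output on stdin and print the 1-based position of
# the first REJECT rule in the chain, or 0 if there is none. The stock
# CentOS 6 ruleset ends INPUT with
#   -A INPUT -j REJECT --reject-with icmp-host-prohibited
# which the client reports as "No route to host"; rules appended with -A
# land after it and are never evaluated, so new rules must go in front of it.
reject_index() {
    awk '
        /^-A / { n++ }
        /^-A / && / -j REJECT/ { print n; found = 1; exit }
        END { if (!found) print 0 }
    '
}

# Emit one INPUT rule in front of the REJECT rule (or append if there is none).
# Keeps a running index so the rules keep the order they are emitted in.
emit_input() {
    if [ "$REJECT_IDX" -gt 0 ]; then
        printf 'iptables -I INPUT %s %s\n' "$REJECT_IDX" "$*"
        REJECT_IDX=$((REJECT_IDX + 1))
    else
        printf 'iptables -A INPUT %s\n' "$*"
    fi
}

# The stock CentOS 6 OUTPUT chain has no REJECT rule, so appending is fine.
emit_output() {
    printf 'iptables -A OUTPUT %s\n' "$*"
}

# Print the six rules from the answer as iptables commands. $1 is the REJECT
# rule position from reject_index (0 = none). Only the passive INPUT rule
# differs from the answer: it is narrowed from "--dport 1024:" to PASV_RANGE.
ftp_rules() {
    REJECT_IDX=$1
    # 1. control connection, client -> server:21
    emit_input  "-p tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment ftp-control"
    # 2. active mode, server:20 -> client (replies come back in on dport 20)
    emit_input  "-p tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment ftp-active"
    # 3. passive mode, client -> server:PASV_RANGE; RELATED needs nf_conntrack_ftp
    emit_input  "-p tcp --sport 1024: --dport $PASV_RANGE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment ftp-passive"
    emit_output "-p tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment ftp-control"
    emit_output "-p tcp --sport 20 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment ftp-active"
    emit_output "-p tcp --sport $PASV_RANGE --dport 1024: -m conntrack --ctstate ESTABLISHED -j ACCEPT -m comment --comment ftp-passive"
}

# Load the FTP connection-tracking helper if it is missing; without it the
# passive data connection is never marked RELATED and rule 3 never matches.
ensure_conntrack_ftp() {
    if lsmod 2>/dev/null | grep -q '^nf_conntrack_ftp'; then
        echo "nf_conntrack_ftp already loaded"
    else
        run modprobe nf_conntrack_ftp
    fi
}

main() {
    ensure_conntrack_ftp
    idx=$(iptables -S INPUT 2>/dev/null | reject_index)
    ftp_rules "${idx:-0}" | while IFS= read -r cmd; do
        # shellcheck disable=SC2086  # intentional word splitting of the command
        run $cmd
    done
}

# Usage:  sh ftp-rules.sh print            (DRY_RUN=1: just show the commands)
#         DRY_RUN=0 sh ftp-rules.sh apply  (as root, then: service iptables save)
case "${1:-}" in print|apply) main ;; esac
```

Run it in print mode first and compare the emitted positions against `iptables -L INPUT -n --line-numbers`. After applying, `service iptables save` writes the rules to /etc/sysconfig/iptables, and setting `IPTABLES_MODULES="nf_conntrack_ftp"` in /etc/sysconfig/iptables-config makes the iptables init script load the helper at boot, so the modprobe step does not have to be repeated after a restart. If the server sits behind NAT, nf_nat_ftp is needed as well so the address in the PASV reply gets rewritten.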