My English is not good either... :)
Look. The FTP server needs a PASSIVE connection. This is done by an FTP-DATA
port (port 20). Try to free this port in IPTables too, and everything works
fine (I hope so)!
The other option is to work in FTP with passive mode disabled.
Good luck
Wagner Sartori Junior
----- Original Message -----
From: "Roland Türk"
Hello,
Sorry, my English is not so good! I have written my firewall with iptables. I can connect to an FTP server but cannot make an ls or dir.
linux:~ # ftp ftp.suse.com
Connected to ftp.suse.com (217.9.113.66).
220 "Welcome to the SuSE ftp server: Please login as user 'ftp'"
Name (ftp.suse.com:root): ftp
331 Please send your email address as a password.
Password:
230-+----------------------------------------------------------------+
230-| Welcome to the SuSE Linux FTP archives in Nürnberg Germany |
230-+----------------------------------------------------------------+
230-+------------------------------+ +------------------------------+
230-| SuSE Inc. | | SuSE GmbH |
230-| 318 Harrison St. | | Deutschherrnstr. 15-19 |
230-| Oakland, CA 94607 | | 90429 Nuernberg |
230-| USA | | Germany |
230-+------------------------------+ +------------------------------+
230-| Tel: +1-510-628-3380 | | Tel: +49-911-740530 |
230-| FAX: +1-510-628-3381 | | FAX: +49-911-7417755 |
230-+------------------------------+ +------------------------------+
230-| http://www.suse.com/ | | http://www.suse.de/ |
230-+------------------------------+ +------------------------------+
230-Please make sure to read pub/INDEX before sending mail to
230-ftpadmin@suse.com
230-
230-User limit: 600 - consider using a mirror-site:
230-http://www.suse.de/en/support/download/ftp/int_mirrors.html (Int.)
230-http://www.suse.de/en/support/download/ftp/germ_mirrors.html (DE)
230-
230-Users from Europe (in particular German universities):
230-ftp://ftp.gwdg.de/pub/linux/suse/
230-ftp://ftp.leo.org/pub/comp/os/unix/linux/suse/suse/
230-ftp://ftp.uni-kl.de/pub/linux/suse/
230-
230-If you are experiencing any problems with this server, please email
230-ftpadmin@suse.com.
230-
230 Login successful. Have a lot of fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
--------------------------------------------------
-----snip------
# My Firewall config for FTP
# FTP OUT Control-Connection
iptables -A OUTPUT -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport ftp ! --syn -j ACCEPT
# FTP OUT Passive Data-Connection
iptables -A OUTPUT -p TCP --sport $p_high --dport $p_high -j ACCEPT
iptables -A INPUT -p TCP --dport $p_high --sport $p_high ! --syn -j ACCEPT
# MASQUERADING
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT -o $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -p ICMP --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport ftp -j ACCEPT
iptables -A FORWARD -o $EXT -m state --state NEW -p TCP --sport $p_high --dport $p_high -j ACCEPT
-----snap-----
----------------------------------------------------------------------
tcpdump -i ippp0
19:59:13.290242 217.4.250.8.filenet-tms > 213.95.15.193.domain: 2909 A? ftp.suse.com. (30) (DF)
19:59:13.345807 213.95.15.193.domain > 217.4.250.8.filenet-tms: 2909* 1/2/2 A 217.9.113.66 (132) [tos 0x10]
19:59:13.347190 217.4.250.8.35608 > 217.9.113.66.ftp: S 926670463:926670463(0) win 5840
217.4.250.8.35608: S 840322402:840322402(0) ack 926670464 win 32120
217.9.113.66.ftp: . ack 1 win 5840 (DF)
19:59:13.518270 217.9.113.66.ftp > 217.4.250.8.35608: P 1:249(248) ack 1 win 32120 (DF
19:59:13.518367 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 249 win 6432 (DF) [tos 0x1
19:59:13.518817 217.4.250.8.35608 > 217.9.113.66.ftp: F 1:1(0) ack 249 win 6432 (DF) [
19:59:13.525785 217.9.113.66.ftp > 217.4.250.8.35608: F 249:249(0) ack 1 win 32120 (DF
19:59:13.526164 217.4.250.8.35608 > 217.9.113.66.ftp: . ack 250 win 6432 (DF) [tos 0x1
19:59:13.572175 217.9.113.66.ftp > 217.4.250.8.35608: . ack 2 win 32120 (DF)
19:59:20.501533 217.4.250.8.35609 > 217.9.113.66.ftp: S 933158888:933158888(0) win 5840
217.4.250.8.35609: S 856735184:856735184(0) ack 933158889 win 32120
217.9.113.66.ftp: . ack 1 win 5840 (DF)
19:59:20.650476 217.9.113.66.ftp > 217.4.250.8.35609: P 1:67(66) ack 1 win 32120 (DF)
19:59:20.650579 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 67 win 5840 (DF) [tos 0x10
19:59:24.856106 217.4.250.8.35609 > 217.9.113.66.ftp: P 1:11(10) ack 67 win 5840 (DF)
19:59:24.896293 217.9.113.66.ftp > 217.4.250.8.35609: . ack 11 win 32120 (DF)
19:59:24.910156 217.9.113.66.ftp > 217.4.250.8.35609: P 67:118(51) ack 11 win 32120 (D
19:59:24.910224 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 118 win 5840 (DF) [tos 0x1
19:59:26.198941 217.4.250.8.35609 > 217.9.113.66.ftp: P 11:25(14) ack 118 win 5840 (DF
19:59:26.261343 217.9.113.66.ftp > 217.4.250.8.35609: P 118:190(72) ack 25 win 32120 (
19:59:26.261425 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 190 win 5840 (DF) [tos 0x1
19:59:26.277847 217.9.113.66.ftp > 217.4.250.8.35609: P 190:262(72) ack 25 win 32120 (
19:59:26.277920 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 262 win 5840 (DF) [tos 0x1
19:59:26.294356 217.9.113.66.ftp > 217.4.250.8.35609: P 262:334(72) ack 25 win 32120 (
19:59:26.294424 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 334 win 5840 (DF) [tos 0x1
19:59:26.310864 217.9.113.66.ftp > 217.4.250.8.35609: P 334:406(72) ack 25 win 32120 (
19:59:26.310932 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 406 win 5840 (DF) [tos 0x1
19:59:26.521730 217.9.113.66.ftp > 217.4.250.8.35609: P 406:1771(1365) ack 25 win 32120
217.9.113.66.ftp: . ack 1771 win 8190 (DF) [tos 0x
19:59:26.523495 217.4.250.8.35609 > 217.9.113.66.ftp: P 25:31(6) ack 1771 win 8190 (DF
19:59:26.599132 217.9.113.66.ftp > 217.4.250.8.35609: P 1771:1790(19) ack 31 win 32120
19:59:26.638231 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1790 win 8190 (DF) [tos 0x
19:59:29.151684 217.4.250.8.35609 > 217.9.113.66.ftp: P 31:56(25) ack 1790 win 8190 (D
19:59:29.208498 217.9.113.66.ftp > 217.4.250.8.35609: P 1790:1841(51) ack 56 win 32120
19:59:29.208584 217.4.250.8.35609 > 217.9.113.66.ftp: . ack 1841 win 8190 (DF) [tos 0x
19:59:29.208840 217.4.250.8.35609 > 217.9.113.66.ftp: P 56:62(6) ack 1841 win 8190 (DF
19:59:29.257378 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120
217.4.250.8.35609: . ack 62 win 32120 (DF)
19:59:32.304569 217.9.113.66.ftp-data > 217.4.250.8.35610: S 870057160:870057160(0) win 32120

Which ports must I open?
Thanks for your config or help
Roland
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
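Editor's note on the thread above. The tcpdump shows what is going wrong: after "200 PORT command successful" the server opens the data connection itself, from ftp-data (port 20) to the client's port 35610 (the SYN is retransmitted three seconds later because nothing answers). That is active-mode FTP; the posted INPUT rules only accept non-SYN packets (`! --syn`), and the `--state RELATED` rules cannot help because nothing tells the kernel that this incoming SYN belongs to the control session. The thread offers two fixes, opening port 20 inbound or switching the client to passive mode. The script below is an added example, not from either poster, showing the third option: loading the kernel's FTP connection-tracking helper so the data connection (active or passive) is classified RELATED and no port range has to be opened statically. It runs in dry-run mode by default and only prints the commands; the interface names (`ippp0` from the tcpdump, `eth0` for the LAN side), the `CT --helper` binding and the kernel-version remark are my assumptions, not something the thread states.

```sh
#!/bin/sh
# Added example: FTP client rules using the conntrack FTP helper instead of
# a static hole for port 20. Dry-run by default (prints the commands); run
# with DRY_RUN=0 as root to apply. Interface names are assumptions.
DRY_RUN="${DRY_RUN:-1}"
EXT="${EXT:-ippp0}"   # external (dial-up) interface, as in the tcpdump above
INT="${INT:-eth0}"    # internal LAN interface (assumed name)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

ftp_rules() {
    # 1. Helper modules: nf_conntrack_ftp parses PORT/PASV on the control
    #    channel and expects the resulting data connection as RELATED;
    #    nf_nat_ftp rewrites the address in PORT for masqueraded LAN clients.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp

    # 2. Since kernel 4.7 helpers are no longer assigned automatically, so
    #    bind the ftp helper explicitly to control connections (port 21),
    #    both those the firewall opens itself and those forwarded from the LAN.
    run iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
    run iptables -t raw -A PREROUTING -i "$INT" -p tcp --dport 21 -j CT --helper ftp

    # 3. New control connections may leave towards the Internet.
    run iptables -A OUTPUT -o "$EXT" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -i "$INT" -o "$EXT" -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

    # 4. Replies plus helper-announced data connections. The server's SYN
    #    from port 20 (active mode, as captured above) and the client's SYN
    #    to a server high port (passive mode) are both RELATED, so neither
    #    port 20 nor a high-port range is opened to everyone. Limiting
    #    RELATED to the ftp helper keeps other helpers' expectations out;
    #    ICMP errors stay allowed separately so path-MTU discovery works.
    for chain in INPUT OUTPUT FORWARD; do
        run iptables -A "$chain" -m conntrack --ctstate ESTABLISHED -j ACCEPT
        run iptables -A "$chain" -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
        run iptables -A "$chain" -p icmp -m conntrack --ctstate RELATED -j ACCEPT
    done

    # 5. Masquerade the LAN behind the external address, as in the thread.
    run iptables -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

ftp_rules
```

Two caveats a practitioner should keep in mind: the helper has to read the control channel in cleartext, so it does nothing for FTP over TLS (there, passive mode with a fixed server port range is the usual answer), and the `CT --helper` lines are what makes the helper attach on current kernels; on a kernel older than 4.7 the helper attaches automatically once the module is loaded.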