FTP server iptables configuration
System: CentOS 6.2
Software: vsftpd, iptables
After the system is installed, the default iptables rules only allow packets in the RELATED or ESTABLISHED state, plus new connections to sshd (port 22), to reach the server. Once vsftpd is installed, port 21 must also be opened in iptables. The complete iptables configuration is as follows:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
With these rules in place, can a client log on to the FTP server and upload and download files normally? The test goes as follows.
In this example the FTP server's IP address is 192.18.2.75, and its iptables configuration is as shown:
The client connects with FileZilla Client. The result is as follows:
The server asks for a PASV connection. As the figure shows, the server is listening on port 44892 (175*256 + 92) and waiting for the client to connect, but the iptables rules block access to that port, so the connection fails.
Set FileZilla to active mode:
Connect to the server:
The connection succeeds.
So with the iptables rules above, clients can only connect in active mode.
How can I allow passive mode?
Method 1: Use the nf_conntrack_ftp module
Aside: before kernel 2.6.19 this module was called ip_conntrack_ftp.ko and lived at
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ip_conntrack_ftp.ko. It has since been renamed nf_conntrack_ftp.ko and lives at
/lib/modules/$(uname -r)/kernel/net/netfilter/nf_conntrack_ftp.ko
This is the Netfilter helper module for the FTP protocol, which is awkward for a firewall because the data connection uses a port negotiated inside the control connection. The helper reads that negotiation, marks the resulting data packets as RELATED, and so lets the first rule above admit passive-mode connections.
Run modprobe nf_conntrack_ftp to load the module; afterwards the client can connect to the FTP server in passive mode.
As the figure shows, the server's listening port in passive mode is 159*256 + 8 = 40712. Checking the TCP connection state on the FTP server confirms it:
Port 40712 is indeed the one in use.
Method 2: In the vsftpd configuration file, use the following two options to restrict the port numbers used in passive mode to a fixed range, and then allow that port range in iptables. The options are:
pasv_min_port=10000
pasv_max_port=15000
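The port arithmetic used in the test above (175*256 + 92 = 44892, 159*256 + 8 = 40712) and the range check that Method 2 relies on can be scripted. The following is an added example, not code from the original post: it decodes the port a server advertises in its "227 Entering Passive Mode" reply and reports whether that port falls inside the range that pasv_min_port/pasv_max_port and the matching iptables rule open. The 227 reply strings, the function names, and the PASV_MIN/PASV_MAX values are constructed for the example; the iptables rule is only printed, never applied.

```shell
#!/bin/sh
# Added example (not from the original post). Decode the data port from a
# vsftpd "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and check it
# against the passive port range opened in iptables.

PASV_MIN=10000   # must match pasv_min_port in vsftpd.conf
PASV_MAX=15000   # must match pasv_max_port in vsftpd.conf

# pasv_fields REPLY -> the six comma-separated numbers inside the parentheses
pasv_fields() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p'
}

# pasv_port REPLY -> p1*256 + p2, the TCP port the server listens on
pasv_port() {
    fields=$(pasv_fields "$1")
    [ -n "$fields" ] || return 1
    p1=$(printf '%s\n' "$fields" | cut -d, -f5)
    p2=$(printf '%s\n' "$fields" | cut -d, -f6)
    echo $((p1 * 256 + p2))
}

# pasv_host REPLY -> h1.h2.h3.h4, the address the server advertises
pasv_host() {
    fields=$(pasv_fields "$1")
    [ -n "$fields" ] || return 1
    printf '%s\n' "$fields" | cut -d, -f1-4 | tr ',' '.'
}

# port_allowed PORT -> success when PORT lies inside PASV_MIN..PASV_MAX
port_allowed() {
    [ "$1" -ge "$PASV_MIN" ] && [ "$1" -le "$PASV_MAX" ]
}

# pasv_rule -> the iptables rule that admits the passive range (printed only)
pasv_rule() {
    echo "iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport ${PASV_MIN}:${PASV_MAX} -j ACCEPT"
}

# Constructed sample replies: the first reproduces the post's failing case
# (unrestricted server picks 44892), the second a server limited to
# 10000-15000 (10000 = 39*256 + 16).
REPLY_UNRESTRICTED="227 Entering Passive Mode (192,18,2,75,175,92)."
REPLY_RESTRICTED="227 Entering Passive Mode (192,18,2,75,39,16)."

for reply in "$REPLY_UNRESTRICTED" "$REPLY_RESTRICTED"; do
    port=$(pasv_port "$reply")
    host=$(pasv_host "$reply")
    if port_allowed "$port"; then
        echo "data port $port on $host: inside ${PASV_MIN}-${PASV_MAX}, admitted by: $(pasv_rule)"
    else
        echo "data port $port on $host: outside ${PASV_MIN}-${PASV_MAX}, hits the final REJECT rule"
    fi
done
```

Without Method 1 or Method 2, every port a server picks is effectively random across the ephemeral range, which is why the unrestricted reply above lands on the final REJECT rule; once vsftpd is pinned to 10000-15000 and that single range rule is added, the second reply is admitted without loading any helper module.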