topic Re: which iptables entries are needed for custom ftp service in Operating System - Linux

which iptables entries are needed for custom ftp service

Debbie Fleith — Wed, 26 Mar 2008 20:44:53 GMT

I'm getting "no route to host" erors when trying to send or retrieve files from my new RH 5 Linux system, using a custom ftp service that we implement years ago.

Our /etc/services entries for this ftp service are:
adaftp-data 3020/tcp
adaftp 3021/tcp

Do I need to add both of these tcp ports to my iptables configuration?

Re: which iptables entries are needed for custom ftp service

slydmin — Wed, 26 Mar 2008 21:28:32 GMT

Could you provide more information?

Assuming the FTP service is on this new RH 5 Linux system, can you ping to this server?

if you are able ssh/consolelogin to the server, do a netstat -ant to make sure ftp is listening on that port 3021.

Re: which iptables entries are needed for custom ftp service

Jeeshan — Thu, 27 Mar 2008 09:06:59 GMT

may be you have no route entry to other hosts.

dont't need to add adaftp-data in iptables. You can add entry of 21 port in iptables.

Re: which iptables entries are needed for custom ftp service

skt_skt — Thu, 27 Mar 2008 09:29:02 GMT

disable the IP table if not mandatory. Try and configure/test the normal ftp first and make sure that is working itself.

Re: which iptables entries are needed for custom ftp service

skt_skt — Thu, 27 Mar 2008 09:32:41 GMT

Enabling ftp logging in Linux which can give more verbose information when u look at /var/log/vsftpd.log

â ¢ Update /etc/vsftpd/vsftpd.conf with xferlog_std_format=NO from xferlog_std_format=YES

When enabled, all FTP requests and responses are logged, providing the option xferlog_std_format is not enabled. Useful for debugging.

Default: NO

â ¢ Add log_ftp_protocol=YES at the end of /etc/vsftpd/vsftpd.conf

â ¢ Uncomment xferlog_file=/var/log/vsftpd.log on /etc/vsftpd/vsftpd.conf

Default log file is /var/log/xferlog

â ¢ Restart the vsftpd service

Re: which iptables entries are needed for custom ftp service

Debbie Fleith — Thu, 27 Mar 2008 11:23:20 GMT

Normal vsftpd is working fine. If I disable iptables, I don't have the problem. Yes, I can ping this server and ssh into it.

How do I determine if iptables is mandatory? If this server is going into a LAN that has a firewall already, can I safely keep iptables disabled?

Re: which iptables entries are needed for custom ftp service

Jeeshan — Thu, 27 Mar 2008 12:39:20 GMT

you figure out yourself what is your scenario.

if you wanna make system more secure than keep iptables but make sure you can access significant services.

another thing is you need not to set iptables entry with software or service level, you can specify it with tcp or udp port basis. coz a software or service level may need another tcp or udp port that may be block.

Re: which iptables entries are needed for custom ftp service

Debbie Fleith — Thu, 27 Mar 2008 15:27:06 GMT

more details.....
Yes, the ftp service is listening in Port 3021.
When I have 3021/tcp enabled in iptables, I can get a ftp connection established to port 3021, but I get "no route to host" when trying to transfer files.
When I have iptables enabled but without any reference to my custom ftp ports, I get "no route to host" errors when trying to establish the connection.

Re: which iptables entries are needed for custom ftp service

skt_skt — Thu, 27 Mar 2008 18:06:40 GMT

when u already have a firwall setup up in n/w level. then linux level firwall is not mandatory