topic Re: Help on iptable! ftp and OmniBack can't work! in Operating System - Linux

Help on iptable! ftp and OmniBack can't work!

zhaogui — Mon, 14 Apr 2003 08:32:29 GMT

Attached is iptables rules, ftp will time out and OmniBack got inet error from Cell Manager sitting on 10.151.1.11. But if I take out the last two "REJECT" lines then they can work, any iptables expert can advise me on how to set up iptable?

Thanks in advance,

Re: Help on iptable! ftp and OmniBack can't work!

Erik_14 — Mon, 14 Apr 2003 21:16:49 GMT

Active FTP uses a control connection from the client to the server (which you've enabled in your firewall - tcp/21), and a data connection, on a non-privileged port mostly, from the server back to the client.

I've quickly scanned your firewall, and it seems you're even blocking all non-privileged traffic?
Try allowing tcp traffic on ports > 1023, or use passive FTP, which doesn't need a callback connection.

I don't know OmniBack, so can't help you with that.

Good luck :)

Erik.

Re: Help on iptable! ftp and OmniBack can't work!

Jarle Bjorgeengen — Tue, 15 Apr 2003 05:51:48 GMT

You need to set the range of ports that dataprotector is allowed to use, in the omnirc file I believe. If this is not specifies, dataprotector use any available high port.

Rgds Jarle

Re: Help on iptable! ftp and OmniBack can't work!

Bill Douglass — Tue, 15 Apr 2003 15:28:37 GMT

I think your cell manager is not getting response packets from the client (the inet error your mentioned) because packets to $msmeterp are being sent back to a port other than 5555. Try adding the following line:

iptables -A OUTPUT -p tcp -j ACCEPT -d $msmeterp -s $eth0IP --sport 5555

Anything sent from client port 5555 to the cell manager will be allowed.

I'm guessing from your iptables config that you have already configured /opt/omni/.omnirc with the following option:

OB2PORTRANGE=50000-50050

Hope that helps.

Re: Help on iptable! ftp and OmniBack can't work!

Ron Kinner — Tue, 15 Apr 2003 20:13:59 GMT

The way you write the filter depends on whether you will be an FTP server or a client. (The client originates the FTP session.)

To Serve as an FTP server you have to accept INPUT packets to destination port 21. You Then have to reply using an OUTPUT to source port 21. Now that you have the control connection up you have to establish a second connection with an OUTPUT source port 20 which will reply with an INPUT to source port 20.

If you want to be an ftp client then it's backwards. You have to pass an OUTPUT packet with destination 21 and receive an INPUT packet with source port 21. When the data connection starts you will need to pass an INPUT packet with source port 20 and accept a reply with an OUTPUT packet of destination port 20.

#FTP SERVER:

iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --dport 21
iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --sport 21

iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --dport 20
iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --sport 20

This is what you already have.

If you want to FTP from the LINUX box to another FTP Server then you need:

#FTP Client:

iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --dport 21
iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --sport 21

iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --sport 20
iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --dport 20

Ron

Re: Help on iptable! ftp and OmniBack can't work!

U.SivaKumar_2 — Wed, 16 Apr 2003 04:13:57 GMT

Hi,

It seems that you have not loaded the connection tracking modules.

#modprobe ip_conntrack
#modprobe ip_conntrack_ftp

Hope your problem is solved

regards,

U.SivaKumar

Re: Help on iptable! ftp and OmniBack can't work!

zhaogui — Thu, 17 Apr 2003 01:50:42 GMT

Sorry for late reply due to some urgent things.

Attached is my current iptables rules,

Well, for OmniBack, I have adopted Bill Douglass's suggestion and it is making progress in the sense that I can telnet cellmgr 5555 from Linux and vise visa, but Omniback came back with a new error as below, here msmarketp2 is Linux, msmeterp is cell manager:
"[Critical] From: BDA-NET@msmarketp2 "/opt" Time: 04/17/03 02:11:22
Cannot connect to Media Agent on system msmeterp, port 50007 (IPC Cannot Connect
System error: [110] Connection timed out
) => aborting.

[Critical] From: VBDA@msmarketp2 "/opt" Time: 04/17/03 02:11:22
Unexpected close reading NET message => aborting. Why?

Another strange thing is, .omnirc on this Linux, the OmniBack client did have defined OB2PORTRANGE=50000-50050, but it seems it is not working as I can see from running telnet msmeterp 5555 by running lsof -p 'telnet pid', I got the following,
telnet 30332 root 3u IPv4 287282 TCP msmarketp2:32925->msmeterp:omni (SYN_SENT)
So in my attachment I changed it to 30000:50050.

For ftp, since I am using Linux as ftp client, then I adopted Ron Kinner's comments
and I managed to run ftp msmeterp but strangely I went into passive mode when I issue "DIR" or "ls" in "ftp>",

Can Ron tell me how to use active mode?

Thanks a lot,

Re: Help on iptable! ftp and OmniBack can't work!

Ron Kinner — Thu, 17 Apr 2003 12:54:31 GMT

Passive mode is determined by the client so you need to look in the ftp options for the client. Since I don't know what version of LINUX or what ftp client you are using that's about all I can tell you.

Ron