HPE Community
Operating System - Linux
1827880 Members
1406 Online
109969 Solutions
New Discussion

Help on iptable! ftp and OmniBack can't work!

 
zhaogui
Super Advisor

‎04-14-2003 01:32 AM

‎04-14-2003 01:32 AM

Help on iptable! ftp and OmniBack can't work!

Attached is iptables rules, ftp will time out and OmniBack got inet error from Cell Manager sitting on 10.151.1.11. But if I take out the last two "REJECT" lines then they can work, any iptables expert can advise me on how to set up iptable?

Thanks in advance,
0 Kudos
Reply
7 REPLIES 7
Erik_14
Occasional Advisor

‎04-14-2003 02:16 PM

‎04-14-2003 02:16 PM

Re: Help on iptable! ftp and OmniBack can't work!

Active FTP uses a control connection from the client to the server (which you've enabled in your firewall - tcp/21), and a data connection, on a non-privileged port mostly, from the server back to the client.

I've quickly scanned your firewall, and it seems you're even blocking all non-privileged traffic?
Try allowing tcp traffic on ports > 1023, or use passive FTP, which doesn't need a callback connection.

I don't know OmniBack, so can't help you with that.

Good luck :)

Erik.
0 Kudos
Reply
Jarle Bjorgeengen
Trusted Contributor

‎04-14-2003 10:51 PM

‎04-14-2003 10:51 PM

Re: Help on iptable! ftp and OmniBack can't work!

You need to set the range of ports that dataprotector is allowed to use, in the omnirc file I believe. If this is not specifies, dataprotector use any available high port.

Rgds Jarle
0 Kudos
Reply
Bill Douglass
Esteemed Contributor

‎04-15-2003 08:28 AM

‎04-15-2003 08:28 AM

Re: Help on iptable! ftp and OmniBack can't work!

I think your cell manager is not getting response packets from the client (the inet error your mentioned) because packets to $msmeterp are being sent back to a port other than 5555. Try adding the following line:

iptables -A OUTPUT -p tcp -j ACCEPT -d $msmeterp -s $eth0IP --sport 5555


Anything sent from client port 5555 to the cell manager will be allowed.

I'm guessing from your iptables config that you have already configured /opt/omni/.omnirc with the following option:

OB2PORTRANGE=50000-50050

Hope that helps.
0 Kudos
Reply
Ron Kinner
Honored Contributor

‎04-15-2003 01:13 PM

‎04-15-2003 01:13 PM

Re: Help on iptable! ftp and OmniBack can't work!

The way you write the filter depends on whether you will be an FTP server or a client. (The client originates the FTP session.)


To Serve as an FTP server you have to accept INPUT packets to destination port 21. You Then have to reply using an OUTPUT to source port 21. Now that you have the control connection up you have to establish a second connection with an OUTPUT source port 20 which will reply with an INPUT to source port 20.

If you want to be an ftp client then it's backwards. You have to pass an OUTPUT packet with destination 21 and receive an INPUT packet with source port 21. When the data connection starts you will need to pass an INPUT packet with source port 20 and accept a reply with an OUTPUT packet of destination port 20.

#FTP SERVER:

iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --dport 21
iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --sport 21


iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --dport 20
iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --sport 20

This is what you already have.

If you want to FTP from the LINUX box to another FTP Server then you need:

#FTP Client:

iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --dport 21
iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --sport 21

iptables -A INPUT -p tcp -j ACCEPT -d $eth0IP -s $msdbeth0IP --sport 20
iptables -A OUTPUT -p tcp -j ACCEPT -s $eth0IP -d $msdbeth0IP --dport 20

Ron

0 Kudos
Reply
U.SivaKumar_2
Honored Contributor

‎04-15-2003 09:13 PM

‎04-15-2003 09:13 PM

Re: Help on iptable! ftp and OmniBack can't work!

Hi,

It seems that you have not loaded the connection tracking modules.

#modprobe ip_conntrack
#modprobe ip_conntrack_ftp

Hope your problem is solved

regards,

U.SivaKumar

Innovations are made when conventions are broken
0 Kudos
Reply
zhaogui
Super Advisor

‎04-16-2003 06:50 PM

‎04-16-2003 06:50 PM

Re: Help on iptable! ftp and OmniBack can't work!

Sorry for late reply due to some urgent things.

Attached is my current iptables rules,

Well, for OmniBack, I have adopted Bill Douglass's suggestion and it is making progress in the sense that I can telnet cellmgr 5555 from Linux and vise visa, but Omniback came back with a new error as below, here msmarketp2 is Linux, msmeterp is cell manager:
"[Critical] From: BDA-NET@msmarketp2 "/opt" Time: 04/17/03 02:11:22
Cannot connect to Media Agent on system msmeterp, port 50007 (IPC Cannot Connect
System error: [110] Connection timed out
) => aborting.

[Critical] From: VBDA@msmarketp2 "/opt" Time: 04/17/03 02:11:22
Unexpected close reading NET message => aborting. Why?

Another strange thing is, .omnirc on this Linux, the OmniBack client did have defined OB2PORTRANGE=50000-50050, but it seems it is not working as I can see from running telnet msmeterp 5555 by running lsof -p 'telnet pid', I got the following,
telnet 30332 root 3u IPv4 287282 TCP msmarketp2:32925->msmeterp:omni (SYN_SENT)
So in my attachment I changed it to 30000:50050.

For ftp, since I am using Linux as ftp client, then I adopted Ron Kinner's comments
and I managed to run ftp msmeterp but strangely I went into passive mode when I issue "DIR" or "ls" in "ftp>",

Can Ron tell me how to use active mode?

Thanks a lot,




0 Kudos
Reply
Ron Kinner
Honored Contributor

‎04-17-2003 05:54 AM

‎04-17-2003 05:54 AM

Re: Help on iptable! ftp and OmniBack can't work!

Passive mode is determined by the client so you need to look in the ftp options for the client. Since I don't know what version of LINUX or what ftp client you are using that's about all I can tell you.

Ron
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.