Re: I need iptables ftp nat help

Rick Stevens Fri, 24 Aug 2018 09:38:25 -0700

On 08/23/2018 09:06 PM, Todd Chester wrote:
> 
> 
> On 08/23/2018 12:14 PM, Mike Wright wrote:
>> On 08/23/2018 11:50 AM, ToddAndMargo wrote:
>>> On 08/23/2018 11:41 AM, Mike Wright wrote:
>>>> On 08/23/2018 11:23 AM, ToddAndMargo wrote:
>>>>>
>>>>> Just ftp client and I want to support both active and passive mode
>>>>>
>>>>
>>>> This covers both:
>>>>
>>>> http://www.devops-blog.net/iptables/iptables-settings-for-outgoing-ftp
>>>>
>>>> :m
>>>
>>> Hi Mike,
>>>
>>> That is a description of what is happening.
>>>
>>> I am looking for Fedora specific iptables instructions.
>>
>> iptables rules are processed by the kernel.  They are distribution
>> agnostic.
>>
>> :m
> 
> Yippee!!
> 
> I still the directions.  What worked on RHEL, does not
> work on Fedora, so what am I doing wrong?


If you're trying to run an FTP _client_, I can't imagine why Fedora
would block FTP. On a bone-stock XFCE F28 VM, ftp client operations
seem to work fine with no futzing of the firewall (iptables). If you
want to know what the ruleset is:

---------------------------------------------------------------------
[root@F28-virt ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate
RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate
INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0
reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate
RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate
INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0
reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDI_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
FWDO_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDI_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
FWDO_public_allow  all  --  0.0.0.0/0            0.0.0.0/0

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ctstate NEW
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp
dpt:5353 ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
---------------------------------------------------------------------

Your issue seems to be with a firewall or router upstream of your
machine. As a test, you could (as root) do something drastic like:

        # systemctl stop firewalld

to completely shut down your firewall, then test your FTP access.
Don't forget to re-enable the firewall as soon as possible:

        # systemctl start firewalld

As I mentioned before, the firewall on F28 is more restrictive
_of_incoming_connections_ than RHEL 5/6 was. This should only affect
you if you are trying to run an FTP _server_ on your machine. FTP
client connections (those initiated on your machine) should not be
restricted (that's the whole purpose of things like "ctstate
RELATED,ESTABLISHED"
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ri...@alldigital.com -
- AIM/Skype: therps2        ICQ: 226437340           Yahoo: origrps2 -
-                                                                    -
-        God is real...........unless declared integer or long       -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/W4KRW7LDMFOHIHTTDJHYJWIUMXBV275H/

Re: I need iptables ftp nat help

Reply via email to