Re: ftp passive mode and iptables

From: Anonymous (me@here.com)
Date: 12/29/02


From: "Anonymous" <me@here.com>
Date: Sun, 29 Dec 2002 17:08:24 GMT


"David Bolton" <angoraspruce@hotmail.com> wrote in message
news:MomP9.145875$qF3.10764@sccrnsc04...
> Hello,
>
> For whatever reason, I can only ftp into my ISP with passive mode OFF. I'm
> able to login using passive, but as soon as I try 'ls', I get:
> "ftp: connect: No route to host"
>
> This creates a problem with my firewall. With passive mode OFF, and with my
> iptables started, 'ls' gives:
> "Can't build data connection: Connection refused."
>
> Disabling the firewall, and turning passive mode OFF, allows me to ftp, but it
> is really a pain to do it this way.
>
> Anyone seen this before, and more importantly, know what's wrong with my
> iptables configuration?
>
> Best regards,
> David
>
> Below is the printout for iptables -L
>
> Chain INPUT (policy DROP)
> target prot opt source destination
> loopback all -- anywhere anywhere
> ACCEPT all -- 192.168.0.0/24 192.168.0.0/24
> RESERVED all -- 10.0.0.0/8 anywhere
> RESERVED all -- xxx.xx.0.0/12 anywhere
> RESERVED all -- 192.168.0.0/16 anywhere
> RESERVED all -- ALL-SYSTEMS.MCAST.NET anywhere
> RESERVED all -- ALL-ROUTERS.MCAST.NET anywhere
> RESERVED all -- DVMRP.MCAST.NET anywhere
> RESERVED all -- OSPF-ALL.MCAST.NET anywhere
> RESERVED all -- OSPF-DSIG.MCAST.NET anywhere
> RESERVED all -- RIP2-ROUTERS.MCAST.NET anywhere
> RESERVED all -- PIM-ROUTERS.MCAST.NET anywhere
> RESERVED all -- ALL-CBT-ROUTERS.MCAST.NET anywhere
> MULTICAST all -- ALL-SYSTEMS.MCAST.NET anywhere
> MULTICAST all -- ALL-ROUTERS.MCAST.NET anywhere
> MULTICAST all -- DVMRP.MCAST.NET anywhere
> MULTICAST all -- OSPF-ALL.MCAST.NET anywhere
> MULTICAST all -- OSPF-DSIG.MCAST.NET anywhere
> MULTICAST all -- RIP2-ROUTERS.MCAST.NET anywhere
> MULTICAST all -- PIM-ROUTERS.MCAST.NET anywhere
> MULTICAST all -- ALL-CBT-ROUTERS.MCAST.NET anywhere
> ACCEPT icmp -- anywhere anywhere limit: avg 1/sec burst 5
> ACCEPT udp -- anywhere anywhere udp spts:32769:65535 dpts:traceroute:33523
> DHCP udp -- 12.xxx.x.xx anywhere udp spt:bootps dpt:bootpc
> ACCEPT udp -- kargad.cerias.purdue.edu anywhere udp spt:ntp dpts:1024:65535
> DNS udp -- xxx.xxxxx.com anywhere udp spt:domain
> DNS udp -- xxx.xxxxx.com anywhere udp spt:domain
> PUBLIC tcp -- anywhere MyComputer.MyDomain tcp dpt:ssh
> PUBLIC udp -- anywhere MyComputer.MyDomain udp dpt:ssh
> PUBLIC tcp -- anywhere MyComputer.MyDomain tcp dpt:auth
> PUBLIC udp -- anywhere MyComputer.MyDomain udp dpt:auth
> OPENPORT tcp -- anywhere anywhere tcp dpt:ftp-data
> OPENPORT udp -- anywhere anywhere udp dpt:ftp-data
> OPENPORT tcp -- anywhere anywhere tcp dpt:ftp
> OPENPORT udp -- anywhere anywhere udp dpt:ftp
> STATEFUL all -- anywhere anywhere
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
> BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
> BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
> BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
> BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
> BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn
> STATEFUL all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> loopback all -- anywhere anywhere
> DROP icmp -- anywhere anywhere state INVALID
> BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ns
> BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ns
> BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-dgm
> BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-dgm
> BLOCK_OUT tcp -- anywhere anywhere tcp dpt:netbios-ssn
> BLOCK_OUT udp -- anywhere anywhere udp dpt:netbios-ssn
>
> Chain ACCEPTnLOG (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `gShield (accept) '
> ACCEPT all -- anywhere anywhere
>
> Chain BLACKLIST (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `gShield (blacklisted drop) '
> DROP all -- anywhere anywhere
>
> Chain BLOCK_OUT (12 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain CLIENT (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain CLOSED (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `gShield (closed port drop) '
> REJECT tcp -- anywhere anywhere reject-with tcp-reset
> REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
> DROP all -- anywhere anywhere
>
> Chain DHCP (1 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `gShield (DHCP accept) '
> ACCEPT all -- anywhere anywhere
>
> Chain DMZ (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `gShield (DMZ drop) '
> DROP all -- anywhere anywhere
>
> Chain DNS (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain DROPICMP (0 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain DROPnLOG (1 references)
> target prot opt source destination
> DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
> ACCEPT tcp -- anywhere anywhere tcp spt:http dpts:1024:65535 flags:!SYN,RST,ACK/SYN
> DROP udp -- anywhere 255.255.255.255 udp spt:bootps dpt:bootpc
> LOG all -- anywhere anywhere limit: avg 20/min burst 5 LOG level warning prefix `gShield (default drop) '
> LOG gre -- anywhere anywhere limit: avg 20/min burst 5 LOG level warning prefix `gShield (default drop / GRE) '
> REJECT tcp -- anywhere anywhere reject-with tcp-reset
> REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
> DROP all -- anywhere anywhere
>
> Chain HIGHPORT (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain MON_OUT (0 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain MULTICAST (8 references)
> target prot opt source destination
> DROP all -- anywhere anywhere
>
> Chain OPENPORT (4 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain PUBLIC (4 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
> Chain RESERVED (11 references)
> target prot opt source destination
> REJECT tcp -- anywhere anywhere reject-with tcp-reset
> REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
> DROP all -- anywhere anywhere
>
> Chain SCAN (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `gShield (possible port scan) '
> DROP all -- anywhere anywhere
>
> Chain SERVICEDROP (0 references)
> target prot opt source destination
> LOG all -- anywhere anywhere LOG level warning prefix `gShield (service drop) '
> REJECT tcp -- anywhere anywhere reject-with tcp-reset
> REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
> DROP all -- anywhere anywhere
>
> Chain STATEFUL (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> DROPnLOG all -- anywhere anywhere
>
> Chain loopback (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
>
>
>
> --
> Wealth consists not in having great possessions,
> but in having few wants.
> - Epicurus

iptables... what a mess.
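The question in the quoted post is what a stateful iptables ruleset needs so that FTP works with passive mode OFF. The following script is an added example, not from this thread and not part of the gShield ruleset shown above: it shows the client-side rules that rely on the kernel's FTP connection-tracking helper instead of opening ports. The interface name, the helper module name, the environment variables and the dry-run behaviour are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from gShield: stateful iptables rules
# for an FTP client behind a host firewall, covering both transfer modes.
#
# Why it matters: with passive mode OFF (active mode) the client sends PORT
# and the server opens the data connection from its port 20 to an ephemeral
# port on the client. To a stateful INPUT chain that inbound SYN is a NEW
# connection: a DROP policy swallows it, and a REJECT --reject-with tcp-reset
# answers it with a RST, which the server reports as "Connection refused".
# A rule accepting --dport ftp-data does not help a client, because the
# data connection's destination is the ephemeral port, not 20. The FTP
# connection-tracking helper instead reads the PORT command on the control
# channel and marks the expected data connection RELATED, so the ordinary
# RELATED,ESTABLISHED rule admits it without opening any port. With passive
# mode ON the client opens the data connection itself and the helper marks
# it RELATED from the server's PASV reply.
#
# Assumptions (mine, not the original poster's): external interface $EXT_IF
# (default eth0); helper module nf_conntrack_ftp (2.6.20+ kernels; 2.4-era
# kernels like the poster's call it ip_conntrack_ftp). By default the script
# only prints the commands it would run; APPLY=1 executes them as root.

EXT_IF="${EXT_IF:-eth0}"
IPT="${IPT:-iptables}"
FTP_HELPER="${FTP_HELPER:-nf_conntrack_ftp}"

# Execute a command when APPLY=1, otherwise print it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Load the helper. If the server listens on a non-standard control port,
# pass it as a module option, e.g. FTP_PORTS="21,2121".
load_ftp_helper() {
    if [ -n "${FTP_PORTS:-}" ]; then
        run modprobe "$FTP_HELPER" "ports=$FTP_PORTS"
    else
        run modprobe "$FTP_HELPER"
    fi
}

# Kernels 4.7 and later no longer attach helpers automatically; the control
# channel must be assigned to the ftp helper explicitly in the raw table.
# For a client the control channel is outbound, hence the OUTPUT chain.
assign_ftp_helper() {
    run "$IPT" -t raw -A OUTPUT -o "$EXT_IF" -p tcp --dport 21 -j CT --helper ftp
}

# INPUT rules for the client host. The RELATED,ESTABLISHED rule must sit
# before any chain that REJECTs or DROPs new connections.
ftp_client_rules() {
    run "$IPT" -A INPUT -i "$EXT_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Diagnostic: a NEW connection from source port 20 is a data connection
    # the helper did not expect (helper missing, not assigned, or control
    # channel on an untracked port). Log it, then let the rest of the
    # ruleset decide.
    run "$IPT" -A INPUT -i "$EXT_IF" -p tcp --sport 20 -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "ftp-data untracked: "
}

# True when the helper module is present (reads /proc/modules, no root).
helper_loaded() {
    [ -r /proc/modules ] && grep -q "^$FTP_HELPER " /proc/modules
}

load_ftp_helper
assign_ftp_helper
ftp_client_rules
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root. If "ftp-data untracked" lines show up in the kernel log while the helper is loaded, the control channel was not tracked (wrong port, or the helper was never assigned), which is the same symptom the poster sees from the client's side.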


