
Firewall settings for vsftpd passive mode

Yesterday xxx put the deny rules before the accept rules.

After that, all the drop entries took effect.

But at the same time, active-mode connections to the vsftp service still worked fine, while passive mode could no longer be used.

So I had to look for a solution.

It was to load the module in the /etc/sysconfig/iptables-config file by adding <code>IPTABLES_MODULES="ip_conntrack_ftp"</code>.

Done.

While working with vsftpd, configuring iptables is essential. It can be done as follows:

To do active-mode FTP, you need to allow incoming connections to TCP port 21 and outgoing connections from port 20.

To do passive-mode FTP, you need to allow incoming connections to TCP port 21 and incoming connections to a randomly-generated port on the server computer (necessitating using a conntrack module in netfilter).

You don't have anything re: your OUTPUT chain in your post, so I'll include that here, too. If your OUTPUT chain is default-drop then this matters.

Add these rules to your iptables configuration:

To support passive mode FTP, then, you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read:

Save the iptables config and restart iptables.

To completely rule out vsftpd as being a problem, stop vsftpd, verify that it's not listening on port 21 with a "netstat -a" and then run a :

This will start netcat listening on port 21 and will echo input to your shell. From another host, telnet to port 21 of your server and verify that you get a TCP connection and that you see output in the shell when you type in the telnet connection.

Finally, bring vsftpd back up, verify that it is listening on port 21, and try to connect again. If the connection to netcat worked then your iptables rules are fine. If the connection to vsftpd doesn't work after netcat does then something is wrong w/ your vsftpd configuration.
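The following script is an added example; it is not code from the blog post or from the quoted ServerFault answer. It puts the three points above into checkable form: the rule set an FTP server needs behind a default-DROP policy (emitted as iptables-save text for review rather than applied), an editor for the `IPTABLES_MODULES` line in iptables-config that works on whatever path you hand it, and a check for the ordering mistake the post describes, where a deny placed above the RELATED,ESTABLISHED accept breaks passive mode while active mode keeps working. The rule wording and the RHEL/CentOS-style config file layout are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the blog post or the quoted ServerFault answer.
# Assumptions: a RHEL/CentOS-style /etc/sysconfig/iptables-config and rules in
# iptables-save syntax. Nothing here touches the live firewall: the rules are
# printed for review and the config edit runs on whatever path you pass
# (try a copy first, then the real file as root).

# Emit the rules vsftpd needs behind a default-DROP policy. The
# RELATED,ESTABLISHED rule is what lets passive data connections in once
# ip_conntrack_ftp has parsed the PASV reply; it must sit above any DROP.
ftp_rules() {
    cat <<'EOF'
# control channel: clients connect to tcp/21
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# active mode: the server opens the data channel from tcp/20
-A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# passive mode: random data port, marked RELATED by the ip_conntrack_ftp helper
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Set IPTABLES_MODULES in the given iptables-config file so the FTP helper
# loads at boot. Replaces a commented-out or empty line; appends if absent.
enable_ftp_helper() {
    cfg="$1"
    tmp="$cfg.tmp"
    if grep -q '^#*IPTABLES_MODULES=' "$cfg"; then
        sed 's/^#*IPTABLES_MODULES=.*/IPTABLES_MODULES="ip_conntrack_ftp"/' "$cfg" > "$tmp" \
            && mv "$tmp" "$cfg"
    else
        printf 'IPTABLES_MODULES="ip_conntrack_ftp"\n' >> "$cfg"
    fi
}

# Return 0 if the INPUT chain in an iptables-save style file accepts
# RELATED,ESTABLISHED before any DROP/REJECT rule, 1 otherwise. This is the
# ordering mistake described in the post: a deny placed before the accept
# silently kills passive mode while active mode keeps working.
check_input_order() {
    awk '
        /^-A INPUT/ && /-j (DROP|REJECT)/ && !accepted { bad = 1 }
        /^-A INPUT/ && /RELATED/ && /-j ACCEPT/ { accepted = 1 }
        END { if (bad) exit 1; exit 0 }
    ' "$1"
}

# Usage (review the output before applying it with iptables-restore as root):
#   ftp_rules > /tmp/ftp-rules.txt && check_input_order /tmp/ftp-rules.txt
#   cp /etc/sysconfig/iptables-config /tmp/iptables-config && enable_ftp_helper /tmp/iptables-config
```

The rules are printed rather than applied so that they can be inspected and run through `check_input_order` before anything reaches the kernel; running `check_input_order` against the output of `iptables-save` on a live box is a quick way to confirm the DROP-before-ACCEPT mistake from the post has not crept back in.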

References:

<a href="http://serverfault.com/questions/38398/allowing-ftp-with-iptables">http://serverfault.com/questions/38398/allowing-ftp-with-iptables</a>