XXX昨天,将DENY放在ACCEPT之前了。
然后,DROP的条目都生效了。
但同时,VSFTP服务的ACTIVE模式连上正常,但PASSIVE不能使用了。
只好再找方案来解决。
就是在/etc/sysconfig/iptables-config文件里加截模块IPTABLES_MODULES="ip_conntrack_ftp"
搞定。
http://balajitheone.blogspot.com/2011/09/opening-iptables-for-vsftpd.html
Opening IPtables for VSFTPD
While working with vsftpd configuring iptables is essential. It can be done as follows:
Here's the document I refer people to so that they can following the FTP protocol:
http://slacksite.com/other/ftp.html
- To do active-mode FTP, you need to allow incoming connections to TCP port 21 and outgoing connections from port 20.
- To do passive-mode FTP, you need to allow incoming connections to TCP port 21 and incoming connections to a randomly-generated port on the server computer (necessitating using a conntrack module in netfilter)
You don't have anything re: your OUTPUT chain in your post, so I'll include that here, too. If your OUTPUT chain is default-drop then this matters.
Add these rules to your iptables configuration:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
To support passive mode FTP, then, you need to load the ip_conntrack_ftp module on boot. Uncomment and modify the IPTABLES_MODULES line in the /etc/sysconfig/iptables-config file to read:
IPTABLES_MODULES="ip_conntrack_ftp"
Save the iptables config and restart iptables.
service iptables save
service iptables restart
To completely rule out VSFTPD as being a problem, stop VSFTPD, verify that it's not listening on port 21 with a "netstat -a" and then run a :
nc -l 21
This will start netcat listening on port 21 and will echo input to your shell. From another host, TELNET to port 21 of your server and verify that you get a TCP connection and that you see output in the shell when you type in the TELNET connection.
Finally, bring VSFTPD back up, verify that it is listening on port 21, and try to connect again. If the connection to netcat worked then your iptables rules are fine. If the connection to VSFTPD doesn't work after netcat does then something is wrong w/ your VSFTPD configuration
References:
