Iptables REJECT doesn't let the ftp server list files

andufo asked:

I had to comment out these 2 lines in my iptables file, because for some reason it was denying FTP listing (it does connect to the FTP server, but it never lists the files and then it just times out):

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

…I changed it to…

# -A INPUT -j REJECT --reject-with icmp-host-prohibited
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited

What could be the issue? I have those same 2 lines in another server and I have no problems listing files in ftp in that server.

In case you need it, this is the complete iptables file:

# Generated by iptables-save v1.4.7 on Wed Jan 15 22:36:31 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:412]
-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11211 -j ACCEPT
# -A INPUT -j REJECT --reject-with icmp-host-prohibited
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jan 15 22:36:31 2014

My answer:


You forgot to enable connection tracking on your FTP rule.

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Like the other rules you have, this one needs to be stateful, so that FTP data transfers are considered RELATED:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

I would also suggest that you stop blindly copying rules from different web sites, and put a little time into understanding how the firewall works.
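Added example, not code from the question or the answer: a POSIX shell script that writes out a corrected ruleset for iptables-restore, lints a ruleset for the stateless-ACCEPT pattern the answer objects to, and checks whether the kernel's FTP connection-tracking helper is loaded. It assumes that the data channel is only classed RELATED when that helper (nf_conntrack_ftp) is present, that on kernels 4.7 and later the helper must be assigned explicitly with a CT rule in the raw table, and it keeps only the ports 21, 22 and 80 from the question.

```shell
# Added example, not from the original post. Emits an iptables-restore
# ruleset where the FTP control port is stateful and the control connection
# is handed to the kernel FTP conntrack helper, which is what actually tags
# the data channel RELATED. Ports other than 21/22/80 are omitted here.
set -eu

# Report whether the FTP conntrack helper module is loaded (0 = yes).
# Without it, RELATED never matches the data connection, whatever the
# port-21 rule says.
ftp_helper_loaded() {
    grep -q '^nf_conntrack_ftp ' /proc/modules 2>/dev/null
}

# Print the corrected ruleset; the REJECT lines from the question stay in.
build_ftp_ruleset() {
    cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Assign the ftp helper explicitly; kernels 4.7+ no longer do it
# automatically (net.netfilter.nf_conntrack_helper defaults to 0).
-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies, and the helper-tagged FTP data channel, are accepted here.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Lint helper: read a ruleset on stdin and print INPUT ACCEPT rules for TCP
# that carry no --state match, i.e. the pattern the answer objects to.
stateless_accepts() {
    grep -- '^-A INPUT -p tcp' | grep -- '-j ACCEPT' | grep -v -- '--state' || true
}

# Stand-alone use: lint the question's original port-21 rule, then print
# the corrected ruleset (pipe it to iptables-restore once reviewed).
printf '%s\n' '-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT' | stateless_accepts
build_ftp_ruleset
```

Run `ftp_helper_loaded && echo loaded` on the host before loading the ruleset; if it reports nothing, `modprobe nf_conntrack_ftp` first.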
View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.