FTP not listing files behind firewall (setsockopt (ignored): Permission denied)
Posted
by
KennyDs
on Server Fault
See other posts from Server Fault
or by KennyDs
Published on 2013-06-27T08:50:00Z
Indexed on
2013/06/27
10:23 UTC
Read the original article
Hit count: 232
We are developing a Magento application that has a module that works with FTP. Today we deployed this on the testing environment which is setup in the following way:
Gateway server which has the following iptables rules:
# iptables -L -n -v
Chain INPUT (policy ACCEPT 2 packets, 130 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
165 13720 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 7 packets, 606 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
15 965 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 126 packets, 31690 bytes)
pkts bytes target prot opt in out source destination
These are set at runtime via the following bash script:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
The gateway server is connected to the WAN via eth1 and is connected to the internal network via eth0.
One of the servers from eth1 has the following problem when trying to list files over ftp:
$ ftp -vd myftpserver.com
Connected to myftpserver.com
220 Welcome to MY FTP Server
ftp: setsockopt: Bad file descriptor
Name (myftpserver.com:magento): XXXXXXXX
---> USER XXXXXXXX
331 User XXXXXXXX, password please
Password:
---> PASS XXXX
230 Password Ok, User logged in
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,19,15,135,75
421 Service not available, remote server has closed connection
When I try listing the files in passive mode, same result.
When I run the same command on the gateway server, everything works fine so I believe that the issue is happening because of the iptables rules not forwarding properly.
Does anyone have an idea which rule I need to add to make this work?
© Server Fault or respective owner
