RE: [Zope] iptables rules for zope webserver
Thank you for your advice. After I opened port 8022 the problem is still there. This is that ws_ftp can connect to zope, but the directories in zope can not be seen in the ws_ftp window. I checked the iptables rules for regular ftp in my iptables.rules. There are several lines as follows (this rule was set up by the previous administrator, and he has left):

-------------------------------------------------------------------------
# Passive inbound and outbound FTP
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
  -m state --state ESTABLISHED,RELATED -j ACCEPT
------------------------------------------------------------------------

I did some experiments with this. The interesting thing is that if I comment out these rules, regular ftp can access my linux server but the directories in my linux server can not be seen. My guess is maybe I need some lines like that for zope ftp to let passive transfer mode work, but I do not know how to do it.

Any further suggestion will be appreciated.

Jianping

On Mon, 2 Dec 2002, Jeff Sacksteder wrote:
you need to allow port 8021 and 8022.
iptables -A INPUT -i $IFACE -p tcp --dport 8021 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 8021 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 8022 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 8022 -m state --state ESTABLISHED -j ACCEPT
You might also consider writing them like this, I think it's easier to see what is happening.
iptables -A OUTPUT -o $IFACE -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 8021 -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport 8022 -j ACCEPT
Date: Sun, 1 Dec 2002 22:49:12 -0500 (EST)
From: Jianping Zhu <zjp@arches.uga.edu>
To: redhat-list@redhat.com
Cc: zjp@arches.uga.edu
Subject: iptables rules for zope webserver
I have a redhat linux 7.1 server with a zope webserver on it. I use iptables as firewall. Following are the iptables rules for zope:
#=======================================================================
## Zope
iptables -A INPUT -i $IFACE -p tcp --dport 8080 -j ACCEPT

# Allow inbound ftp
iptables -A INPUT -i $IFACE -p tcp --dport 8021 -m state --state \
  NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport 8021 -m state --state \
  ESTABLISHED -j ACCEPT
#=======================================================================
I am trying to use ws_ftp to send files to the zope server via port 8021 (in ws_ftp session property->advanced I set remote port as 8021 and checked passive transfers). If I stop iptables, I can connect to zope via ftp (port 8021) and ftp files to zope. If iptables is on, it still can connect to zope but I can not see the directories in the remote site text field of the ws_ftp window. It seems that it can connect to zope but can not display the directories in zope, and I failed to ftp to the zope server.
Therefore, I believe the above iptables rules for zope have a problem. How can I fix this problem and let zope ftp work? Any suggestion will be greatly appreciated.
Jianping
Hi-

There is probably a line like this:

/sbin/modprobe ip_conntrack_ftp

This module handles passive and active FTP connections. Unfortunately, it doesn't know that port 8021 is FTP - you need to tell it that it is. I would recommend you do this-

/sbin/modprove ip_conntrack_ftp ports=21,8021

Then, you have to make sure that port 8021 is open on your firewall - ip_conntrack_ftp will take care of opening the other ports.

HTH,
--Quentin

On Mon, 2 Dec 2002, Jianping Zhu wrote:
Date: Mon, 2 Dec 2002 11:21:01 -0500 (EST)
From: Jianping Zhu <zjp@arches.uga.edu>
To: zope@zope.org
Cc: Jeff Sacksteder <jwsacksteder@ramprecision.com>
Subject: RE: [Zope] iptables rules for zope webserver
Hi-

Whoops. That second example should read /sbin/modprobe, not /sbin/modprove. I always do that :)

--Quentin

On Mon, 2 Dec 2002, Quentin Smith wrote:
Date: Mon, 2 Dec 2002 21:14:05 -0500 (EST)
From: Quentin Smith <quentins@comclub.org>
To: Jianping Zhu <zjp@arches.uga.edu>
Cc: zope@zope.org, Jeff Sacksteder <jwsacksteder@ramprecision.com>
Subject: RE: [Zope] iptables rules for zope webserver
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
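The behaviour discussed in this thread, as an added example that is not code from any poster or from netfilter: a simplified Python model of a stateful firewall whose FTP helper only reads control channels on the ports it was loaded with, showing why the passive-mode directory listing on port 8021 is dropped until 8021 is in the helper's port list. The names, the address and the 227 reply are constructed, and the model assumes the ruleset already accepts RELATED connections, as the quoted passive FTP rules do.

```python
import re

# Constructed sample: the server's reply to PASV on the control channel.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if it is not one."""
    m = re.match(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The data port is sent as two bytes: high * 256 + low.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class ToyFirewall:
    """Simplified INPUT filtering; assumes a RELATED accept rule exists."""

    def __init__(self, open_ports, helper_ports):
        self.open_ports = set(open_ports)      # "--dport N -j ACCEPT" rules
        self.helper_ports = set(helper_ports)  # helper's ports= list
        self.expected = set()                  # expected (ip, data_port) pairs

    def control_reply(self, control_port, reply):
        # The helper only reads control channels on the ports it was given.
        if control_port in self.helper_ports:
            endpoint = parse_pasv(reply)
            if endpoint:
                self.expected.add(endpoint)

    def inbound_syn(self, dst_ip, dst_port):
        """Classify a new inbound TCP connection and return the verdict."""
        if dst_port in self.open_ports:
            return "ACCEPT (NEW)"
        if (dst_ip, dst_port) in self.expected:
            self.expected.discard((dst_ip, dst_port))  # one-shot expectation
            return "ACCEPT (RELATED)"
        return "DROP"

def listing_verdict(helper_ports):
    """Client logs in on 8021, sends PASV, then opens the data connection."""
    fw = ToyFirewall(open_ports={8021}, helper_ports=helper_ports)
    fw.control_reply(8021, PASV_REPLY)
    ip, port = parse_pasv(PASV_REPLY)
    return fw.inbound_syn(ip, port)

if __name__ == "__main__":
    print("helper on 21 only :", listing_verdict({21}))
    print("helper on 21,8021 :", listing_verdict({21, 8021}))
```

With the helper on port 21 only, the control login on 8021 succeeds but the data connection for the listing is dropped, which matches the symptom reported in the thread.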