[Zope] iptables rules for zope webserver
Quentin Smith
quentins@comclub.org
Mon, 2 Dec 2002 21:14:05 -0500 (EST)
Hi-
There is probably a line like this:
/sbin/modprobe ip_conntrack_ftp
This module handles passive and active FTP connections. Unfortunately, it
doesn't know that port 8021 is FTP - you need to tell it that it is. I
would recommend you do this-
/sbin/modprobe ip_conntrack_ftp ports=21,8021
Then, you have to make sure that port 8021 is open on your firewall -
ip_conntrack_ftp will take care of opening the other ports.
HTH,
--Quentin
On Mon, 2 Dec 2002, Jianping Zhu wrote:
> Date: Mon, 2 Dec 2002 11:21:01 -0500 (EST)
> From: Jianping Zhu <zjp@arches.uga.edu>
> To: zope@zope.org
> Cc: Jeff Sacksteder <jwsacksteder@ramprecision.com>
> Subject: RE: [Zope] iptables rules for zope webserver
>
> Thank you for your advice, after I open the port 8022 the problem is still
> there. This is that ws_ftp can connect to zope, but the directories in zope
> can not be seen in the ws_ftp window. I checked the iptables rules for
> regular ftp in my iptables.rules. There are several lines as following:
> (this rule is set up by the previous administrator, and he has left)
>
> -------------------------------------------------------------------------
> # Passive inbound and outbound FTP
> iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
> -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
> -m state --state ESTABLISHED,RELATED -j ACCEPT
> ------------------------------------------------------------------------
> I did some experiment to this. The interesting thing is that if I comment
> out these rules, regular ftp can access my linux server but the directories
> in my linux server can not be seen. My guess is maybe I need some lines like
> that for zope ftp to let passive transfer mode work, but I do not know how
> to do it.
>
> Any further suggestion will be appreciated.
>
>
> Jianping
>
>
>
> On Mon, 2 Dec 2002, Jeff Sacksteder wrote:
>
> > you need to allow port 8021 and 8022.
> >
> > iptables -A INPUT -i $IFACE -p tcp --dport 8021 -m state --state
> > NEW,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -o $IFACE -p tcp --sport 8021 -m state --state
> > ESTABLISHED -j ACCEPT
> > iptables -A INPUT -i $IFACE -p tcp --dport 8022 -m state --state
> > NEW,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -o $IFACE -p tcp --sport 8022 -m state --state
> > ESTABLISHED -j ACCEPT
> >
> > You might also consider writing them like this, I think it's easier to see
> > what is happening.
> >
> > iptables -A OUTPUT -o $IFACE -p tcp -m state --state ESTABLISHED -j ACCEPT
> > iptables -A INPUT -i $IFACE -p tcp --dport 8021 -j ACCEPT
> > iptables -A INPUT -i $IFACE -p tcp --dport 8022 -j ACCEPT
> >
>
>
> >>Date: Sun, 1 Dec 2002 22:49:12 -0500 (EST)
> >>From: Jianping Zhu <zjp@arches.uga.edu>
> >>To: redhat-list@redhat.com
> >>Cc: zjp@arches.uga.edu
> >>Subject: iptables rules for zope webserver
>
> >>I have a redhat linux 7.1 server with a zope webserver on it. I use
> >>iptables as firewall. following is the iptables rules for zope:
>
> >>#=======================================================================
> >>## Zope
> >>iptables -A INPUT -i $IFACE -p tcp --dport 8080 -j ACCEPT
>
> >># Allow inbound ftp
> >>iptables -A INPUT -i $IFACE -p tcp --dport 8021 -m state --state \
> >> NEW,ESTABLISHED -j ACCEPT
> >>iptables -A OUTPUT -o $IFACE -p tcp --sport 8021 -m state --state \
> >> ESTABLISHED -j ACCEPT
> >>#=======================================================================
>
> >>I am trying to use ws_ftp to send files to zope server via port 8021 (in
> >>ws_ftp session property->advanced I set remote port as 8021 and checked
> >>passive transfers). If I stop iptables, I can connect to zope via ftp
> >>(port 8021) and ftp files to zope. If the iptables is on, it still can
> >>connect to zope but I can not see the directories in the remote site text
> >>field of the ws_ftp window. It seems that it can connect to zope but can
> >>not display the directories in zope, and I failed to ftp to the zope
> >>server.
>
> >>Therefore, I believe the above iptables rules for zope have problem. How
> >>can I fix this problem and let zope ftp work?
> >>Any suggestion will be greatly appreciated.
>
> >>Jianping
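The following script is an added example for this thread, not a script posted by Quentin, Jeff or Jianping. It puts the whole thread's advice into one stateful rule set: load the FTP connection-tracking helper with `ports=21,8021` so it parses the PASV reply on the Zope FTP control channel, then accept `ESTABLISHED,RELATED` on INPUT so the helper-expected passive data connection is let through without opening any high-port range by hand. The interface name `eth0`, the port numbers as defaults, the default-DROP INPUT policy, the `DRY_RUN` switch and the `show`/`apply`/`check` sub-commands are all assumptions of this example. The module name `ip_conntrack_ftp` is the one the thread uses (2.4-era kernels); on current kernels the same helper is `nf_conntrack_ftp`.

```shell
#!/bin/sh
# Added example (not from the thread): firewall rules for a Zope host that
# serves HTTP on 8080 and FTP on 8021. Assumed defaults, overridable from
# the environment: IFACE=eth0, ZOPE_HTTP_PORT=8080, ZOPE_FTP_PORT=8021.
IFACE="${IFACE:-eth0}"
ZOPE_HTTP_PORT="${ZOPE_HTTP_PORT:-8080}"
ZOPE_FTP_PORT="${ZOPE_FTP_PORT:-8021}"

# With DRY_RUN set, print each command instead of executing it, so the rule
# set can be reviewed before it touches the live firewall.
run_cmd() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

zope_firewall_rules() {
    # The FTP helper only inspects connections on the ports it is told about.
    # Without 8021 here the "227 Entering Passive Mode" reply from Zope is
    # never parsed, no RELATED expectation is created for the data port the
    # server announced, and the client's directory listing hangs (the symptom
    # described in the thread).
    run_cmd /sbin/modprobe ip_conntrack_ftp ports=21,"$ZOPE_FTP_PORT"

    # Default deny on input; everything accepted below is explicit.
    run_cmd iptables -P INPUT DROP
    run_cmd iptables -A INPUT -i lo -j ACCEPT

    # One stateful rule admits return traffic (ESTABLISHED) and the passive
    # data connections the helper expects (RELATED). This replaces the broad
    # --sport/--dport $UP_PORTS range rules quoted in the thread.
    run_cmd iptables -A INPUT -i "$IFACE" -p tcp \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Control channels: only new connections to the two Zope ports.
    run_cmd iptables -A INPUT -i "$IFACE" -p tcp --dport "$ZOPE_HTTP_PORT" \
        -m state --state NEW -j ACCEPT
    run_cmd iptables -A INPUT -i "$IFACE" -p tcp --dport "$ZOPE_FTP_PORT" \
        -m state --state NEW -j ACCEPT
}

# Self-check on the generated commands: the helper must know the Zope FTP
# port, the control port must be open, and RELATED must be accepted.
# Returns 0 when all three are present.
check_rules() {
    out=$(DRY_RUN=1 zope_firewall_rules)
    printf '%s\n' "$out" | grep -q "ip_conntrack_ftp ports=21,$ZOPE_FTP_PORT" || return 1
    printf '%s\n' "$out" | grep -q -- "--dport $ZOPE_FTP_PORT" || return 1
    printf '%s\n' "$out" | grep -q "ESTABLISHED,RELATED" || return 1
    return 0
}

case "${1:-}" in
    show)  DRY_RUN=1 zope_firewall_rules ;;
    apply) zope_firewall_rules ;;
    check) check_rules && echo "rule set OK" ;;
esac
```

Run `sh zope-fw.sh show` to print the commands, `sh zope-fw.sh check` to verify the three conditions above, and `sh zope-fw.sh apply` as root to install them. If the host also has a DROP policy on OUTPUT, add the matching `iptables -A OUTPUT -o $IFACE -p tcp -m state --state ESTABLISHED -j ACCEPT` rule that Jeff's reply suggests; the example keeps OUTPUT at its default policy.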