[Zope] iptables rules for zope webserver

Quentin Smith quentins@comclub.org
Mon, 2 Dec 2002 21:24:39 -0500 (EST)


Hi-
Whoops.
That second example should read /sbin/modprobe, not /sbin/modprove. I 
always do that :)
--Quentin

On Mon, 2 Dec 2002, Quentin Smith wrote:

> Date: Mon, 2 Dec 2002 21:14:05 -0500 (EST)
> From: Quentin Smith <quentins@comclub.org>
> To: Jianping Zhu <zjp@arches.uga.edu>
> Cc: zope@zope.org, Jeff Sacksteder <jwsacksteder@ramprecision.com>
> Subject: RE: [Zope] iptables rules for  zope webserver
> 
> Hi-
> There is probably a line like this:
> /sbin/modprobe ip_conntrack_ftp
> This module handles passive and active FTP connections. Unfortunately, it 
> doesn't know that port 8021 is FTP - you need to tell it that it is. I 
> would recommend you do this-
> /sbin/modprove ip_conntrack_ftp ports=21,8021
> Then, you have to make sure that port 8021 is open on your firewall - 
> ip_conntrack_ftp will take care of opening the other ports.
> HTH,
> --Quentin
> 
> On Mon, 2 Dec 2002, Jianping Zhu wrote:
> 
> > Date: Mon, 2 Dec 2002 11:21:01 -0500 (EST)
> > From: Jianping Zhu <zjp@arches.uga.edu>
> > To: zope@zope.org
> > Cc: Jeff Sacksteder <jwsacksteder@ramprecision.com>
> > Subject: RE: [Zope] iptables rules for  zope webserver
> > 
> > Thank you for your advice. After I open port 8022 the problem is still
> > there: ws_ftp can connect to zope, but the directories in zope
> > cannot be seen in the ws_ftp window. I checked the iptables rules for
> > regular ftp in my iptables.rules. There are several lines as follows
> > (these rules were set up by the previous administrator, and he has left):
> > 
> > -------------------------------------------------------------------------
> > # Passive inbound and outbound FTP
> > iptables -A INPUT  -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
> >  -m state --state ESTABLISHED,RELATED -j ACCEPT
> > iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
> >  -m state --state ESTABLISHED,RELATED -j ACCEPT
> > ------------------------------------------------------------------------
> > I did some experiments with this. The interesting thing is that if I comment
> > out these rules, regular ftp can access my linux server but the directories
> > on my linux server cannot be seen. My guess is that maybe I need some lines
> > like that for zope ftp to let passive transfer mode work, but I do not know
> > how to do it.
> > 
> > Any further suggestion will be appreciated.
> > 
> > 
> > Jianping  
> > 
> > 
> > 
> > On Mon, 2 Dec 2002, Jeff Sacksteder wrote:
> > 
> > > You need to allow ports 8021 and 8022.
> > > 
> > > iptables -A INPUT  -i $IFACE -p tcp --dport 8021 -m state --state \
> > >  NEW,ESTABLISHED -j ACCEPT
> > > iptables -A OUTPUT -o $IFACE -p tcp --sport 8021 -m state --state \
> > >  ESTABLISHED -j ACCEPT
> > > iptables -A INPUT  -i $IFACE -p tcp --dport 8022 -m state --state \
> > >  NEW,ESTABLISHED -j ACCEPT
> > > iptables -A OUTPUT -o $IFACE -p tcp --sport 8022 -m state --state \
> > >  ESTABLISHED -j ACCEPT
> > > 
> > > You might also consider writing them like this; I think it's easier to see
> > > what is happening.
> > > 
> > > iptables -A OUTPUT -o $IFACE -p tcp -m state --state ESTABLISHED -j ACCEPT
> > > iptables -A INPUT  -i $IFACE -p tcp --dport 8021 -j ACCEPT
> > > iptables -A INPUT  -i $IFACE -p tcp --dport 8022 -j ACCEPT
> > > 
> > 
> > 
> > >>Date: Sun, 1 Dec 2002 22:49:12 -0500 (EST)
> > >>From: Jianping Zhu <zjp@arches.uga.edu>
> > >>To: redhat-list@redhat.com
> > >>Cc: zjp@arches.uga.edu
> > >>Subject: iptables rules for  zope webserver
> > 
> > >>I have a redhat linux 7.1 server with a zope webserver on it. I use
> > >>iptables as firewall. Following are the iptables rules for zope:
> > 
> > >>#=======================================================================
> > >>## Zope
> > >>iptables -A INPUT -i $IFACE -p tcp --dport 8080 -j ACCEPT
> > 
> > >># Allow inbound ftp
> > >>iptables -A INPUT  -i $IFACE -p tcp --dport 8021 -m state --state \
> > >> NEW,ESTABLISHED -j ACCEPT
> > >>iptables -A OUTPUT -o $IFACE -p tcp --sport 8021 -m state --state \
> > >> ESTABLISHED -j ACCEPT
> > >>#=======================================================================
> > 
> > >>I am trying to use ws_ftp to send files to the zope server via port 8021
> > >>(in ws_ftp session property->advanced I set remote port as 8021 and
> > >>checked passive transfers). If I stop iptables, I can connect to zope
> > >>via ftp (port 8021) and ftp files to zope. If iptables is on, it still
> > >>can connect to zope but I cannot see the directories in the remote site
> > >>text field of the ws_ftp window. It seems that it can connect to zope
> > >>but cannot display the directories in zope, and I failed to ftp to the
> > >>zope server.
> > 
> > >>Therefore, I believe the above iptables rules for zope have a problem.
> > >>How can I fix this problem and let zope ftp work?
> > >>Any suggestion will be greatly appreciated.
> > 
> > >>Jianping
> 
> 
>
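
The pieces of this thread combined into one rule set, as an added example that is not part of the original messages: the FTP conntrack helper is told that 8021 is a control port, the control port accepts new connections, and the passive data ports accept only ESTABLISHED,RELATED traffic. `IFACE` and `UP_PORTS` are the variable names from the thread with assumed values; `run`, `zope_ftp_rules` and `APPLY` are hypothetical names. By default the script only prints the commands.

```shell
#!/bin/sh
# Added example: Zope FTP on port 8021 with passive mode behind iptables.
# The values of IFACE and UP_PORTS are assumptions; the thread never shows them.
IFACE="${IFACE:-eth0}"
UP_PORTS="${UP_PORTS:-1024:65535}"
FTP_PORTS="21,8021"   # control ports the conntrack FTP helper must inspect

# Print each command; also execute it when APPLY=1 (requires root).
run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

zope_ftp_rules() {
    # Tell the helper that 8021 carries FTP so it parses PASV/PORT replies there.
    run /sbin/modprobe ip_conntrack_ftp ports="$FTP_PORTS"

    # Control channel: new and established connections to Zope's FTP port.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport 8021 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    run iptables -A OUTPUT -o "$IFACE" -p tcp --sport 8021 \
        -m state --state ESTABLISHED -j ACCEPT

    # Passive data channel: NEW is deliberately absent. A data connection is
    # accepted only when the helper has marked it RELATED to a control session,
    # so the unprivileged port range is not open to arbitrary connections.
    run iptables -A INPUT -i "$IFACE" -p tcp \
        --sport "$UP_PORTS" --dport "$UP_PORTS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -o "$IFACE" -p tcp \
        --sport "$UP_PORTS" --dport "$UP_PORTS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

zope_ftp_rules
```

On current kernels the helper module is named nf_conntrack_ftp, and automatic helper assignment is off by default, so the helper has to be attached explicitly with a CT target rule in the raw table.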