Chinaunix forum thread, page 1 of 3. Views: 4828, replies: 21.
Help: iptables prevents ftp get (problem solved, now studying the principle)

#1 Posted 2010-12-10 13:38 (last edited by softstar8028 on 2010-12-10 17:05)

The Linux OS is Red Hat Enterprise Linux Server release 5.3 (Tikanga).
The FTP server is installed on Windows 2003 Server, running Serv-U 9.4.0.0.
The FTP port is the default, 21.
The iptables configuration is as follows:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

With iptables enabled, I cannot get files from the FTP server;
with iptables turned off, get works normally.

Do I need to configure a port for get in iptables?

#2 Posted 2010-12-10 13:41
Reply to #1 softstar8028

Just open the corresponding port in the firewall!

#3 Posted 2010-12-10 13:47
Is port 21 open? Open 20 as well.

#4 Posted 2010-12-10 13:50
That makes no sense. The FTP server is on Windows; what does it have to do with iptables on Linux?

#5 Posted 2010-12-10 13:56
Ports 21 and 20 are both open on Windows; there is no need to open them on Linux, is there?

#6 Posted 2010-12-10 14:02 (last edited by softstar8028 on 2010-12-10 14:07)

With iptables enabled, I captured with
tcpdump -i eth0 host 156.156.133.143 and port 21
Result:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:00:06.652101 IP localhost.35127 > localhost.ftp: S 1273421136:1273421136(0) win 5840 <mss 1460,sackOK,timestamp 938975448 0,nop,wscale 7>
14:00:06.652448 IP localhost.ftp > localhost.35127: S 2270442675:2270442675(0) ack 1273421137 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
14:00:06.652464 IP localhost.35127 > localhost.ftp: . ack 1 win 46 <nop,nop,timestamp 938975449 0>
14:00:06.656068 IP localhost.ftp > localhost.35127: P 1:38(37) ack 1 win 17520 <nop,nop,timestamp 767610 938975448>
14:00:06.656095 IP localhost.35127 > localhost.ftp: . ack 38 win 46 <nop,nop,timestamp 938975452 767610>
14:00:06.656151 IP localhost.35127 > localhost.ftp: P 1:16(15) ack 38 win 46 <nop,nop,timestamp 938975452 767610>
14:00:06.661108 IP localhost.ftp > localhost.35127: P 38:74(36) ack 16 win 17505 <nop,nop,timestamp 767610 938975452>
14:00:06.661208 IP localhost.35127 > localhost.ftp: P 16:38(22) ack 74 win 46 <nop,nop,timestamp 938975457 767610>
14:00:06.664404 IP localhost.ftp > localhost.35127: P 74:104(30) ack 38 win 17483 <nop,nop,timestamp 767610 938975457>
14:00:06.664591 IP localhost.35127 > localhost.ftp: P 38:45(7) ack 104 win 46 <nop,nop,timestamp 938975461 767610>
14:00:06.666863 IP localhost.ftp > localhost.35127: P 104:132(28) ack 45 win 17476 <nop,nop,timestamp 767610 938975461>
14:00:06.666963 IP localhost.35127 > localhost.ftp: P 45:53(8) ack 132 win 46 <nop,nop,timestamp 938975463 767610>
14:00:06.667658 IP localhost.ftp > localhost.35127: P 132:152(20) ack 53 win 17468 <nop,nop,timestamp 767610 938975463>
14:00:06.668017 IP localhost.35127 > localhost.ftp: P 53:75(22) ack 152 win 46 <nop,nop,timestamp 938975464 767610>
14:00:06.670987 IP localhost.ftp > localhost.35127: P 152:195(43) ack 75 win 17446 <nop,nop,timestamp 767610 938975464>
14:00:06.671163 IP localhost.35127 > localhost.ftp: P 75:99(24) ack 195 win 46 <nop,nop,timestamp 938975467 767610>
14:00:06.671871 IP localhost.ftp > localhost.35127: P 195:225(30) ack 99 win 17422 <nop,nop,timestamp 767610 938975467>
14:00:06.671960 IP localhost.35127 > localhost.ftp: P 99:115(16) ack 225 win 46 <nop,nop,timestamp 938975468 767610>
14:00:06.678523 IP localhost.ftp > localhost.35127: P 225:294(69) ack 115 win 17406 <nop,nop,timestamp 767610 938975468>
14:00:06.718495 IP localhost.35127 > localhost.ftp: . ack 294 win 46 <nop,nop,timestamp 938975515 767610>
14:00:27.823179 IP localhost.ftp > localhost.35127: P 294:328(34) ack 115 win 17406 <nop,nop,timestamp 767822 938975515>
14:00:27.823200 IP localhost.35127 > localhost.ftp: . ack 328 win 46 <nop,nop,timestamp 938996620 767822>

After turning off the firewall, I captured again:
tcpdump -i eth0 host 156.156.133.143 and port 21
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:57:33.985874 IP localhost.35125 > localhost.ftp: S 1114694053:1114694053(0) win 5840 <mss 1460,sackOK,timestamp 938822780 0,nop,wscale 7>
13:57:33.986234 IP localhost.ftp > localhost.35125: S 2017331669:2017331669(0) ack 1114694054 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
13:57:33.986249 IP localhost.35125 > localhost.ftp: . ack 1 win 46 <nop,nop,timestamp 938822781 0>
13:57:33.989948 IP localhost.ftp > localhost.35125: P 1:38(37) ack 1 win 17520 <nop,nop,timestamp 766083 938822780>
13:57:33.990027 IP localhost.35125 > localhost.ftp: . ack 38 win 46 <nop,nop,timestamp 938822784 766083>
13:57:33.990092 IP localhost.35125 > localhost.ftp: P 1:16(15) ack 38 win 46 <nop,nop,timestamp 938822784 766083>
13:57:33.995128 IP localhost.ftp > localhost.35125: P 38:74(36) ack 16 win 17505 <nop,nop,timestamp 766083 938822784>
13:57:33.995293 IP localhost.35125 > localhost.ftp: P 16:38(22) ack 74 win 46 <nop,nop,timestamp 938822790 766083>
13:57:33.998499 IP localhost.ftp > localhost.35125: P 74:104(30) ack 38 win 17483 <nop,nop,timestamp 766083 938822790>
13:57:33.998635 IP localhost.35125 > localhost.ftp: P 38:45(7) ack 104 win 46 <nop,nop,timestamp 938822793 766083>
13:57:34.000892 IP localhost.ftp > localhost.35125: P 104:132(28) ack 45 win 17476 <nop,nop,timestamp 766083 938822793>
13:57:34.000993 IP localhost.35125 > localhost.ftp: P 45:53(8) ack 132 win 46 <nop,nop,timestamp 938822795 766083>
13:57:34.001702 IP localhost.ftp > localhost.35125: P 132:152(20) ack 53 win 17468 <nop,nop,timestamp 766083 938822795>
13:57:34.002095 IP localhost.35125 > localhost.ftp: P 53:75(22) ack 152 win 46 <nop,nop,timestamp 938822796 766083>
13:57:34.005065 IP localhost.ftp > localhost.35125: P 152:195(43) ack 75 win 17446 <nop,nop,timestamp 766083 938822796>
13:57:34.005274 IP localhost.35125 > localhost.ftp: P 75:99(24) ack 195 win 46 <nop,nop,timestamp 938822799 766083>
13:57:34.006039 IP localhost.ftp > localhost.35125: P 195:225(30) ack 99 win 17422 <nop,nop,timestamp 766083 938822799>
13:57:34.006147 IP localhost.35125 > localhost.ftp: P 99:115(16) ack 225 win 46 <nop,nop,timestamp 938822800 766083>
13:57:34.012840 IP localhost.ftp > localhost.35125: P 225:294(69) ack 115 win 17406 <nop,nop,timestamp 766084 938822800>
13:57:34.052307 IP localhost.35125 > localhost.ftp: . ack 294 win 46 <nop,nop,timestamp 938822847 766084>
13:57:34.052454 IP localhost.ftp > localhost.35125: P 294:356(62) ack 115 win 17406 <nop,nop,timestamp 766084 938822847>
13:57:34.052543 IP localhost.35125 > localhost.ftp: . ack 356 win 46 <nop,nop,timestamp 938822847 766084>
13:57:34.053299 IP localhost.35125 > localhost.ftp: P 115:137(22) ack 356 win 46 <nop,nop,timestamp 938822848 766084>
13:57:34.056377 IP localhost.ftp > localhost.35125: P 356:399(43) ack 137 win 17384 <nop,nop,timestamp 766084 938822848>
13:57:34.056518 IP localhost.35125 > localhost.ftp: P 137:160(23) ack 399 win 46 <nop,nop,timestamp 938822851 766084>
13:57:34.057384 IP localhost.ftp > localhost.35125: P 399:429(30) ack 160 win 17361 <nop,nop,timestamp 766084 938822851>
13:57:34.057449 IP localhost.35125 > localhost.ftp: P 160:176(16) ack 429 win 46 <nop,nop,timestamp 938822852 766084>
13:57:34.060098 IP localhost.ftp > localhost.35125: P 429:489(60) ack 176 win 17345 <nop,nop,timestamp 766084 938822852>
13:57:34.060585 IP localhost.35125 > localhost.ftp: P 176:182(6) ack 489 win 46 <nop,nop,timestamp 938822855 766084>
13:57:34.061288 IP localhost.ftp > localhost.35125: P 489:520(31) ack 182 win 17339 <nop,nop,timestamp 766084 938822855>
13:57:34.061328 IP localhost.35125 > localhost.ftp: F 182:182(0) ack 520 win 46 <nop,nop,timestamp 938822856 766084>
13:57:34.061464 IP localhost.ftp > localhost.35125: . ack 183 win 17339 <nop,nop,timestamp 766084 938822856>
13:57:34.061495 IP localhost.ftp > localhost.35125: R 520:520(0) ack 183 win 0
13:57:34.087684 IP localhost.35126 > localhost.ftp: S 1116349755:1116349755(0) win 5840 <mss 1460,sackOK,timestamp 938822882 0,nop,wscale 7>
13:57:34.087818 IP localhost.ftp > localhost.35126: S 1525898079:1525898079(0) ack 1116349756 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
13:57:34.087828 IP localhost.35126 > localhost.ftp: . ack 1 win 46 <nop,nop,timestamp 938822882 0>
13:57:34.091116 IP localhost.ftp > localhost.35126: P 1:38(37) ack 1 win 17520 <nop,nop,timestamp 766084 938822882>
13:57:34.091272 IP localhost.35126 > localhost.ftp: . ack 38 win 46 <nop,nop,timestamp 938822885 766084>
13:57:34.091319 IP localhost.35126 > localhost.ftp: P 1:16(15) ack 38 win 46 <nop,nop,timestamp 938822886 766084>
13:57:34.096087 IP localhost.ftp > localhost.35126: P 38:74(36) ack 16 win 17505 <nop,nop,timestamp 766084 938822886>
13:57:34.096375 IP localhost.35126 > localhost.ftp: P 16:38(22) ack 74 win 46 <nop,nop,timestamp 938822891 766084>
13:57:34.099501 IP localhost.ftp > localhost.35126: P 74:104(30) ack 38 win 17483 <nop,nop,timestamp 766084 938822891>
13:57:34.099603 IP localhost.35126 > localhost.ftp: P 38:45(7) ack 104 win 46 <nop,nop,timestamp 938822894 766084>
13:57:34.101824 IP localhost.ftp > localhost.35126: P 104:132(28) ack 45 win 17476 <nop,nop,timestamp 766084 938822894>
13:57:34.101915 IP localhost.35126 > localhost.ftp: P 45:53(8) ack 132 win 46 <nop,nop,timestamp 938822896 766084>
13:57:34.102563 IP localhost.ftp > localhost.35126: P 132:152(20) ack 53 win 17468 <nop,nop,timestamp 766084 938822896>
13:57:34.102824 IP localhost.35126 > localhost.ftp: P 53:75(22) ack 152 win 46 <nop,nop,timestamp 938822897 766084>
13:57:34.105783 IP localhost.ftp > localhost.35126: P 152:195(43) ack 75 win 17446 <nop,nop,timestamp 766084 938822897>
13:57:34.105890 IP localhost.35126 > localhost.ftp: P 75:99(24) ack 195 win 46 <nop,nop,timestamp 938822900 766084>
13:57:34.106582 IP localhost.ftp > localhost.35126: P 195:225(30) ack 99 win 17422 <nop,nop,timestamp 766084 938822900>
13:57:34.106624 IP localhost.35126 > localhost.ftp: P 99:115(16) ack 225 win 46 <nop,nop,timestamp 938822901 766084>
13:57:34.113230 IP localhost.ftp > localhost.35126: P 225:294(69) ack 115 win 17406 <nop,nop,timestamp 766084 938822901>
13:57:34.152472 IP localhost.35126 > localhost.ftp: . ack 294 win 46 <nop,nop,timestamp 938822947 766084>
13:57:34.152608 IP localhost.ftp > localhost.35126: P 294:356(62) ack 115 win 17406 <nop,nop,timestamp 766085 938822947>
13:57:34.152657 IP localhost.35126 > localhost.ftp: . ack 356 win 46 <nop,nop,timestamp 938822947 766085>
13:57:34.153302 IP localhost.35126 > localhost.ftp: P 115:137(22) ack 356 win 46 <nop,nop,timestamp 938822948 766085>
13:57:34.156257 IP localhost.ftp > localhost.35126: P 356:399(43) ack 137 win 17384 <nop,nop,timestamp 766085 938822948>
13:57:34.156439 IP localhost.35126 > localhost.ftp: P 137:161(24) ack 399 win 46 <nop,nop,timestamp 938822951 766085>
13:57:34.157246 IP localhost.ftp > localhost.35126: P 399:429(30) ack 161 win 17360 <nop,nop,timestamp 766085 938822951>
13:57:34.157313 IP localhost.35126 > localhost.ftp: P 161:177(16) ack 429 win 46 <nop,nop,timestamp 938822952 766085>
13:57:34.159975 IP localhost.ftp > localhost.35126: P 429:489(60) ack 177 win 17344 <nop,nop,timestamp 766085 938822952>
13:57:34.160379 IP localhost.35126 > localhost.ftp: P 177:183(6) ack 489 win 46 <nop,nop,timestamp 938822955 766085>
13:57:34.161072 IP localhost.ftp > localhost.35126: P 489:520(31) ack 183 win 17338 <nop,nop,timestamp 766085 938822955>
13:57:34.161154 IP localhost.35126 > localhost.ftp: F 183:183(0) ack 520 win 46 <nop,nop,timestamp 938822955 766085>
13:57:34.161334 IP localhost.ftp > localhost.35126: . ack 184 win 17338 <nop,nop,timestamp 766085 938822955>
13:57:34.161357 IP localhost.ftp > localhost.35126: R 520:520(0) ack 184 win 0

The corresponding FTP server log:
16:41:28 - Domain started
16:41:28 - FTP server listening on port 21, IP 156.156.133.144
16:50:20 - (000001) Connected to 156.156.133.143 (local address 156.156.133.144, port 21)
16:50:20 - (000001) IP-Name: ftp8 (156.156.133.143)
16:50:21 - (000001) User "filesenter" logged in
16:50:21 - (000001) Sending file "E:\app_file_srv\file_app\RTRes\WebRoot\res_base\article_content\125_1.txt"
17:00:42 - (000001) Session idle timeout
17:00:42 - (000001) Session closed
17:00:42 - (000001) User "filesenter" logged out
17:07:36 - (000002) Connected to 156.156.133.143 (local address 156.156.133.144, port 21)
17:07:36 - (000002) IP-Name: ftp8 (156.156.133.143)
17:07:36 - (000002) User "filesenter" logged in
17:07:36 - (000002) Sending file "E:\app_file_srv\file_app\RTRes\WebRoot\res_base\article_content\125_1.txt"
17:17:58 - (000002) Session idle timeout
17:17:58 - (000002) Session closed
17:17:58 - (000002) User "filesenter" logged out
17:27:23 - (000003) Connected to 156.156.133.143 (local address 156.156.133.144, port 21)
17:27:23 - (000003) IP-Name: ftp8 (156.156.133.143)
17:27:42 - (000003) User "filesenter" logged in
17:28:29 - (000003) Sending file "E:\app_file_srv\file_app\RTRes\WebRoot\res_base\article_content\125_1.txt"
17:28:29 - (000003) File "E:\app_file_srv\file_app\RTRes\WebRoot\res_base\article_content\125_1.txt" sent successfully (1.20 KB/s - 1,224 bytes)
17:29:14 - (000003) User "filesenter" logged out
17:29:14 - (000003) Session closed
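Both captures in post #6 were taken with a `port 21` filter, so they show only the control channel; the data connection that the server opens back towards the client never appears in them. What the firewall-on capture does show is the control channel going silent for 21 seconds after the server's 69-byte reply and never closing, while with the firewall off the same point is followed within 40 ms by a further 62-byte reply and a normal FIN. The script below is an added example, not part of the thread: it parses tcpdump's old-style output exactly as posted (the two capture excerpts embedded in it are copied from the posts above, with the forum's stray spaces in `( 28 )` tolerated), groups packets into sessions by the client's ephemeral port, and flags a session as stalled when it goes quiet without ever closing. The 5-second stall threshold is an assumption.

```python
import re

# Excerpt of the control-channel capture posted in the thread, firewall on.
CAPTURE_FIREWALL_ON = """\
14:00:06.652101 IP localhost.35127 > localhost.ftp: S 1273421136:1273421136(0) win 5840 <mss 1460,sackOK,timestamp 938975448 0,nop,wscale 7>
14:00:06.652448 IP localhost.ftp > localhost.35127: S 2270442675:2270442675(0) ack 1273421137 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK>
14:00:06.652464 IP localhost.35127 > localhost.ftp: . ack 1 win 46 <nop,nop,timestamp 938975449 0>
14:00:06.656068 IP localhost.ftp > localhost.35127: P 1:38(37) ack 1 win 17520 <nop,nop,timestamp 767610 938975448>
14:00:06.671960 IP localhost.35127 > localhost.ftp: P 99:115(16) ack 225 win 46 <nop,nop,timestamp 938975468 767610>
14:00:06.678523 IP localhost.ftp > localhost.35127: P 225:294(69) ack 115 win 17406 <nop,nop,timestamp 767610 938975468>
14:00:27.823179 IP localhost.ftp > localhost.35127: P 294:328(34) ack 115 win 17406 <nop,nop,timestamp 767822 938975515>
"""

# Same point in the exchange with the firewall off: the 69-byte reply is
# followed by a 62-byte one and the client closes the session normally.
CAPTURE_FIREWALL_OFF = """\
13:57:34.006147 IP localhost.35125 > localhost.ftp: P 99:115(16) ack 225 win 46 <nop,nop,timestamp 938822800 766083>
13:57:34.012840 IP localhost.ftp > localhost.35125: P 225:294(69) ack 115 win 17406 <nop,nop,timestamp 766084 938822800>
13:57:34.052454 IP localhost.ftp > localhost.35125: P 294:356(62) ack 115 win 17406 <nop,nop,timestamp 766084 938822847>
13:57:34.061328 IP localhost.35125 > localhost.ftp: F 182:182(0) ack 520 win 46 <nop,nop,timestamp 938822856 766084>
13:57:34.061495 IP localhost.ftp > localhost.35125: R 520:520(0) ack 183 win 0
"""

# One line of tcpdump's old default TCP output as used in the thread: time,
# endpoints, flag letters, then an optional seq range with the payload length
# in parentheses. The forum inserted spaces inside some parentheses, "( 28 )",
# so the length group tolerates whitespace.
PKT = re.compile(
    r'^(\d\d):(\d\d):(\d\d\.\d+) IP (\S+)\.(\S+) > (\S+)\.(\S+): ([SPFR.]+)'
    r'(?: (\d+):(\d+)\(\s*(\d+)\s*\))?'
)


def summarize_sessions(capture, server_port='ftp', stall_seconds=5.0):
    """Group packets by the client's ephemeral port and report, per session,
    payload bytes each way, the longest silence, and whether the connection
    was ever closed (FIN or RST seen). A session that goes quiet for longer
    than stall_seconds and never closes is reported as stalled."""
    sessions = {}
    for line in capture.splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue
        hh, mm, ss, _src, sport, _dst, dport, flags, _b, _e, length = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + float(ss)
        payload = int(length) if length else 0
        from_server = sport == server_port
        key = dport if from_server else sport
        s = sessions.setdefault(key, {
            'to_server': 0, 'from_server': 0, 'closed': False,
            'longest_silence': 0.0, 'last_seen': None,
        })
        if s['last_seen'] is not None:
            s['longest_silence'] = max(s['longest_silence'], t - s['last_seen'])
        s['last_seen'] = t
        s['from_server' if from_server else 'to_server'] += payload
        if 'F' in flags or 'R' in flags:
            s['closed'] = True
    for s in sessions.values():
        # A control channel that goes quiet mid-transfer and is never closed
        # is the signature of a data connection that could not be opened.
        s['stalled'] = (not s['closed']) and s['longest_silence'] >= stall_seconds
    return sessions


if __name__ == '__main__':
    for label, cap in (('firewall on', CAPTURE_FIREWALL_ON),
                       ('firewall off', CAPTURE_FIREWALL_OFF)):
        for port, s in summarize_sessions(cap).items():
            print(f"{label}: client port {port}: {s['to_server']} B up, "
                  f"{s['from_server']} B down, longest silence "
                  f"{s['longest_silence']:.3f}s, closed={s['closed']}, stalled={s['stalled']}")
```

To see the blocked connection itself rather than infer it, repeat the capture without the `port 21` filter (and with `-n`, which also stops tcpdump labelling both hosts `localhost`): with the ruleset above in force, the expected picture is an inbound SYN from the server to a high port on the client followed by the ICMP host-prohibited that the final REJECT rule sends back.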

#7 Posted 2010-12-10 14:17
Sorry, I didn't read carefully; the FTP server is on Windows!

Your Linux box is effectively the client, so it talks to the FTP server from a random high port.

The Linux firewall opens only a few ports, so....

#8 Posted 2010-12-10 14:23
I'm not very familiar with iptables. When the machine running iptables connects to the Windows FTP server it uses a random port; do I need to open every port above 1024? But wouldn't that defeat the purpose of the firewall?

#9 Posted 2010-12-10 14:31
Reply to #8 softstar8028

Yes, opening too many is unsafe. That is the trade-off between active and passive FTP; each has its pros and cons.

It depends what this Linux box is for. If it isn't acting as a server there's no need to worry about the firewall.
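Post #8 asks whether every port above 1024 has to be opened and post #9 points at the active/passive trade-off. The mechanism behind the failure, stated here as an explanation added to the thread rather than taken from it: the Linux box is the FTP client, and in active mode (the default of the command-line `ftp` client) it sends `PORT h1,h2,h3,h4,p1,p2` on the control channel, after which the server connects back from port 20 to the high port `p1*256+p2` on the client. The rule `-m state --state ESTABLISHED,RELATED -j ACCEPT` in post #1 would accept that inbound connection as RELATED, but only when the kernel's FTP connection-tracking helper has read the PORT command and registered an expectation for it. Without the helper the server's SYN is NEW, falls through to `REJECT --reject-with icmp-host-prohibited`, and the control channel stalls exactly as the captures show. On RHEL 5 the helper module is `ip_conntrack_ftp` (`nf_conntrack_ftp` on later kernels); it can be loaded with `modprobe ip_conntrack_ftp`, or persistently via `IPTABLES_MODULES="ip_conntrack_ftp"` in `/etc/sysconfig/iptables-config`, and no port needs to be opened at all. The Python below is an added model of what the helper does and of how the alternatives proposed in the thread compare (it goes beyond the thread by also scoring an unrelated inbound probe); the client data port 35129, the probe address 203.0.113.9 and the probe port 31337 are constructed, and NAT handling is left out.

```python
import re
from dataclasses import dataclass, field

# Addresses from the thread: the Linux client running iptables and the
# Windows Serv-U server. The data port the client announces is constructed.
CLIENT = '156.156.133.143'
SERVER = '156.156.133.144'

# Ports the posted ruleset accepts in state NEW (80, 10000 and 631).
OPEN_PORTS = {80, 10000, 631}

PORT_CMD = re.compile(
    r'^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$')


@dataclass
class Expectation:
    """What the kernel FTP helper records after seeing PORT h1,h2,h3,h4,p1,p2:
    the server end of the control connection may open one TCP connection,
    from any source port, to client_ip:client_port."""
    server_ip: str
    client_ip: str
    client_port: int
    used: bool = False


@dataclass
class FtpHelper:
    """Model of ip_conntrack_ftp / nf_conntrack_ftp expectation handling
    for active mode (the part that decides RELATED versus NEW)."""
    expectations: list = field(default_factory=list)

    def on_control_line(self, client_ip, server_ip, line):
        """Inspect one client-to-server control-channel line; returns the
        expectation created for a valid PORT command, else None."""
        m = PORT_CMD.match(line.strip())
        if not m:
            return None                       # not a PORT command: nothing to expect
        h = list(map(int, m.groups()))
        addr = '.'.join(map(str, h[:4]))
        port = h[4] * 256 + h[5]
        # With the module's default (loose=0) the helper only honours a PORT
        # whose address is the control connection's own client address, so a
        # client cannot make the firewall expect a connection to a third host.
        if addr != client_ip or any(x > 255 for x in h[:4]) or not 0 < port <= 65535:
            return None
        exp = Expectation(server_ip, client_ip, port)
        self.expectations.append(exp)
        return exp

    def is_related(self, src_ip, dst_ip, dst_port):
        """Consume a matching expectation: that one connection is RELATED;
        a later, separate connection to the same port is NEW again."""
        for exp in self.expectations:
            if not exp.used and (src_ip, dst_ip, dst_port) == (
                    exp.server_ip, exp.client_ip, exp.client_port):
                exp.used = True
                return True
        return False


def classify_inbound_syn(src_ip, src_port, dst_ip, dst_port, helper=None, extra_rule=None):
    """Decide an inbound TCP SYN the way the posted INPUT chain would, in rule
    order. helper=None models the FTP helper module not being loaded.
    extra_rule models the workarounds suggested in the thread:
      'sport-20'        also accept NEW from source port 20 (post #3)
      'open-high-ports' also accept NEW to any port above 1024 (post #8)
    Returns (verdict, reason)."""
    if helper is not None and helper.is_related(src_ip, dst_ip, dst_port):
        return 'ACCEPT', 'RELATED: matches the expectation created by PORT'
    if dst_port in OPEN_PORTS:
        return 'ACCEPT', f'NEW to explicitly opened port {dst_port}'
    if extra_rule == 'sport-20' and src_port == 20:
        return 'ACCEPT', 'NEW from source port 20 (any host can choose that source port)'
    if extra_rule == 'open-high-ports' and dst_port > 1024:
        return 'ACCEPT', 'NEW to a port above 1024 (any host, any high port)'
    return 'REJECT', 'icmp-host-prohibited: NEW and not RELATED'


if __name__ == '__main__':
    helper = FtpHelper()
    helper.on_control_line(CLIENT, SERVER, 'PORT 156,156,133,143,137,57')
    data_syn = (SERVER, 20, CLIENT, 35129)      # the server's active-mode data connection
    probe = ('203.0.113.9', 20, CLIENT, 31337)  # unrelated host, deliberately using source port 20
    print('data connection, helper not loaded:', classify_inbound_syn(*data_syn))
    print('data connection, helper loaded:    ', classify_inbound_syn(*data_syn, helper=helper))
    print('probe with helper only:            ', classify_inbound_syn(*probe, helper=helper))
    for rule in ('sport-20', 'open-high-ports'):
        print(f'probe with {rule}:', classify_inbound_syn(*probe, extra_rule=rule))
```

The two workarounds accept the probe to port 31337 as readily as the real data connection, whereas the helper accepts only the single connection the client announced, once. Passive mode sidesteps the problem from the other side: the client opens the data connection itself, OUTPUT is ACCEPT and the replies are ESTABLISHED, so typing `passive` in the `ftp` client before `get` is a quick way to confirm the diagnosis without touching the firewall.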

#10 Posted 2010-12-10 14:32
OP, FTP is a multi-port service, so your iptables setup is quite problematic.

See
http://www.google.com.hk/search? ... lla:zh-CN