Best of Technical Support

How to FTP through an iptables Firewall

I've been trying to configure iptables to work properly with incoming SSH and FTP. For some reason, every time I want to FTP from a remote site, I have to disable the POLICY for the INPUT chain. Can you explain how to deal with this issue—configuring FTP and iptables together without having to disable the policy? I'm running Red Hat 8.0.


Ramiro Albarracin


ramiro@sergiolub.com

Without having your list of rules it is difficult to find the problem, but clearly some of the rules (in the INPUT chain) are preventing the traffic. Try adding LOG rules before each actual rule (in /var/log/messages) to see which one is causing the packets to stop. For example:

iptables -A INPUT -p TCP -s 0/0 -d 0/0  \
--dport ftp -j LOG --log-prefix  "FTP :"
iptables -A INPUT -p TCP -s 0/0 -d 0/0  \
--dport ftp -j ACCEPT



Mario Bittencourt


mneto@argo.com.br

You should read up on firewalling and FTP. Basically, FTP is a hard protocol to filter, and actually it's two protocols in one, depending on the client. Active FTP is not too hard to filter on the server side; you simply need to allow incoming connections on port 21 (the control connection). For passive FTP, however, the server doesn't open the data connection to the client; the client opens the data connection to you on some high TCP port (>1024). With iptables, you can make use of connection tracking, which opens only the one port used for that FTP connection:

iptables -A $IF -p tcp --dport ftp -j ACCEPT
# RELATED matches the first packet of the data connection that the FTP
# helper announces; ESTABLISHED is needed for the rest of that connection.
iptables -A $IF -p tcp --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT

You also have to load the ip_conntrack_ftp module for the above to work (modprobe ip_conntrack_ftp).


Marc Merlin


marc_bts@google.com
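The INPUT chain the two answers above add up to (DROP policy, SSH, the FTP control port, conntrack-tracked data ports, and a LOG rule for whatever is left), as an added shell script that is not part of the original column; the interface name eth0 is an assumption.

```shell
#!/bin/sh
# INPUT chain for a host serving SSH and FTP behind a DROP policy, relying
# on FTP connection tracking for the data connections. Added example, not
# from the column. With no argument the script prints the rules it would
# load; run it as root with the argument "apply" to load them.

IF=${IF:-eth0}   # assumption: interface facing the remote FTP clients

# One rule per line, without the leading "iptables". Only ESTABLISHED is
# accepted on any port; RELATED (the data connection the ip_conntrack_ftp
# helper announces) is accepted on the high ports alone.
firewall_rules() {
    cat <<EOF
-F INPUT
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i $IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $IF -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -i $IF -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
EOF
}

# Load the FTP helper (so the data connection is seen as RELATED to the
# control connection on port 21), then push every rule through iptables.
apply_rules() {
    modprobe ip_conntrack_ftp
    firewall_rules | while read -r rule; do
        eval "iptables $rule"
    done
}

# Number of rules appended to the chain; handy for a quick sanity check.
rule_count() {
    firewall_rules | grep -c '^-A INPUT'
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     firewall_rules ;;
esac
```

Anything that reaches the LOG rule shows up in /var/log/messages with the "INPUT drop: " prefix, which is the same trick Mario suggests for finding the rule that stops the packets.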

Synchronize Your Watches

How can I manually time synchronize my computer? When I install my distribution, Mandrake 9.0, it lets me choose an NTP source, but I don't leave my machine powered on all the time. How can I manually sync to be sure it's happening?


Rick Shores


rshores@ispwest.com

Simply run ntpdate timeserver. This command synchronizes your time to the time server and also reports how far off your clock was. You probably should follow this by saving the time to your hardware clock to preserve it if you reboot: hwclock --systohc.


Chad Robinson


crobinson@rfgonline.com

Dual-Boot System Skips LILO Menu

I had Red Hat 7.1 installed on my PC, with another partition used for Microsoft Windows. I recently re-installed Windows using mssetup. When the system reboots I am not being asked whether to switch to Windows or Linux. Now the system starts up directly in Windows. Is there some way to restore Linux?


Kunal S Doddanavar


kunal_s_d@indiatimes.com

Windows removed or disabled the Linux bootloader, which is LILO on Red Hat 7.1. Boot with your rescue floppy, mount your Linux root partition with, for example, mount /dev/hda1 /mnt and run lilo -R /mnt before rebooting. If you were running GRUB, grub-install should do the trick.


Marc Merlin


marc_bts@google.com

On newer Red Hat distributions that use the GRUB bootloader, boot from the rescue floppy and re-install GRUB with grub-install. If you didn't make a boot disk, boot with the first install CD in rescue mode.


Christopher Wingert


cwingert@qualcomm.com

Cleaning Up Old Kernels

I am using Red Hat Network to upgrade my software and keep it current. I have allowed the up2date program to include my kernel. Now my /boot partition is getting too full. How do I remove some of the old kernels? I really don't think I need five different kernels in /boot.


Bob Wooden


bobwooden@netwalk.com

Simply remove the undesired boot images. You could run rpm -qa | grep kernel to find which kernel packages you have installed, and use rpm -e to remove the older ones. As a suggestion, keep at least two options, so that if something goes wrong with the current one you have a backup.


Mario Bittencourt


mneto@argo.com.br

This is not only okay, it is a good administration habit. You should keep only useful kernels around, and generally only two are required: the primary kernel file and a backup in case something happens to the primary. Saving as many versions as you have is rarely necessary unless you have special requirements, such as if you are developing and testing kernel drivers.


Chad Robinson


crobinson@rfgonline.com
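The "keep the running kernel plus one backup" rule from the two answers above, as an added shell helper that is not part of the original column: it takes the output of rpm -qa and uname -r and prints only the packages that are safe to hand to rpm -e. The package names in the sample run are constructed.

```shell
#!/bin/sh
# Print the kernel packages that can be handed to rpm -e, keeping the running
# kernel plus the newest remaining one as a backup. Added example, not from
# the column. Typical call on the box:
#   removable_kernels "$(rpm -qa | grep '^kernel-[0-9]')" "$(uname -r)"
removable_kernels() {
    pkgs=$1        # installed kernel packages, one per line
    running=$2     # version-release of the running kernel, e.g. 2.4.20-13
    # Candidates are all packages except the running kernel, sorted oldest
    # first. Version and release are split into numeric sort keys, so that
    # 2.4.18-3 sorts before 2.4.18-14 (a plain text sort would not).
    candidates=$(printf '%s\n' "$pkgs" | grep -v -- "-$running\$" \
        | while read -r p; do
              # "kernel-2.4.18-14" -> "2 4 18 14 kernel-2.4.18-14"
              keys=$(printf '%s' "${p#kernel-}" | sed 's/[.-]/ /g')
              printf '%s %s\n' "$keys" "$p"
          done | sort -k1,1n -k2,2n -k3,3n -k4,4n | awk '{ print $NF }')
    # The newest candidate is the backup kernel: keep it, print the rest.
    printf '%s\n' "$candidates" | sed '$d'
}

# Constructed sample input for a stand-alone run (not a real rpm -qa listing).
SAMPLE='kernel-2.4.18-14
kernel-2.4.20-8
kernel-2.4.18-3
kernel-2.4.20-13'
removable_kernels "$SAMPLE" 2.4.20-13
```

The running kernel is never listed, so the worst case of removing everything printed is still the two-kernel setup both answers recommend.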

USB Flash Drive?

How do I mount a USB flash drive? I can see my flash drive when I check /proc/bus/usb/devices/. When I run the hardware browser, it shows up as hda4 (fat32), but I can't mount it or access the files.


Callum Benepe


callumb@yahoo.com

It looks like you do not have the usb-storage driver loaded, which is needed for this device. Take a look at the Linux USB Guide at www.linux-usb.org for more information on how to load the proper drivers and mount the device.


Greg Kroah-Hartman


greg@kroah.com

Support for Intel Video?

My video card is a built-in Intel 82845G/GL that fails with Linux (Red Hat 8.0). Linux probes it during installation but fails to start up in graphic mode; startx shows a fatal error.


Jafar Borhan


jafar_borhan@yahoo.com

Searching on Google, I found a page on how to configure a system with this video card, www.linuxcare.com/labs/certs/ibm/netvista-m42/rh80-config.epl. Upgrade the listed packages, then run Xconfigurator.


Marc Merlin


marc_bts@google.com

Connections Time Out

Telnet and SSH connections seem to time out and I get disconnected. I use tcsh for my shell, and the pty device I am logged in on is listed in /etc/securetty. This is not an issue with autologout. Even if I disable autologout, the connection still is dropped after about an hour. When this happens, the user still is listed as being logged in and the shell still is active. It has to be terminated by killing its process ID.


Floyd Miller


floyd@studiodust.org

This smells of a firewall-level issue. In common NAT and masquerading setups, if there is no traffic on a link for some time the router will forget about the connection, assuming it was closed improperly. This is because some clients do not issue closure requests correctly, and it would be unwise to allow these stale connections to continue to tie up kernel resources.


Chad Robinson


crobinson@rfgonline.com

You may be going through a NAT gateway that expires idle TCP connections after one hour of inactivity. Try (as root):

echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time

Then, when you use SSH, you should ask for keepalive TCP packets to keep the connection up:

ssh -o 'KeepAlive=yes' targethost



Marc Merlin


marc_bts@google.com

You can save typing and put:

ProtocolKeepAlives 300

in ~/.ssh/config to make SSH send keepalive packets for all connections every five minutes.


Don Marti


info@linuxjournal.com