Best of Technical Support
How to FTP through an iptables Firewall
I've been trying to configure iptables to work properly with
incoming SSH and FTP. For some reason, every time I want to FTP from a
remote site, I have to disable the POLICY for the INPUT chain. Can you
explain how to deal with this issue—configuring FTP and
iptables together without having to disable the policy? I'm running
Red Hat 8.0.
—
Ramiro Albarracin
ramiro@sergiolub.com
Without having your list of rules it is difficult to find the problem, but clearly some of the rules (in the INPUT chain) are preventing the traffic. Try adding LOG rules before each actual rule (in /var/log/messages) to see which one is causing the packets to stop. For example:
iptables -A INPUT -p TCP -s 0/0 -d 0/0 \
    --dport ftp -j LOG --log-prefix "FTP :"
iptables -A INPUT -p TCP -s 0/0 -d 0/0 \
    --dport ftp -j ACCEPT
—
Mario Bittencourt
mneto@argo.com.br
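As an added example (not part of the column), here is a shell function that summarizes the kernel LOG lines such rules write to /var/log/messages, counting packets by prefix, source and destination port, so the prefix tells you which rule each packet reached. The log lines are constructed, and "INPUT DROP :" is an assumed prefix for a last LOG rule placed just before the chain's DROP policy.

```shell
# Added example (not from the column): summarize iptables LOG output by
# --log-prefix, source and destination port. Give each LOG rule its own
# prefix and put one last LOG rule (prefix "INPUT DROP :", an assumed name)
# just before the DROP policy; packets that show up only there were
# accepted by nothing.
log_hits() {
    # Reads syslog text on stdin, prints "count prefix src dport", most first.
    awk '
        {
            k = index($0, "kernel: ")
            if (k == 0) next
            rest = substr($0, k + 8)          # text after "kernel: "
            p = index(rest, "IN=")            # LOG output always starts with IN=
            if (p == 0) next
            prefix = substr(rest, 1, p - 1)   # exactly what --log-prefix wrote
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            n[prefix " " src " " dpt]++
        }
        END { for (key in n) print n[key], key }
    ' | sort -rn
}

# Constructed sample of what such LOG rules write to /var/log/messages:
# two FTP control packets that reached the "FTP :" rule and one
# passive-mode data packet that fell through to the final LOG rule.
SAMPLE_LOG='Mar  3 10:12:01 fw kernel: FTP :IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=34567 DPT=21 SYN
Mar  3 10:12:01 fw kernel: FTP :IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=52 TTL=52 PROTO=TCP SPT=34567 DPT=21 ACK
Mar  3 10:12:02 fw kernel: INPUT DROP :IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 PROTO=TCP SPT=34570 DPT=40123 SYN'

printf '%s\n' "$SAMPLE_LOG" | log_hits
```

The data packet to port 40123 that only reaches the final LOG rule is the passive-mode connection no ACCEPT rule matched.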
You should read up on firewalling and FTP. Basically, FTP is a hard protocol to filter, and actually it's two protocols in one, depending on the client. Active FTP is not too hard to filter on the server side; you simply need to allow incoming connections on port 21 (the control connection). For passive FTP, however, the server doesn't open the data connection to the client; the client opens the data connection to you on some high TCP port (>1024). With iptables, you can make use of connection tracking, which opens only the one port used for that FTP connection:
iptables -A $IF -p tcp --dport ftp -j ACCEPT
iptables -A $IF -p tcp --dport 1024:65535 \
    -m state --state RELATED -j ACCEPT
You also have to load the ip_conntrack_ftp module for the above
to work (modprobe ip_conntrack_ftp).
—
Marc Merlin
marc_bts@google.com
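An added example, not from the column: a complete INPUT chain built along these lines, with a DROP policy kept in place, the ip_conntrack_ftp helper loaded, SSH and the FTP control port opened explicitly, and passive data connections admitted only when connection tracking marks them RELATED. The interface name eth0 and the DRY_RUN switch are assumptions; the script prints the commands unless DRY_RUN=0.

```shell
# Added example (not from the column): an INPUT chain with a DROP policy
# that still admits FTP, including passive-mode data connections, via
# connection tracking. Assumes the external interface is eth0. Commands are
# printed instead of executed unless DRY_RUN=0 (then run as root).
DRY_RUN=${DRY_RUN:-1}
IFACE=${IFACE:-eth0}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

ftp_ruleset() {
    # The helper that watches the FTP control channel for PORT/PASV
    # exchanges; without it nothing is ever marked RELATED.
    run modprobe ip_conntrack_ftp
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -i lo -j ACCEPT
    # Packets of connections already accepted: replies to our own traffic
    # and the rest of an accepted SSH or FTP control session.
    run iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
    # Explicitly opened services: SSH and the FTP control connection.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport ssh -m state --state NEW -j ACCEPT
    run iptables -A INPUT -i "$IFACE" -p tcp --dport ftp -m state --state NEW -j ACCEPT
    # Passive-mode data connection: the client connects to a high port the
    # server announced; accept it only when conntrack ties it to a control
    # session (RELATED), never as a bare NEW connection to a high port.
    run iptables -A INPUT -i "$IFACE" -p tcp --dport 1024:65535 \
        -m state --state RELATED -j ACCEPT
    # Anything left is about to hit the DROP policy; log it with a prefix
    # that names this point in the chain, so the log says what was dropped.
    run iptables -A INPUT -i "$IFACE" -j LOG --log-prefix "INPUT DROP :"
}

ftp_ruleset
```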
Synchronize Your Watches
How can I manually time synchronize my computer? When I
install my distribution, Mandrake 9.0, it lets me choose an
NTP source, but I don't leave my machine powered on all the time.
How can I manually sync to be sure it's happening?
—
Rick Shores
rshores@ispwest.com
Simply run ntpdate timeserver.
This command synchronizes your time to the
time server and also reports how far off
your clock was. You probably should follow this by
saving the time to your hardware clock to preserve
it if you reboot: hwclock --systohc.
—
Chad Robinson
crobinson@rfgonline.com
Dual-Boot System Skips LILO Menu
I had Red Hat 7.1 installed on my PC, with another
partition used for Microsoft Windows. I recently
re-installed Windows using mssetup.
When the system reboots I am not being asked whether
to switch to Windows or Linux. Now
the system starts up directly in Windows. Is there
some way to restore Linux?
—
Kunal S Doddanavar
kunal_s_d@indiatimes.com
Windows removed or disabled the Linux bootloader,
which is LILO on Red Hat 7.1. Boot with your
rescue floppy, mount your Linux root partition
with, for example, mount /dev/hda1 /mnt
and run lilo -R /mnt before rebooting. If you were
running GRUB, grub-install should do the trick.
—
Marc Merlin
marc_bts@google.com
On newer Red Hat distributions that use the
GRUB bootloader, boot from the rescue floppy and
re-install GRUB with grub-install.
If you didn't make a boot disk, boot with the
first install CD in rescue mode.
—
Christopher Wingert
cwingert@qualcomm.com
Cleaning Up Old Kernels
I am using Red Hat Network to upgrade my software
and keep it current. I have allowed the up2date
program to include my kernel. Now my /boot
partition is getting too full. How do I remove
some of the old kernels? I really don't think I
need five different kernels in /boot.
—
Bob Wooden
bobwooden@netwalk.com
Simply remove the undesired boot images. You could
run rpm -qa | grep kernel to find which kernel
packages you have installed, and use rpm -e to
remove the older ones. As a suggestion, keep at least two options, so that if
something goes wrong with the current one you have
a backup.
—
Mario Bittencourt
mneto@argo.com.br
This is not only okay, it is a good administration habit. You should
keep only useful kernels around, and generally only two are required: the
primary kernel file and a backup in case something happens to the primary.
Saving as many versions as you have is rarely necessary
unless you have special requirements, such as if you are developing and
testing kernel drivers.
—
Chad Robinson
crobinson@rfgonline.com
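An added example that is not part of either answer: a shell function that reads rpm -qa output and lists the kernel packages to hand to rpm -e, keeping the newest two as both answers suggest and never listing the running kernel (uname -r), which is the one package you must not remove. The package names are constructed.

```shell
# Added example (not from either answer): list the kernel packages that can
# be handed to rpm -e. Reads "rpm -qa" output on stdin, keeps the newest
# $1 versions (default 2) and never lists the running kernel, whose
# version is passed as $2 (normally "$(uname -r)").
old_kernels() {
    keep=${1:-2}
    running=$2
    grep '^kernel-[0-9]' |   # kernel image packages only; kernel-source, kernel-doc and -smp variants are skipped
    sort -V |                # GNU version sort: oldest first
    awk -v k="$keep" '
        { pkg[NR] = $0 }
        END { for (i = 1; i <= NR - k; i++) print pkg[i] }   # drop the newest k
    ' |
    grep -v "^kernel-${running}\$" || true   # exit 0 even when nothing is left
}

# Constructed rpm -qa output for a /boot with five kernels plus the
# kernel-source package, which must not be mistaken for a boot image.
SAMPLE_RPMS='kernel-2.4.18-14
kernel-source-2.4.18-14
kernel-2.4.18-19.8.0
kernel-2.4.20-8
kernel-2.4.20-13.8
kernel-2.4.20-18.8'

# With 2.4.20-8 running, only the two oldest are candidates for rpm -e:
printf '%s\n' "$SAMPLE_RPMS" | old_kernels 2 2.4.20-8
```

On a real system the pipeline is rpm -qa | old_kernels 2 "$(uname -r)", and each listed package is then removed with rpm -e.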
USB Flash Drive?
How do I mount a USB flash drive? I can see my flash drive when
I check /proc/bus/usb/devices/. When I run the hardware browser, it shows up
as hda4 (fat32), but I can't mount it or access the files.
—
Callum Benepe
callumb@yahoo.com
It looks like you do not have the usb-storage driver loaded, which is
needed for this device. Take a look at the Linux USB Guide at
www.linux-usb.org for more information on how to
load the proper drivers and mount the device.
—
Greg Kroah-Hartman
greg@kroah.com
Support for Intel Video?
My video card is a built-in Intel 82845G/GL that
fails with Linux (Red Hat 8.0). Linux probes it during
installation but fails to start up in graphic mode; startx shows a fatal
error.
—
Jafar Borhan
jafar_borhan@yahoo.com
Searching on Google, I found a page on
how to configure a system with this video card,
www.linuxcare.com/labs/certs/ibm/netvista-m42/rh80-config.epl.
Upgrade the listed packages, then run
Xconfigurator.
—
Marc Merlin
marc_bts@google.com
Connections Time Out
Telnet and SSH connections seem to time out and I get
disconnected. I use tcsh for my shell, and the pty device I am logged
in on is listed in /etc/securetty. This is not an issue with autologout.
Even if I disable autologout, the connection still is dropped after about
an hour. When this happens, the user still is listed as being logged in
and the shell still is active. It has to be terminated by killing its process
ID.
—
Floyd Miller
floyd@studiodust.org
This smells of a firewall-level issue. In common NAT and masquerading
setups, if there is no traffic on a link for some time the router
will forget about the connection, assuming it was closed improperly.
This is because some clients do not issue closure requests correctly,
and it would be unwise to allow these stale connections to continue to
tie up kernel resources.
—
Chad Robinson
crobinson@rfgonline.com
You may be going through a NAT gateway that expires idle TCP connections after one hour of inactivity. Try (as root):
echo 600 > /proc/sys/net/ipv4/tcp_keepalive_time
Then, when you use SSH, you should ask for keepalive TCP packets to keep the connection up:
ssh -o 'KeepAlive=yes' targethost
—
Marc Merlin
marc_bts@google.com
You can save typing and put:
ProtocolKeepAlives 300
in ~/.ssh/config to make SSH send keepalive packets for all connections every five minutes.
—
Don Marti
dmarti@ssc.com