Topic: FTP blocked for authenticated users

I was under the impression that ChilliSpot controls access via the tun0 interface, and allows connections on all ports through for authenticated users.  However, my authenticated users cannot access FTP.  Would this be a firewall issue, and if so, could someone recommend what rule(s) I need to add to allow FTP for authenticated users?  HTTP & HTTPS work fine for these users.  Thanks for any comments.

My iptables firewall script is below.


#!/bin/sh
# Interface roles: $EXTIF faces the Internet, $INTIF faces the access points,
# and tun0 is the interface ChilliSpot creates for its client VLAN.
IPTABLES="/usr/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

# Flush (Delete) any previous rules (all default tables):

#Flush the 'filter' table
$IPTABLES -F -t filter
#Flush the 'nat' table
$IPTABLES -F -t nat
#Flush the 'mangle' table
$IPTABLES -F -t mangle
#Flush the 'raw' table
$IPTABLES -F -t raw

# Default policies ('filter' table)
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Append the following rules to the 'filter' (default) table:

# Allow related and established on all interfaces (input).
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH (on custom port: 49155) on external interface $EXTIF
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 49155 --syn -j ACCEPT
# Allow HTTP on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 --syn -j ACCEPT
# Allow HTTPS on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 443 -j ACCEPT
# Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -j REJECT

# Related and established traffic from $INTIF was already accepted by the
#   RELATED,ESTABLISHED rule above. Drop everything else arriving on $INTIF.
$IPTABLES -A INPUT -i $INTIF -j DROP

# Allow HTTP and HTTPS on ChilliSpot VLAN (tun0) (This traffic terminates at
#   the Apache web server.):
# NOTE: the rules below carry no "-i" match, so they apply to any interface
#   not already handled above. Because $EXTIF was rejected and $INTIF dropped
#   earlier in the chain, in practice that leaves tun0 (and lo). Any other
#   interface added later would also be covered by them.
# Allow HTTP on ChilliSpot VLAN (tun0)
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
# Allow HTTPS on ChilliSpot VLAN (tun0)
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 443 -j ACCEPT
# Allow HTTP on 3990 (ChilliSpot web server's custom port) on ChilliSpot VLAN
#   (tun0)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
# Allow SSH on ChilliSpot VLAN (tun0) (on custom port: 49155), for testing.
$IPTABLES -A INPUT -p tcp -m tcp --dport 49155 --syn -j ACCEPT
# Allow unauthenticated users, on the ChilliSpot VLAN (tun0), to ping the server.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow everything on loopback interface (127.0.0.1).
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
#   ChilliSpot NOTE: This means that access points can only be managed from
#     ChilliSpot.
# Lock down rules - All forwarding goes through ChilliSpot. This allows it to
#   control user's access to the Net via its VLAN.
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

# Append the following rule to the 'nat' table:

# Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Enable IP Forwarding in the Kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

Re: FTP blocked for authenticated users

Try to add port 21 to be accepted or allowed in your iptables configuration.
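The rules below are an added example, not the poster's script or anything from the ChilliSpot project. They show what "allow port 21" looks like when done explicitly for the tun0 to eth0 path, and they add the piece that port 21 alone does not cover: FTP opens a second, dynamically numbered data connection, and the RELATED,ESTABLISHED rule in the poster's script only matches that data channel when the FTP connection-tracking helper (nf_conntrack_ftp, plus nf_nat_ftp behind MASQUERADE) is loaded and attached. On kernels since 4.7 helpers are no longer attached automatically, so the example binds the helper with a raw-table CT rule scoped to the ChilliSpot side only. Interface names, the helper name "ftp" and the MASQUERADE setup are assumptions taken from the script in the question. The script prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not the poster's script): FTP pass-through for authenticated
# ChilliSpot clients on tun0 going out via eth0. Interface names, the
# MASQUERADE setup and the 'ftp' helper name are assumptions matching the
# script in the question. Commands are printed unless APPLY=1 is set.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
EXTIF="${EXTIF:-eth0}"
CHILLIIF="${CHILLIIF:-tun0}"
APPLY="${APPLY:-0}"

# run_cmd: print the command (default, for review) or execute it (APPLY=1).
run_cmd() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# load_ftp_helpers: nf_conntrack_ftp parses PORT/PASV on the control channel
# so the data connection is classified RELATED; nf_nat_ftp rewrites the
# addresses inside those commands for masqueraded clients. Without them the
# RELATED,ESTABLISHED rule never matches the FTP data channel.
load_ftp_helpers() {
    run_cmd modprobe nf_conntrack_ftp
    run_cmd modprobe nf_nat_ftp
}

# attach_ftp_helper: since Linux 4.7 helpers are not attached automatically
# (nf_conntrack_helper defaults to 0). Bind the 'ftp' helper only to control
# connections coming from the ChilliSpot side, not to all port-21 traffic.
attach_ftp_helper() {
    run_cmd "$IPTABLES" -t raw -A PREROUTING -i "$CHILLIIF" -p tcp --dport 21 -j CT --helper ftp
}

# add_ftp_forward_rules: explicit forwarding rules that do not depend on the
# FORWARD policy being ACCEPT: related/returning traffic in both directions,
# then new control connections to port 21 from tun0 towards the Internet only.
add_ftp_forward_rules() {
    run_cmd "$IPTABLES" -A FORWARD -i "$CHILLIIF" -o "$EXTIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run_cmd "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$CHILLIIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    run_cmd "$IPTABLES" -A FORWARD -i "$CHILLIIF" -o "$EXTIF" -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# ftp_ruleset: the complete ordered list of commands, one per line.
ftp_ruleset() {
    load_ftp_helpers
    attach_ftp_helper
    add_ftp_forward_rules
}

# rule_count: number of commands the ruleset produces (for checking).
rule_count() {
    ftp_ruleset | wc -l | tr -d ' '
}

ftp_ruleset
```

Run it once without APPLY to read the six commands it would issue, then with APPLY=1 as root after the main firewall script (which flushes the raw table, so the CT rule must be added afterwards). The FORWARD rules are ordered so that the stateful matches come first and only new port-21 connections from tun0 are accepted, which is the least-privilege form of the reply's suggestion; if the data channel still fails after this, the helper modules are the first thing to check with lsmod.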