
I have a CentOS 5 SolusVM Node set up and running. The VPS units are running fine and everything seemed to be working, until yesterday when I found that not a single VPS could be accessed through FTP. I checked and double-checked the VPS units' configs for FTP. It's all good.

I can even connect to each single VPS unit's FTP from the main Node by doing this:

ftp IP
User:
Pass:

It connects and does a directory listing just fine. But if I try to connect from any other machine outside of the Node to an FTP inside the Node, it just doesn't work. It times out on the directory listing:

425 Unable to build data connection: No route to host

Now, I've tried disabling IPTables inside each VPS; that doesn't fix anything. And since the Node can connect just fine, that can't be it.

So I checked IPTables on the Node to see what was happening there. If I disable the Host Node's IPTables, FTP works from anywhere to any VPS!

service iptables stop

So I checked the IPTables ruleset, and this is the strangest part: IPTables has two rulesets!

If I run:

iptables -L

I get one ruleset:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
SOLUSVM_TRAFFIC_IN  all  --  anywhere             anywhere            
SOLUSVM_TRAFFIC_OUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain SOLUSVM_TRAFFIC_IN (1 references)
target     prot opt source               destination         
           all  --  anywhere             worldopportunitiesunlimited.com 
           all  --  anywhere             worldopportunitiesunlimited.com 

Chain SOLUSVM_TRAFFIC_OUT (1 references)
target     prot opt source               destination         
           all  --  worldopportunitiesunlimited.com  anywhere            
           all  --  worldopportunitiesunlimited.com  anywhere

That domain that shows up, I have no clue what it is; I've never seen it before. So I ran a grep for that domain inside /etc/sysconfig and didn't find anything with that domain.

So then I ran:

service iptables status

This command gave me the standard IPTables ruleset for SolusVM:

Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Table: mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         

Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    SOLUSVM_TRAFFIC_IN  all  --  0.0.0.0/0            0.0.0.0/0           
2    SOLUSVM_TRAFFIC_OUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain SOLUSVM_TRAFFIC_IN (1 references)
num  target     prot opt source               destination         
1               all  --  0.0.0.0/0            IP1        
2               all  --  0.0.0.0/0            IP2

Chain SOLUSVM_TRAFFIC_OUT (1 references)
num  target     prot opt source               destination         
1               all  --  IP1         0.0.0.0/0           
2               all  --  IP2         0.0.0.0/0

If I run iptables -F it flushes fine. But FTP still doesn't work. FTP is only accessible if I run service iptables stop.

Now, when I restart IPTables here is the list of modules that shows up:

Loading additional iptables modules: ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_ow

When I restart IPTables that first ruleset comes back even after flushing it.

I checked the file /etc/sysconfig/iptables and it has the second ruleset in it. I've also tried iptables-restore < /etc/sysconfig/iptables but this doesn't seem to replace the first weird ruleset.

All of this being said, this machine has only ever been accessed by me. It is a brand new install from two days ago.

EDIT

# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*filter
:INPUT ACCEPT [17254:1825032]
:FORWARD ACCEPT [735270:692897288]
:OUTPUT ACCEPT [19783:3216097]
:SOLUSVM_TRAFFIC_IN - [0:0]
:SOLUSVM_TRAFFIC_OUT - [0:0]
-A FORWARD -j SOLUSVM_TRAFFIC_IN 
-A FORWARD -j SOLUSVM_TRAFFIC_OUT 
-A SOLUSVM_TRAFFIC_IN -d IP1 
-A SOLUSVM_TRAFFIC_IN -d IP2 
-A SOLUSVM_TRAFFIC_OUT -s IP1 
-A SOLUSVM_TRAFFIC_OUT -s IP2 
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*mangle
:PREROUTING ACCEPT [751388:694616048]
:INPUT ACCEPT [17254:1825032]
:FORWARD ACCEPT [735270:692897288]
:OUTPUT ACCEPT [19785:3216361]
:POSTROUTING ACCEPT [755055:696113649]
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
# Generated by iptables-save v1.3.5 on Tue Feb 11 07:21:08 2014
*nat
:PREROUTING ACCEPT [21350:1445366]
:POSTROUTING ACCEPT [21818:1488532]
:OUTPUT ACCEPT [1876:127401]
COMMIT
# Completed on Tue Feb 11 07:21:08 2014
jfreak53
  • use iptables -nvL so you'll see the IP instead of worldunitedetcetc.com. However, as your default policy is ACCEPT, none of this should matter, so I don't think any iptables rules would block or help. So, are all the other services available from outside your network on your VPS? – Semirke Feb 11 '14 at 14:23
  • It is IPTables. Because when I shut down IPTables on the host node it works. So it has to be IPTables. If it wasn't IPTables it wouldn't work when I shut down IPTables on the host. – jfreak53 Feb 11 '14 at 14:36
  • All services are available; SSH, HTTP, HTTPS, Webmin (Port 10000). – jfreak53 Feb 11 '14 at 14:36
  • 1
    We need more details. Please modify your question by adding the output of `iptables-save`. – pepoluan Feb 11 '14 at 18:18
  • I must be misreading these iptables statements but it looks like iptables is doing nothing but allowing all traffic through... – Daniel Widrick Feb 11 '14 at 19:08
  • I know, they don't look like they are causing problems. But there is no other explanation I can think of: if I turn off IPTables it works. With IPTables on it doesn't. So unless you can think of another reason why turning off IPTables fixes it, yet it's not IPTables' fault, then I'm stumped. – jfreak53 Feb 11 '14 at 20:27

1 Answer

SolusVM loads a bunch of modules that only OpenVZ needs, but Xen units do not need. To fix this, edit the file `/etc/sysconfig/iptables-config` and remove this line:

IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp ipt_owner ipt_REDIRECT"

And replace it with this line:

IPTABLES_MODULES="ip_conntrack_netbios_ns"

Once done restart IPTables:

service iptables restart

This fixed the problem.

Credits: Passive FTP and SolusVM

jfreak53
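Added example, not part of the original question or answer and not SolusVM's own code: a small POSIX shell script that checks a node for the FTP helper discussed above and applies the config change from the answer. Two points from the thread are worth making explicit. First, `iptables -L` without `-n` reverse-resolves every address, so the unfamiliar domain in the first listing is just the PTR record of IP1/IP2; `service iptables status` and `iptables-save` print numerically, which is why the "two rulesets" have exactly the same rules. `iptables -nvL`, as the first comment suggests, shows the same thing numerically with packet counters. Second, `iptables -F` removes rules but leaves kernel modules loaded, while `service iptables stop` on CentOS 5 also unloads them (IPTABLES_MODULES_UNLOAD=yes is the default in iptables-config), so "flush doesn't help, stop does" points at the `ip_nat_ftp` helper (and the `ip_conntrack_ftp` it pulls in) rather than at any rule. The functions take the config path as an argument so they can be tried on a copy first; the `nf_*` helper names are included as an assumption for later kernels and are not on the page.

```shell
#!/bin/sh
# Added example (not from the original post or SolusVM). Helpers for checking
# a CentOS 5 SolusVM node for the FTP conntrack/NAT helper and for rewriting
# IPTABLES_MODULES in /etc/sysconfig/iptables-config. The config path is
# always passed in, so the functions can be run against a copy first.

# FTP helper module names: ip_* are the CentOS 5 (2.6.18) names from the page;
# nf_* are the later-kernel equivalents (assumption, for newer nodes).
FTP_HELPERS="ip_nat_ftp ip_conntrack_ftp nf_nat_ftp nf_conntrack_ftp"

# Return 0 if the space-separated module list in $1 names an FTP helper.
has_ftp_helper() {
    for m in $1; do
        for h in $FTP_HELPERS; do
            [ "$m" = "$h" ] && return 0
        done
    done
    return 1
}

# Print the FTP helper modules currently loaded in the kernel (needs lsmod).
loaded_ftp_helpers() {
    lsmod 2>/dev/null | awk 'NR > 1 {print $1}' | while read -r m; do
        has_ftp_helper "$m" && echo "$m"
    done
}

# Print the module list configured in an iptables-config file, quotes stripped.
get_iptables_modules() {
    sed -n 's/^IPTABLES_MODULES=//p' "$1" | tr -d '"'
}

# Replace the IPTABLES_MODULES= line in $1 with the list in $2, keeping a .bak
# copy and the original file's inode/permissions. Returns 1 and changes nothing
# if the file has no such line. Module names never contain '|' or '&', so the
# list can be used directly in the sed replacement.
set_iptables_modules() {
    cfg=$1
    modules=$2
    grep -q '^IPTABLES_MODULES=' "$cfg" || return 1
    cp -p "$cfg" "$cfg.bak" || return 1
    sed "s|^IPTABLES_MODULES=.*|IPTABLES_MODULES=\"$modules\"|" "$cfg.bak" > "$cfg"
}

# Show rules numerically (no reverse DNS) with packet counters, as the first
# comment on the question suggests; this avoids the "unknown domain" confusion.
show_rules_numeric() {
    iptables -nvL
}

# Usage on a live node (run as root):
#   loaded_ftp_helpers        # before the fix: ip_nat_ftp and ip_conntrack_ftp
#   has_ftp_helper "$(get_iptables_modules /etc/sysconfig/iptables-config)" \
#       && echo "FTP helper is in IPTABLES_MODULES"
#   set_iptables_modules /etc/sysconfig/iptables-config "ip_conntrack_netbios_ns"
#   service iptables restart  # stop unloads the old modules, start loads the new list
#   loaded_ftp_helpers        # after the restart: nothing
```

The rewrite goes through the `.bak` copy and a redirect rather than `sed -i` so that the file's permissions and SELinux context are untouched and the previous module list survives for comparison; running `has_ftp_helper` on `get_iptables_modules` output after the change is the quick check that the line actually took.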