1. Start the vsftpd service first:
% service vsftpd start
2. Open port 21 through iptables
(1) First look at the current iptables rules:
% iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited // anything not matched by the rules above is rejected here
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(2) Insert an ACCEPT rule for port 21 into the INPUT chain
% iptables -I INPUT 5 -p tcp --dport 21 -j ACCEPT
## rulenum is 5, so the new rule lands before "REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited" in INPUT
(3) List the chain again after the insert to confirm the position
% iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
6 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
3. From a client, run telnet <server ip> 21 to verify that the port is reachable
Key point: the inserted rule must sit before "REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited". iptables evaluates a chain top to bottom and stops at the first match, so an ACCEPT placed after the catch-all REJECT is never reached and has no effect!!
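The rule number 5 above was read off the listing by hand. As an added example (not part of the original notes), the POSIX shell script below computes that position from the output of iptables -nL --line-numbers, so the ACCEPT always lands just before the first REJECT in INPUT even when the chain changes; the listing is a constructed sample matching the chain shown above, and the script only prints the iptables command rather than running it.

```shell
#!/bin/sh
# reject_pos: read an `iptables -nL --line-numbers` listing on stdin and print
# the rule number of the first REJECT in the INPUT chain. Prints nothing when
# INPUT has no REJECT rule (then appending with -A is good enough).
reject_pos() {
    awk '
        /^Chain /                  { in_input = ($2 == "INPUT"); next }
        in_input && $2 == "REJECT" { print $1; exit }
    '
}

# open_port_cmd LISTING PORT: build the iptables command that opens PORT
# before the catch-all REJECT. It is printed, not executed.
open_port_cmd() {
    pos=$(printf '%s\n' "$1" | reject_pos)
    if [ -n "$pos" ]; then
        echo "iptables -I INPUT $pos -p tcp --dport $2 -j ACCEPT"
    else
        echo "iptables -A INPUT -p tcp --dport $2 -j ACCEPT"
    fi
}

# Constructed sample: the INPUT chain from the notes before port 21 was added.
SAMPLE='Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination'

# On a live host you would feed `iptables -nL --line-numbers` instead of $SAMPLE.
open_port_cmd "$SAMPLE" 21   # prints: iptables -I INPUT 5 -p tcp --dport 21 -j ACCEPT
```

Port 21 is only the FTP control channel; data transfers use separate connections, so a passive-mode client also needs the ftp conntrack helper (nf_conntrack_ftp) or an explicitly opened passive port range.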
Fixing FTP upload failures: vsftpd is read-only by default, so the config file has to be changed
% vim /etc/vsftpd.conf
write_enable=YES
(The option is spelled write_enable, and vsftpd expects option=value with no spaces around the "=".)
!! Restart the vsftpd service afterwards
/etc/init.d/vsftpd restart    or
service vsftpd restart