IPTables Blocking FileZilla

Discussion in 'ISPConfig 3 Priority Support' started by OwnYourOwn, Nov 22, 2017.

  1. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Could not connect FileZilla explicit TLS or plain FTP. Flushed IPTables - restarted fail2ban and all FTP worked. Started Baseline, which I was using when FTP did not connect, and FTP failed to connect again. Explicit TLS uses port 21. How do I open port 21 in IPTables?
    I tried inserting "-A INPUT -p tcp --dport 21 -j ACCEPT" but it did not work
    Your help would be appreciated. Bellow is current IPTables:
    # Generated by iptables-save v1.4.21 on Wed Nov 22 12:02:32 2017
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [62:6716]
    :INT_IN - [0:0]
    :INT_OUT - [0:0]
    :PAROLE - [0:0]
    :PUB_IN - [0:0]
    :PUB_OUT - [0:0]
    :fail2ban-apache - [0:0]
    :fail2ban-apache-nohome - [0:0]
    :fail2ban-apache-overflows - [0:0]
    :fail2ban-dovecot-pop3imap - [0:0]
    :fail2ban-php-url-fopen - [0:0]
    :fail2ban-postfix-sasl - [0:0]
    :fail2ban-pureftpd - [0:0]
    :fail2ban-ssh - [0:0]
    -A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
    -A INPUT -p tcp -m multiport --dports 25 -j fail2ban-postfix-sasl
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
    -A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-php-url-fopen
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-nohome
    -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A INPUT -d 127.0.0.0/8 ! -i lo -p tcp -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -s 224.0.0.0/4 -j DROP
    -A INPUT -i eth+ -j PUB_IN
    -A INPUT -i ppp+ -j PUB_IN
    -A INPUT -i slip+ -j PUB_IN
    -A INPUT -i venet+ -j PUB_IN
    -A INPUT -i bond+ -j PUB_IN
    -A INPUT -i en+ -j PUB_IN
    -A INPUT -j DROP
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -j DROP
    -A OUTPUT -o eth+ -j PUB_OUT
    -A OUTPUT -o ppp+ -j PUB_OUT
    -A OUTPUT -o slip+ -j PUB_OUT
    -A OUTPUT -o venet+ -j PUB_OUT
    -A OUTPUT -o bond+ -j PUB_OUT
    -A OUTPUT -o en+ -j PUB_OUT
    -A INT_IN -p icmp -j ACCEPT
    -A INT_IN -j DROP
    -A INT_OUT -p icmp -j ACCEPT
    -A INT_OUT -j ACCEPT
    -A PAROLE -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A PUB_IN -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A PUB_IN -p tcp -m tcp --dport 20 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 22 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 25 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 53 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 80 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 110 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 143 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 443 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 465 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 587 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 990 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 993 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 995 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 3306 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 8080 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 8081 -j PAROLE
    -A PUB_IN -p tcp -m tcp --dport 10000 -j PAROLE
    -A PUB_IN -p udp -m udp --dport 53 -j ACCEPT
    -A PUB_IN -p udp -m udp --dport 3306 -j ACCEPT
    -A PUB_IN -p icmp -j DROP
    -A PUB_IN -j DROP
    -A PUB_OUT -j ACCEPT
    -A fail2ban-apache -j RETURN
    -A fail2ban-apache-nohome -j RETURN
    -A fail2ban-apache-overflows -j RETURN
    -A fail2ban-dovecot-pop3imap -j RETURN
    -A fail2ban-php-url-fopen -j RETURN
    -A fail2ban-postfix-sasl -j RETURN
    -A fail2ban-pureftpd -j RETURN
    -A fail2ban-ssh -j RETURN
    COMMIT
    # Completed on Wed Nov 22 12:02:32 2017
    # Generated by iptables-save v1.4.21 on Wed Nov 22 12:02:32 2017
    *nat
    :PREROUTING ACCEPT [42:2610]
    :INPUT ACCEPT [31:1845]
    :OUTPUT ACCEPT [9:647]
    :POSTROUTING ACCEPT [9:647]
    COMMIT
    # Completed on Wed Nov 22 12:02:32 2017
    # Generated by iptables-save v1.4.21 on Wed Nov 22 12:02:32 2017
    *mangle
    :PREROUTING ACCEPT [6565:297114]
    :INPUT ACCEPT [6565:297114]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [7753:21228442]
    :POSTROUTING ACCEPT [7753:21228442]
    COMMIT
    # Completed on Wed Nov 22 12:02:32 2017
     
  2. Croydon

    Croydon ISPConfig Developer

    Are you sure you were not banned by fail2ban? Check
    Code:
    iptables -L -n
    for your IP. It does not make sense to use fail2ban and then open port 21, because this would render fail2ban useless.
    If you want to do it anyway, you could use the command you stated but replace -A with -I (INSERT instead of APPEND rule). This will disable all fail2ban blocking of port 21!
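The rule-ordering point in the reply above, worked through as an added example (this is not code from the thread, from ISPConfig or from fail2ban): a small Python evaluator that walks an abridged copy of the posted filter table with first-match semantics. It shows why an appended `-A INPUT -p tcp --dport 21 -j ACCEPT` never fires (it lands after the final `-A INPUT -j DROP`), why the same rule inserted with `-I` fires before the `fail2ban-pureftpd` jump and so bypasses any ban in that chain, and that the interface match matters (the posted rules only hand traffic to PUB_IN for interface names such as eth+, en+, ppp+). The interface name `br0`, the addresses 203.0.113.5 and 198.51.100.10, and the shape of the fail2ban ban rule are assumptions made for illustration.

```python
"""Toy first-match evaluator for an iptables-save dump (added example, see lead-in)."""
import ipaddress
import shlex

# Constructed, abridged copy of the port-21 path in the filter table posted above.
DUMP = """
:INPUT DROP [0:0]
:PAROLE - [0:0]
:PUB_IN - [0:0]
:fail2ban-pureftpd - [0:0]
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
-A INPUT -i eth+ -j PUB_IN
-A INPUT -i en+ -j PUB_IN
-A INPUT -j DROP
-A PAROLE -j ACCEPT
-A PUB_IN -p tcp -m tcp --dport 21 -j PAROLE
-A PUB_IN -j DROP
-A fail2ban-pureftpd -j RETURN
"""

def parse_rule(line):
    """Split '-A|-I CHAIN [pos] <matches> -j TARGET' into (op, chain, pos, matches, target)."""
    t = shlex.split(line)
    op, chain, pos, i = t[0], t[1], None, 2
    if op == "-I" and t[2].isdigit():        # explicit insert position, 1-based
        pos, i = int(t[2]), 3
    matches, target = [], None
    while i < len(t):
        tok, val = t[i], t[i + 1] if i + 1 < len(t) else ""
        if tok == "-j":
            target = val
        elif tok in ("-p", "-i"):
            matches.append(("proto" if tok == "-p" else "iface", val))
        elif tok in ("-s", "-d"):
            matches.append(("src" if tok == "-s" else "dst", ipaddress.ip_network(val, strict=False)))
        elif tok in ("--dport", "--dports"):   # 21, 110,995 or 30000:30100
            ports = {p for part in val.split(",")
                     for p in range(int(part.split(":")[0]), int(part.split(":")[-1]) + 1)}
            matches.append(("dport", ports))
        i += 2                              # -m <ext>, --reject-with <x> etc. are skipped as pairs
    return op, chain, pos, matches, target

def rule_matches(matches, pkt):
    for kind, want in matches:
        if kind == "iface":                 # 'eth+' is a prefix wildcard
            hit = pkt["iface"] == want or (want.endswith("+") and pkt["iface"].startswith(want[:-1]))
        elif kind in ("src", "dst"):
            hit = ipaddress.ip_address(pkt[kind]) in want
        elif kind == "proto":
            hit = pkt["proto"] == want
        else:                               # dport: membership in the parsed port set
            hit = pkt.get("dport") in want
        if not hit:
            return False
    return True

class Ruleset:
    def __init__(self, dump):
        self.chains, self.policy = {}, {}
        for line in dump.strip().splitlines():
            if line.startswith(":"):
                name, pol = line[1:].split()[:2]
                self.chains[name], self.policy[name] = [], pol
            else:
                self.add(line)

    def add(self, line):
        """-A appends at the bottom of the chain; -I inserts at the top (or a given position)."""
        op, chain, pos, matches, target = parse_rule(line)
        rules = self.chains.setdefault(chain, [])
        rules.insert(len(rules) if op == "-A" else (pos or 1) - 1, (matches, target))

    def verdict(self, pkt, chain="INPUT"):
        """Return (terminal target, chain that decided); None when a user chain falls through."""
        for matches, target in self.chains[chain]:
            if not rule_matches(matches, pkt):
                continue
            if target in ("ACCEPT", "DROP", "REJECT"):
                return target, chain
            if target == "RETURN":
                break
            if target in self.chains:       # jump; keep scanning here if the callee falls through
                hit = self.verdict(pkt, target)
                if hit is not None:
                    return hit
        pol = self.policy.get(chain, "-")
        return (pol, chain + " policy") if pol != "-" else None

def new_ftp_syn(iface, src="203.0.113.5"):
    """Constructed packet: the first SYN of an explicit-TLS FTP session to port 21."""
    return {"proto": "tcp", "dport": 21, "iface": iface, "src": src, "dst": "198.51.100.10"}

def demo():
    fw = Ruleset(DUMP)
    out = {"eth0": fw.verdict(new_ftp_syn("eth0")),           # PUB_IN -> PAROLE -> ACCEPT
           "br0": fw.verdict(new_ftp_syn("br0"))}             # no PUB_IN jump for br+: -A INPUT -j DROP
    fw.add("-A INPUT -p tcp --dport 21 -j ACCEPT")            # the post's append: lands below that DROP
    out["br0_after_append"] = fw.verdict(new_ftp_syn("br0"))
    # Shape of a fail2ban ban rule (assumed; exact action strings vary by fail2ban version)
    fw.add("-I fail2ban-pureftpd 1 -s 203.0.113.5 -j REJECT --reject-with icmp-port-unreachable")
    out["banned"] = fw.verdict(new_ftp_syn("eth0"))           # what `iptables -L -n` would reveal
    fw.add("-I INPUT -p tcp --dport 21 -j ACCEPT")            # -I: top of INPUT, ahead of the fail2ban jump
    out["banned_after_insert"] = fw.verdict(new_ftp_syn("eth0"))
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Running the file prints one verdict per step, each paired with the chain that decided it, which is the same information `iptables -L -n -v` gives through its per-rule packet counters on a live box. One caveat the posted dump makes visible: it opens only ports 20 and 21 for FTP, while passive-mode data connections use a separate server-configured port range that these rules do not open, so that is worth checking independently of the control-channel question.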
     
  3. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Thanks for your reply - was busy all day yesterday with Thanksgiving. Back in business today.
    No, it's not blocking me as I have "ignoreip = 127.0.0.1/8 my ip" in jail.local. Also ran iptables -L -n. I'm not in there.

    Sorry, was probably not clear. At 76 my mind is not as good as I'd like it to be.

    When disabling ISPconfig firewall and just using IPTables, I have no problem with FileZilla and PureFTPd on port 21 - TLS. When activating ISPconfig firewall and Bastille, I get the following error in FileZilla: "Hostname does not match certificate" and will not connect.
    Also, because I use R1 Soft Backup, I need to access external IPs for it to work:
    -A INPUT -s 12.345.678.9/32 -p tcp -m state --state -m tcp --dport 1167 -j ACCEPT

    Is there a way of solving these problems by adding or changing rules in bastille-firewall.cfg?
    Thanks
     
  4. Croydon

    Croydon ISPConfig Developer

    I have no experience with bastille, sorry. But it should not have anything to do with certificate matching.
     
  5. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    I don't know either; that's why I'm asking for help.
    So, is there anyone that can help?

    Thanks
     
