Looking for someone to fix FTP on port 21 not working, Linux 2.6.18-308.8.2.el5.028stab101.1 x86_64

I bought a new server and have run into the following FTP problem.

CentOS release 5.9 (Final)
Linux 2.6.18-308.8.2.el5.028stab101.1 x86_64

สถานะ:    กำลังแก้ปัญหาที่อยู่ของ mydomain.com
สถานะ:    กำลังเชื่อมต่อไปยัง xxx.xxx.xxx.xxx:21...
สถานะ:    การเชื่อมต่อถูกสร้าง,กำลังรอข้อความต้อนรับ...
การตอบสนอง:    220 ProFTPD 1.3.3c Server ready.
คำสั่ง:    USER test@mydomain.com
การตอบสนอง:    331 Password required for test@mydomain.com
คำสั่ง:    PASS ********
การตอบสนอง:    230 User test@mydomain.com logged in
คำสั่ง:    SYST
การตอบสนอง:    215 UNIX Type: L8
คำสั่ง:    FEAT
การตอบสนอง:    211-Features:
การตอบสนอง:     MDTM
การตอบสนอง:     MFMT
การตอบสนอง:     TVFS
การตอบสนอง:     MFF modify;UNIX.group;UNIX.mode;
การตอบสนอง:     MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
การตอบสนอง:     REST STREAM
การตอบสนอง:     SIZE
การตอบสนอง:    211 End
สถานะ:    Server does not support non-ASCII characters.
สถานะ:    เชื่อมต่อแล้ว
สถานะ:    กำลังเรียกรายการไดเรกทอรี...
คำสั่ง:    PWD
การตอบสนอง:    257 "/" is the current directory
คำสั่ง:    TYPE I
การตอบสนอง:    200 Type set to I
คำสั่ง:    PASV
การตอบสนอง:    227 Entering Passive Mode (xxx,xxx,xxx,xxx,140,59).
คำสั่ง:    MLSD
ผิดพลาด:    การเชื่อมต่อหมดเวลา
ผิดพลาด:    ไม่สามารถเรียกรายชื่อไดเรกทอรี

I reported this to the provider's staff, and they replied:

Hello,

On our side it works normally, with no disconnects or

ผิดพลาด: การเชื่อมต่อหมดเวลา
ผิดพลาด: ไม่สามารถเรียกรายชื่อไดเรกทอรี

as shown in the attached file.


From what I have observed, logging in as user root over SFTP works.

But an ordinary user created with DirectAdmin, such as test@mydomain.com, over FTP on port 21 cannot get in.

But if I turn off the firewall with the commands

[root@server]# iptables -F
[root@server]# service iptables save
[root@server]# service iptables restart

then I can connect. …But by the next day I cannot connect again; it is as if something resets iptables every day.

At first I did not want to pay to hire an outsider, because having bought a server I should be able to use FTP the normal way, the way everyone else does.
And I believe nobody would hand out the root user to customers for FTP. But after getting the following answer, I had to hurry and hire someone.

Hello,
Configuration inside the server has to be carried out by the customer.

Best Regards.,

So I would like anyone with the knowledge to fix this to PM or email me a price quote,
together with the time needed for the fix, so that I can proceed with hiring.
The hiring budget is no more than 500-1,500.

Contact me by mail at noppadon at outlook dot com, or by PM.

Thank you.

Open the passive ports that FTP uses in the firewall.
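The timeout in the log above comes right after the 227 reply: the client opens a second TCP connection to the port encoded in the reply's last two numbers, and the firewall has to admit that port. The following is an added example, not code from the thread, that decodes the reply and checks the port against an iptables-save style rule set. The sample rules, the address 192.0.2.10 and the 35000-35999 passive range are constructed, and the range would have to match ProFTPD's PassivePorts setting.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# pasv_port REPLY -> prints the data port announced in a "227" PASV reply.
# The reply carries h1,h2,h3,h4,p1,p2 and the port is p1*256 + p2.
pasv_port() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^227 .*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $nums                      # h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    [ "$5" -le 255 ] && [ "$6" -le 255 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# input_verdict PORT < iptables-save text
# Prints ACCEPT or DROP for a NEW inbound TCP connection to PORT: the first
# matching terminal rule in INPUT decides, otherwise the chain policy.
# Limits of this sketch: jumps to user chains are not followed, "!" negation
# and -d are ignored, and rules tied to an interface, source address or
# source port are treated as not matching an arbitrary client.
input_verdict() {
    awk -v port="$1" '
    $1 == ":INPUT" { policy = $2; next }
    $1 != "-A" || $2 != "INPUT" || decided { next }
    {
        target = ""; proto = "all"; match_port = 1; skip = 0
        for (i = 3; i < NF; i++) {
            v = $(i + 1)
            if ($i == "-j") target = v
            else if ($i == "-p") proto = v
            else if ($i == "-i" || $i == "-s" || $i == "--sport") skip = 1
            # RELATED,ESTABLISHED only covers the data connection when the
            # FTP conntrack helper is loaded; without it the SYN is NEW.
            else if ($i == "--state" && v !~ /NEW/) skip = 1
            else if ($i == "--dport" || $i == "--dports") {
                match_port = 0
                n = split(v, items, ",")
                for (k = 1; k <= n; k++) {
                    m = split(items[k], r, ":")
                    lo = r[1] + 0; hi = (m == 2 ? r[2] : r[1]) + 0
                    if (port + 0 >= lo && port + 0 <= hi) match_port = 1
                }
            }
        }
        if (skip || !match_port) next
        if (proto != "tcp" && proto != "all") next
        if (target == "ACCEPT") { print "ACCEPT"; decided = 1 }
        else if (target == "DROP" || target == "REJECT") { print "DROP"; decided = 1 }
    }
    END { if (!decided) print (policy == "" ? "UNKNOWN" : policy) }
    '
}

# sample_rules [EXTRA_RULE]: constructed rule set shaped like the listing in
# the thread (service ports, state rules, catch-all DROP). EXTRA_RULE, if
# given, is placed just before the catch-all DROP.
sample_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,20 -m state --state RELATED,ESTABLISHED -j ACCEPT
$1
-A INPUT -p tcp -j DROP
-A INPUT -j DROP
COMMIT
EOF
}

# Constructed reply; 140,59 are the port bytes from the log in the thread.
reply='227 Entering Passive Mode (192,0,2,10,140,59).'
passive_rule='-A INPUT -p tcp -m tcp --dport 35000:35999 -j ACCEPT'

port=$(pasv_port "$reply")
echo "data port announced by server: $port"
echo "without passive range: $(sample_rules | input_verdict "$port")"
echo "with passive range:    $(sample_rules "$passive_rule" | input_verdict "$port")"
```

On a live server the rule text would come from `iptables-save` run as root instead of `sample_rules`.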

If it works with the firewall turned off, then you will have to look at the firewall.

Then where do I fix the cause of the daily reset? Thank you for the advice.


Please show the output of iptables -L. Are some values set too high, too low, or wrong?

Who installed the system on your machine? Does it have something like apf or csf firewall?
When it is not working, try running iptables --list to see what rules are there.
Or try typing apf and csf over ssh to see whether those commands exist.

As for the commands you ran:
[root@server]# iptables -F
[root@server]# service iptables save
[root@server]# service iptables restart

That clears all the rules and then saves that state.
After that the firewall is restarted, so it runs with no rules at all.
If you leave it and the rules come back, something like csf or apf is probably installed.
These have a cron job that refreshes themselves; if you do not use it, delete the cron job.
But really I would recommend learning to use it properly and opening all the ports you need, which is better than turning it off.

Take a look at what files are in /etc/cron.d/.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  100.64.0.0/10        anywhere            
DROP       all  --  127.0.0.0/8          anywhere            
DROP       all  --  169.254.0.0/16       anywhere            
DROP       all  --  192.0.0.0/24         anywhere            
DROP       all  --  192.0.2.0/24         anywhere            
DROP       all  --  198.18.0.0/15        anywhere            
DROP       all  --  198.51.100.0/24      anywhere            
DROP       all  --  203.0.113.0/24       anywhere            
DROP       all  --  base-address.mcast.net/4  anywhere            
DROP       all  --  240.0.0.0/4          anywhere            
TMP_DROP   all  --  anywhere             anywhere            
TALLOW     all  --  anywhere             anywhere            
TDENY      all  --  anywhere             anywhere            
TGALLOW    all  --  anywhere             anywhere            
TGDENY     all  --  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere            tcp dpts:epmap:netbios-ssn 
DROP       udp  --  anywhere             anywhere            udp dpts:epmap:netbios-ssn 
DROP       tcp  --  anywhere             anywhere            tcp dpt:sunrpc 
DROP       udp  --  anywhere             anywhere            udp dpt:sunrpc 
DROP       tcp  --  anywhere             anywhere            tcp dpt:login 
DROP       udp  --  anywhere             anywhere            udp dpt:who 
DROP       tcp  --  anywhere             anywhere            tcp dpt:efs 
DROP       udp  --  anywhere             anywhere            udp dpt:router 
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-s 
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-s 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-m 
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-m 
DROP       tcp  --  anywhere             anywhere            tcp dpt:search-agent 
DROP       udp  --  anywhere             anywhere            udp dpt:search-agent 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ingreslock 
DROP       udp  --  anywhere             anywhere            udp dpt:ingreslock 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ctx-bridge 
DROP       udp  --  anywhere             anywhere            udp dpt:ctx-bridge 
IN_SANITY  all  --  anywhere             anywhere            
FRAG_UDP   all  --  anywhere             anywhere            
PZERO      all  --  anywhere             anywhere            
P2P        all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:domain 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:http 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:sunrpc 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:imap 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:https 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:rockwell-csp2 
ACCEPT     tcp  --  anywhere             pr.in.th            tcp dpt:filenet-rpc 
ACCEPT     udp  --  anywhere             pr.in.th            udp dpt:domain 
ACCEPT     udp  --  anywhere             pr.in.th            udp dpt:sunrpc 
ACCEPT     udp  --  anywhere             pr.in.th            udp dpt:ipp 
ACCEPT     udp  --  anywhere             pr.in.th            udp dpt:724 
ACCEPT     udp  --  anywhere             pr.in.th            udp dpt:mdns 
ACCEPT     udp  --  anywhere             pr.in.th            udp dpt:filenet-tms 
ACCEPT     udp  --  anywhere             pr.in.th            udp dpt:32809 
ACCEPT     icmp --  anywhere             pr.in.th            icmp destination-unreachable limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp redirect limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp time-exceeded limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp echo-reply limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp type 30 limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp echo-request limit: avg 30/sec burst 5 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:domain 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:http 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:sunrpc 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:imap 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:https 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:rockwell-csp2 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:filenet-rpc 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:domain 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:sunrpc 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:ipp 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:724 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:mdns 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:filenet-tms 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:32809 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp destination-unreachable limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp redirect limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp time-exceeded limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp echo-reply limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp type 30 limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp echo-request limit: avg 30/sec burst 5 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  103.22.180.14        anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     tcp  --  103.22.180.14        anywhere            tcp spt:domain dpts:1023:65535 
DROP       tcp  --  anywhere             anywhere            tcp spt:domain dpts:1023:65535 
DROP       udp  --  anywhere             anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     udp  --  103.22.183.40        anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     tcp  --  103.22.183.40        anywhere            tcp spt:domain dpts:1023:65535 
DROP       tcp  --  anywhere             anywhere            tcp spt:domain dpts:1023:65535 
DROP       udp  --  anywhere             anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh dpts:login:65535 state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh flags:FIN,SYN,RST,ACK/SYN state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpts:traceroute:33534 
DROP       tcp  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            


Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         


Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
DROP       all  --  anywhere             100.64.0.0/10       
DROP       all  --  anywhere             127.0.0.0/8         
DROP       all  --  anywhere             169.254.0.0/16      
DROP       all  --  anywhere             192.0.0.0/24        
DROP       all  --  anywhere             192.0.2.0/24        
DROP       all  --  anywhere             198.18.0.0/15       
DROP       all  --  anywhere             198.51.100.0/24     
DROP       all  --  anywhere             203.0.113.0/24      
DROP       all  --  anywhere             base-address.mcast.net/4 
DROP       all  --  anywhere             240.0.0.0/4         
TMP_DROP   all  --  anywhere             anywhere            
TALLOW     all  --  anywhere             anywhere            
TDENY      all  --  anywhere             anywhere            
TGALLOW    all  --  anywhere             anywhere            
TGDENY     all  --  anywhere             anywhere            
DROP       tcp  --  anywhere             anywhere            tcp dpts:epmap:netbios-ssn 
DROP       udp  --  anywhere             anywhere            udp dpts:epmap:netbios-ssn 
DROP       tcp  --  anywhere             anywhere            tcp dpt:sunrpc 
DROP       udp  --  anywhere             anywhere            udp dpt:sunrpc 
DROP       tcp  --  anywhere             anywhere            tcp dpt:login 
DROP       udp  --  anywhere             anywhere            udp dpt:who 
DROP       tcp  --  anywhere             anywhere            tcp dpt:efs 
DROP       udp  --  anywhere             anywhere            udp dpt:router 
DROP       tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds 
DROP       udp  --  anywhere             anywhere            udp dpt:microsoft-ds 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-s 
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-s 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ms-sql-m 
DROP       udp  --  anywhere             anywhere            udp dpt:ms-sql-m 
DROP       tcp  --  anywhere             anywhere            tcp dpt:search-agent 
DROP       udp  --  anywhere             anywhere            udp dpt:search-agent 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ingreslock 
DROP       udp  --  anywhere             anywhere            udp dpt:ingreslock 
DROP       tcp  --  anywhere             anywhere            tcp dpt:ctx-bridge 
DROP       udp  --  anywhere             anywhere            udp dpt:ctx-bridge 
OUT_SANITY  all  --  anywhere             anywhere            
FRAG_UDP   all  --  anywhere             anywhere            
PZERO      all  --  anywhere             anywhere            
P2P        all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:1024:65535 state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:1024:65535 state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             103.22.180.14       udp spts:1023:65535 dpt:domain 
ACCEPT     tcp  --  anywhere             103.22.180.14       tcp spts:1023:65535 dpt:domain 
ACCEPT     udp  --  anywhere             103.22.180.14       udp spts:1023:65535 dpt:domain 
ACCEPT     tcp  --  anywhere             103.22.180.14       tcp spts:1023:65535 dpt:domain 
ACCEPT     udp  --  anywhere             103.22.183.40       udp spts:1023:65535 dpt:domain 
ACCEPT     tcp  --  anywhere             103.22.183.40       tcp spts:1023:65535 dpt:domain 
ACCEPT     udp  --  anywhere             103.22.183.40       udp spts:1023:65535 dpt:domain 
ACCEPT     tcp  --  anywhere             103.22.183.40       tcp spts:1023:65535 dpt:domain 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp dpts:1023:65535 state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpts:traceroute:33534 
ACCEPT     all  --  anywhere             anywhere            


Chain FRAG_UDP (2 references)
target     prot opt source               destination         
DROP       udp  -f  anywhere             anywhere            


Chain IN_SANITY (1 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN 
DROP       tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN 


Chain OUT_SANITY (1 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN/FIN,SYN 
DROP       tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN,RST 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,RST/FIN,RST 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,ACK/FIN 
DROP       tcp  --  anywhere             anywhere            tcp flags:PSH,ACK/PSH 
DROP       tcp  --  anywhere             anywhere            tcp flags:ACK,URG/URG 


Chain P2P (2 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            tcp dpt:kazaa reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:kazaa dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:kazaa reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:kazaa dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:3d-nfsd reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:3d-nfsd dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:3d-nfsd reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:3d-nfsd dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spts:1024:65534 dpts:smaclmgr:traversal reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spts:smaclmgr:traversal dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpts:smaclmgr:traversal reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:smaclmgr:traversal dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:6257 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:6257 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:6257 dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:6699 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:6699 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:6699 dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:gnutella-svc reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:gnutella-svc reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:gnutella-rtr reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:gnutella-rtr dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:gnutella-rtr reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:gnutella-rtr dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpts:6881:6889 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:6881:6889 dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:gnutella-svc reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:gnutella-svc reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:gnutella-svc dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp dpt:interwise reject-with icmp-port-unreachable 
REJECT     tcp  --  anywhere             anywhere            tcp spt:interwise dpts:1024:65534 reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spts:1024:65534 dpt:interwise reject-with icmp-port-unreachable 
REJECT     udp  --  anywhere             anywhere            udp spt:interwise dpts:1024:65534 reject-with icmp-port-unreachable 


Chain PROHIBIT (0 references)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 


Chain PZERO (2 references)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere            tcp dpt:0 
DROP       udp  --  anywhere             anywhere            udp dpt:0 
DROP       tcp  --  anywhere             anywhere            tcp spt:0 
DROP       udp  --  anywhere             anywhere            udp spt:0 


Chain RESET (0 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 


Chain TALLOW (2 references)
target     prot opt source               destination         


Chain TDENY (2 references)
target     prot opt source               destination         
DROP       all  --  static-84-242-82-157.net.upcbroadband.cz  anywhere            
DROP       all  --  anywhere             static-84-242-82-157.net.upcbroadband.cz 
DROP       all  --  220.172.191.31       anywhere            
DROP       all  --  anywhere             220.172.191.31      
DROP       all  --  67-23-32-241.static.cloud-ips.com  anywhere            
DROP       all  --  anywhere             67-23-32-241.static.cloud-ips.com 
DROP       all  --  82.138.60.174        anywhere            
DROP       all  --  anywhere             82.138.60.174       
DROP       all  --  bomba.intrex.hu      anywhere            
DROP       all  --  anywhere             bomba.intrex.hu     
DROP       all  --  60.12.251.5          anywhere            
DROP       all  --  anywhere             60.12.251.5         
DROP       all  --  221.133.231.118      anywhere            
DROP       all  --  anywhere             221.133.231.118     
DROP       all  --  218.78.187.14        anywhere            
DROP       all  --  anywhere             218.78.187.14       
DROP       all  --  78.186.156.7.static.ttnet.com.tr  anywhere            
DROP       all  --  anywhere             78.186.156.7.static.ttnet.com.tr 
DROP       all  --  61.164.147.2         anywhere            
DROP       all  --  anywhere             61.164.147.2        
DROP       all  --  222.80.184.46        anywhere            
DROP       all  --  anywhere             222.80.184.46       
DROP       all  --  65.119.103.46        anywhere            
DROP       all  --  anywhere             65.119.103.46       
DROP       all  --  101.44.1.135         anywhere            
DROP       all  --  anywhere             101.44.1.135        
DROP       all  --  121.14.204.41        anywhere            
DROP       all  --  anywhere             121.14.204.41       


Chain TGALLOW (2 references)
target     prot opt source               destination         


Chain TGDENY (2 references)
target     prot opt source               destination         


Chain TMP_DROP (2 references)
target     prot opt source               destination         

So many rules that it is confusing.

Here it is:
http://pastebin.com/LgGr0G9h

The system has apf and bfd.
/etc/cron.d/ contains the following:

[root@pr cron.d]# ls -l
total 8
-rw-r--r-- 1 root root  64 Apr 27 12:58 bfd
-rw------- 1 root root 487 Apr 27 12:58 directadmin_cron
[root@pr cron.d]# cat bfd
MAILTO=
SHELL=/bin/bash
*/3 * * * * root /usr/local/sbin/bfd -q



ACCEPT     icmp --  anywhere             pr.in.th            icmp destination-unreachable limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp redirect limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp time-exceeded limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp echo-reply limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp type 30 limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             pr.in.th            icmp echo-request limit: avg 30/sec burst 5 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:smtp 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:domain 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:http 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:pop3 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:sunrpc 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:imap 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:https 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:rockwell-csp2 
ACCEPT     tcp  --  anywhere             localhost.localdomain tcp dpt:filenet-rpc 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:domain 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:sunrpc 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:ipp 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:724 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:mdns 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:filenet-tms 
ACCEPT     udp  --  anywhere             localhost.localdomain udp dpt:32809 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp destination-unreachable limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp redirect limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp time-exceeded limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp echo-reply limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp type 30 limit: avg 30/sec burst 5 
ACCEPT     icmp --  anywhere             localhost.localdomain icmp echo-request limit: avg 30/sec burst 5 
DROP       tcp  --  anywhere             anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW 
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  103.22.180.14        anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     tcp  --  103.22.180.14        anywhere            tcp spt:domain dpts:1023:65535 
DROP       tcp  --  anywhere             anywhere            tcp spt:domain dpts:1023:65535 
DROP       udp  --  anywhere             anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     udp  --  103.22.183.40        anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     tcp  --  103.22.183.40        anywhere            tcp spt:domain dpts:1023:65535 
DROP       tcp  --  anywhere             anywhere            tcp spt:domain dpts:1023:65535 
DROP       udp  --  anywhere             anywhere            udp spt:domain dpts:1023:65535 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1023:65535 dpt:ftp state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            multiport dports ftp,ftp-data state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh dpts:login:65535 state RELATED,ESTABLISHED 
ACCEPT     tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh flags:FIN,SYN,RST,ACK/SYN state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ssh state ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpts:traceroute:33534 
DROP       tcp  --  anywhere             anywhere            
DROP       udp  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere       

modprobe ip_conntrack_ftp

Run that, then edit the file /etc/sysconfig/iptables-config: on the IPTABLES_MODULES line, add ip_conntrack_ftp to the list. It will look something like this:

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

That's all there is to it. There's no need to turn off the firewall at all, and opening extra ports isn't necessary either, because the ip_conntrack_ftp module takes care of it.
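Added example (not part of the original posts): a shell check for the two steps in the reply above, namely that the helper module is loaded now and that IPTABLES_MODULES will load it again when iptables restarts. The function names and sample files are constructed for illustration; typographic quotes are flagged because the shell does not treat them as quoting when the config file is read.

```shell
#!/bin/sh
# Added example: check that the FTP conntrack helper is loaded and persisted.
# File paths are arguments so the checks also run on constructed samples.
LDQ=$(printf '\342\200\234')   # UTF-8 left typographic double quote
RDQ=$(printf '\342\200\235')   # UTF-8 right typographic double quote

# Print the last uncommented IPTABLES_MODULES value in config file $1.
modules_value() {
    sed -n 's/^[[:space:]]*IPTABLES_MODULES=//p' "$1" | tail -n 1
}

# 0: module $2 is listed in $1; 1: not listed; 2: value uses typographic
# quotes, which the shell does not treat as quoting when it reads the file.
module_persisted() {
    value=$(modules_value "$1")
    case $value in
        *"$LDQ"*|*"$RDQ"*) return 2 ;;
    esac
    for m in $(printf '%s' "$value" | tr -d "\"'"); do
        if [ "$m" = "$2" ]; then return 0; fi
    done
    return 1
}

# 0 if module $2 is in the /proc/modules style listing $1, else 1.
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit !found }' "$1"
}

# Write constructed sample files (not taken from a real server) into dir $1.
write_samples() {
    printf '%s\n' '# sample' 'IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"' > "$1/good.conf"
    printf '%s\n' 'IPTABLES_MODULES="ip_conntrack_netbios_ns"' > "$1/missing.conf"
    printf 'IPTABLES_MODULES=%sip_conntrack_netbios_ns ip_conntrack_ftp%s\n' "$LDQ" "$RDQ" > "$1/curly.conf"
    printf '%s\n' 'ip_conntrack_ftp 41361 0 - Live 0x0' 'ip_conntrack 91621 1 ip_conntrack_ftp, Live 0x0' > "$1/modules"
}

# Demo: on a live host pass /etc/sysconfig/iptables-config and /proc/modules.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in good missing curly; do
    rc=0; module_persisted "$demo_dir/$f.conf" ip_conntrack_ftp || rc=$?
    echo "$f.conf: module_persisted returned $rc"
done
rc=0; module_loaded "$demo_dir/modules" ip_conntrack_ftp || rc=$?
echo "modules: module_loaded returned $rc"
rm -rf "$demo_dir"
```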

I've got someone to fix it now. Thank you very much.