Hi,
I'm currently setting up a local FTP server, to receive disk images sent with G4L (Ghost4Linux).
This server has been running Slackware Linux before, and the Vsftpd setup was relatively simple.
With CentOS things seem to be slightly different, so I'm currently trying to work things out. For the moment, two things seem to be creating problems, the simple iptables firewall and SELinux.
When I disable the firewall and SELinux, Vsftp works as expected. So far so good.
Now let's tackle this one dragon at a time. First the firewall. I'm starting with a very simple firewall script that looks somewhat like this. I'm linking to the template, I won't copy/paste the whole thing here.
https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall...
Under Slackware, the iptables rule for a local FTP server looked like this:
modprobe ip_conntrack
iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
I tried this, but to no avail. Can't connect to my server. I googled a bit, and I found out that there seem to be quite a lot of different answers on the subject of "how do I configure my firewall for Vsftpd".
Any suggestions?
Niki
Hi,
Try "iptables -I INPUT" for your FTP rule.
-- Sent from the Delta quadrant using Borg technology!
Nux! www.nux.ro
----- Original Message -----
From: "Nicolas Kovacs" info@microlinux.fr
To: "CentOS mailing list" centos@centos.org
Sent: Wednesday, 23 May, 2018 15:24:45
Subject: [CentOS] Vsftpd vs. iptables firewall script
--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Website: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: info@microlinux.fr
Tel.: 04 66 63 10 32
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
On 23/05/2018 at 16:36, Nux! wrote:
Try "iptables -I INPUT" for your FTP rule.
Doesn't work. I redirected all my errors to /var/log/messages, so here's what I get when I try to connect Filezilla to that server.
May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
I'm clueless here.
Nicolas Kovacs wrote:
Oh, hell, it just hit me: are you using C7? If so, start out by running firewall-cmd --list-all
mark
Doesn't work. I redirected all my errors to /var/log/messages, so here's what I get when I try to connect Filezilla to that server.
May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
FTP uses two ports - in active mode the server uses 21 for command and 20 for data after the initial connection. In passive mode it uses 21 for command and a high random port number for data. What is happening is that you are blocking the high port number. (Yes, I know that's a gross simplification.)
You could use active transfer and open port 20, or you could use passive, which is more "secure", and allow connections to high port numbers.
Search for active vs passive ftp for more info.
P.
On 23/05/2018 at 17:01, Pete Biggs wrote:
You could use active transfer and open port 20, or you could use passive, which is more "secure", and allow connections to high port numbers.
Search for active vs passive ftp for more info.
That helped, thanks.
I added the following to /etc/vsftpd/vsftpd.conf:
pasv_enable=YES
pasv_min_port=50001
pasv_max_port=50010
My firewall script now has the following stanza for FTP:
# FTP
$MOD ip_conntrack_ftp
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 50001:50010 -j ACCEPT
So the firewall problem seems solved.
Cheers,
Niki
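The diagnosis Pete gives above (the firewall drops the SYN to the high port vsftpd picked for passive data) can be read straight off the "+++ IPv4 packet rejected +++" lines. The script below is an added example, not code from the thread or from the linked firewall template: it pulls SRC, PROTO and DPT out of netfilter log lines and says whether the rejected port is the control port, the active-mode data port, inside the passive range Niki configured (50001-50010), or an ephemeral port outside it. The first sample line is the one Niki posted; the other two are constructed to show the remaining cases.

```shell
#!/bin/sh
# Sample log: line 1 is the reject from the thread, lines 2 and 3 are constructed.
SAMPLE_LOG='May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
May 23 16:49:10 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= SRC=192.168.2.2 DST=192.168.2.12 PROTO=TCP SPT=51480 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
May 23 16:49:12 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= SRC=192.168.2.2 DST=192.168.2.12 PROTO=TCP SPT=51481 DPT=50005 WINDOW=29200 RES=0x00 SYN URGP=0'

# Passive range as set in vsftpd.conf in the thread (pasv_min_port / pasv_max_port).
PASV_MIN=50001
PASV_MAX=50010

# classify_port PORT -> one-word verdict for a rejected inbound TCP destination port
classify_port() {
    port=$1
    if [ "$port" -eq 21 ]; then echo control
    elif [ "$port" -eq 20 ]; then echo active-data
    elif [ "$port" -ge "$PASV_MIN" ] && [ "$port" -le "$PASV_MAX" ]; then echo passive-data
    elif [ "$port" -ge 1024 ]; then echo ephemeral-outside-pasv-range
    else echo unrelated
    fi
}

# field NAME LINE -> value of the NAME=value token in a netfilter log line
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# classify_line LINE -> "SRC DPT verdict" for rejected TCP packets, nothing otherwise
classify_line() {
    line=$1
    case $line in *"packet rejected"*) ;; *) return 0 ;; esac
    [ "$(field PROTO "$line")" = TCP ] || return 0
    dpt=$(field DPT "$line")
    [ -n "$dpt" ] || return 0
    printf '%s %s %s\n' "$(field SRC "$line")" "$dpt" "$(classify_port "$dpt")"
}

# classify_log -> one verdict line per rejected TCP packet in SAMPLE_LOG
classify_log() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do classify_line "$l"; done
}

classify_log
```

A verdict of ephemeral-outside-pasv-range is exactly the thread's situation: vsftpd had no passive range configured, so the data connection landed on an arbitrary high port and the INPUT chain rejected it. Either pin the range and open it, as Niki did, or let the connection tracking FTP helper mark the data connection RELATED.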
On 23/05/2018 at 17:01, Pete Biggs wrote:
FTP uses two ports - in active mode the server uses 21 for command and 20 for data after the initial connection. In passive mode it uses 21 for command and a high random port number for data. What is happening is that you are blocking the high port number. (Yes, I know that's a gross simplification.)
I've updated the documentation on my blog:
https://blog.microlinux.fr/vsftpd-centos/
Cheers,
Niki
Nicolas Kovacs wrote:
<snip> A suggestion: once you've got the firewall issue dealt with, set selinux into permissive mode; *then* you can figure out what it's complaining about, while at the same time, your system will be available. Once you've fixed those issues, then you can make it enforcing.
mark
On 23/05/2018 at 16:58, m.roth@5-cent.us wrote:
A suggestion: once you've got the firewall issue dealt with, set selinux into permissive mode; *then* you can figure out what it's complaining about, while at the same time, your system will be available. Once you've fixed those issues, then you can make it enforcing.
This is always my approach. Turns out the solution was rather simple here. After switching SELinux to permissive mode and connecting to the server, I did this:
# sealert -a /var/log/audit/audit.log
The problem here was that I got a small tsunami of suggestions. But in the middle of this flood, I got a boolean to set, so on a hunch, I tried that:
# setsebool -P ftpd_full_access 1
Turns out this solved all SELinux-related problems. So Vsftp works perfectly now with my custom Iptables firewall *and* SELinux in enforcing mode.
Cheers & thanks for all your suggestions.
Niki
Nicolas Kovacs wrote:
On 23/05/2018 at 16:58, m.roth@5-cent.us wrote:
A suggestion: once you've got the firewall issue dealt with, set selinux into permissive mode; *then* you can figure out what it's complaining about, while at the same time, your system will be available. Once you've fixed those issues, then you can make it enforcing.
This is always my approach. Turns out the solution was rather simple here. After switching SELinux to permissive mode and connecting to the server, I did this:
# sealert -a /var/log/audit/audit.log
The problem here was that I got a small tsunami of suggestions. But in
ARGH! No. We get entries in /var/log/messages that tell you run run sealert *with* a given number. I just highlight, copy and run that, not try to read the whole audit log.
mark
the middle of this flood, I got a boolean to set, so on a hunch, I tried that:
# setsebool -P ftpd_full_access 1
Turns out this solved all SELinux-related problems. So Vsftp works perfectly now with my custom Iptables firewall *and* SELinux in enforcing mode.
Cheers & thanks for all your suggestions.
Niki
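Whether you go through sealert as Niki did or, as mark suggests, run it only on the single alert id setroubleshoot prints to /var/log/messages, the underlying data is the AVC records in /var/log/audit/audit.log. The script below is an added example, not from the thread: it summarises each AVC record as "permission source_type -> target_type:class", shows whether the denial was merely logged (permissive=1, the permissive mode mark recommends for diagnosis) or actually enforced, and lists the audit event serials that ausearch -a accepts. The two records are constructed to look like what a vsftpd write into a home directory would produce; they are not taken from Niki's server, and the boolean that fixed his case, ftpd_full_access, is only known from his message.

```shell
#!/bin/sh
# Constructed AVC records in auditd's audit.log format (not from the thread's server).
# permissive=1 marks a denial that was logged but allowed because SELinux was permissive.
AUDIT_LOG='type=AVC msg=audit(1527086938.512:301): avc:  denied  { write } for  pid=2210 comm="vsftpd" name="images" dev="dm-0" ino=135 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1527086938.514:302): avc:  denied  { add_name } for  pid=2210 comm="vsftpd" name="disk.img" scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1527086938.514:302): arch=c000003e syscall=2 success=yes exit=4 items=0 ppid=2208 pid=2210 comm="vsftpd" exe="/usr/sbin/vsftpd"'

# avc_field NAME RECORD -> value of NAME=value in the record, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\"[:space:]]*\).*/\1/p"
}

# type_of CONTEXT -> the type component (third colon-separated field) of an SELinux context
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary -> one line per AVC record:
#   "<perm> <source_type> -> <target_type>:<class> comm=<comm> mode=<enforced|permissive>"
avc_summary() {
    printf '%s\n' "$AUDIT_LOG" | while IFS= read -r rec; do
        case $rec in type=AVC*) ;; *) continue ;; esac
        perm=$(printf '%s\n' "$rec" | sed -n 's/.*denied[[:space:]]*{ \([^}]*\) }.*/\1/p')
        src=$(type_of "$(avc_field scontext "$rec")")
        tgt=$(type_of "$(avc_field tcontext "$rec")")
        if [ "$(avc_field permissive "$rec")" = 1 ]; then mode=permissive; else mode=enforced; fi
        printf '%s %s -> %s:%s comm=%s mode=%s\n' \
            "$perm" "$src" "$tgt" "$(avc_field tclass "$rec")" "$(avc_field comm "$rec")" "$mode"
    done
}

# audit_ids -> distinct audit event serials, the value "ausearch -a <id>" takes to show one event
audit_ids() {
    printf '%s\n' "$AUDIT_LOG" | sed -n 's/.*msg=audit([0-9.]*:\([0-9]*\)).*/\1/p' | sort -u
}

avc_summary
```

Reading the summary this way tells you what to fix before reaching for a boolean: a source type of ftpd_t writing to user_home_t is a labelling or boolean question, whereas a denial on an unexpected target type usually means the upload directory simply carries the wrong context.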
On 23 May 2018 at 10:24, Nicolas Kovacs info@microlinux.fr wrote:
OK looking at this, try changing the script as follows:
# Established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT

# FTP
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
On 23 May 2018 at 11:05, Stephen John Smoogen smooge@gmail.com wrote:
I forgot to say why. The RELATED is used to say that it is ok that the ftp extra ports are kept track of. Without it they are dropped as you are seeing.
On 2018/05/23 8:24 AM, Nicolas Kovacs wrote:
I'm currently setting up a local FTP server, to receive disk images sent with G4L (Ghost4Linux).
This server has been running Slackware Linux before, and the Vsftpd setup was relatively simple.
With CentOS things seem to be slightly different, so I'm currently trying to work things out. For the moment, two things seem to be creating problems, the simple iptables firewall and SELinux.
When I disable the firewall and SELinux, Vsftp works as expected. So far so good.
Now let's tackle this one dragon at a time. First the firewall. I'm starting with a very simple firewall script that looks somewhat like this. I'm linking to the template, I won't copy/paste the whole thing here.
https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
Under Slackware, the iptables rule for a local FTP server looked like this:
modprobe ip_conntrack
iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
I tried this, but to no avail. Can't connect to my server. I googled a bit, and I found out that there seem to be quite many different answers about the subject of "how do I configure my firewall for Vsftpd".
The ip_conntrack module is necessary, but not sufficient for dynamic FTP connection tracking.
If you instead load ip_conntrack_ftp, it will auto-load ip_conntrack. (On a C7 server the modules are actually nf_conntrack_ftp and nf_conntrack, but the ip_* names are aliases for them so either will work.)
Oh, and to make the module configuration permanent, you can use either the CentOS config file at /etc/sysconfig/iptables-config (look for the IPTABLES_MODULES line with associated comments) or, on a systemd box, /etc/modules-load.d/ (man modules-load.d for details).
----
Nels Lindquist nlindq@maei.ca
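Putting the three answers together (Niki's passive range, Stephen's RELATED,ESTABLISHED rule and Nels's point that nf_conntrack_ftp pulls in nf_conntrack by itself), here is an added example of what the FTP stanza of such a firewall script can look like. It is not the thread's script nor the linked template: it reads pasv_min_port and pasv_max_port from a vsftpd.conf fragment (constructed here, with Niki's values), refuses an inverted range, and by default only prints the iptables and modprobe commands so it can be checked without root. The interface name enp0s3 is assumed from the IN= field of Niki's log line; set IPT=iptables MOD=modprobe in the environment to apply the rules for real.

```shell
#!/bin/sh
# Constructed vsftpd.conf fragment carrying the passive range from the thread.
VSFTPD_CONF='listen=YES
pasv_enable=YES
pasv_min_port=50001
pasv_max_port=50010'

IFACE_LAN=${IFACE_LAN:-enp0s3}   # assumed LAN interface, as seen in the IN= field of the log line
IPT=${IPT:-echo iptables}        # dry run by default; IPT=iptables applies the rules (needs root)
MOD=${MOD:-echo modprobe}

# conf_value KEY -> value of KEY=value in VSFTPD_CONF (last occurrence wins, as vsftpd does)
conf_value() {
    printf '%s\n' "$VSFTPD_CONF" | sed -n "s/^$1=//p" | tail -n 1
}

# ftp_rules -> emits (or applies) the INPUT rules a passive-mode vsftpd needs
ftp_rules() {
    pmin=$(conf_value pasv_min_port)
    pmax=$(conf_value pasv_max_port)
    if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -gt "$pmax" ]; then
        echo "ftp_rules: pasv_min_port/pasv_max_port missing or inverted" >&2
        return 1
    fi
    # The FTP helper auto-loads nf_conntrack; on CentOS 7 ip_conntrack_ftp is an alias for it.
    $MOD nf_conntrack_ftp
    # Stateful rule first: data connections the helper has marked RELATED are accepted here.
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Control channel.
    $IPT -A INPUT -p tcp -i "$IFACE_LAN" --dport 21 -j ACCEPT
    # Explicit passive range: keeps transfers working even when the helper cannot inspect
    # the control channel (for example FTP over TLS), and limits the exposed high ports
    # to the ten vsftpd actually uses.
    $IPT -A INPUT -p tcp -i "$IFACE_LAN" --dport "$pmin:$pmax" -j ACCEPT
}

ftp_rules
```

Keeping the RELATED,ESTABLISHED rule above the port-specific ones matters: without it the return half of every connection, not just FTP data, depends on an explicit ACCEPT, which is the situation the "+++ IPv4 packet rejected +++" line earlier in the thread shows.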