I'm having a heck of a time getting vsftpd to work properly. When iptables is OFF, it works fine, and when iptables is on, it dies. When I try ftp from a command line, here's what the session looks like:
[root@mylaptop ~]# ftp ftp.server.com
Connected to ftp.server.com.
220 Welcome to My Company FTP
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.server.com:root): northwind
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (66,81,89,182,135,169)
ftp: connect: No route to host
ftp>
But, what am I doing wrong, here!?!?! Sample from /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.

############################################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
############################################
Lastly, here's a typical log rejection notice from /var/log/messages:

Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT= MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729 WINDOW=5840 RES=0x00 SYN URGP=0
What am I missing?
-Ben
On 2/15/06, Benjamin Smith lists@benjamindsmith.com wrote:
> I'm having a heck of a time getting vsftpd to work properly. When iptables is OFF, it works fine, and when iptables is on, it dies. When I try ftp from a command line, here's what the session looks like:
> [...]
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
FTP uses two TCP connections, 21 and 20. If the kernel has connection tracking on, this is fairly easy. I don't know the details offhand, or whether the kernel supports connection tracking, as I use ssh/scp/sftp exclusively.
I know you need to load the ip_conntrack_ftp module.
If you google you should find the rest of the information you need.
> "The best way to predict the future is to invent it."
> - XEROX PARC slogan, circa 1978
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
--
Leonard Isham, CISSP
Ostendo non ostento.
On Wed, 2006-02-15 at 16:43 -0800, Benjamin Smith wrote:
> [...]
> What am I missing?
---- ip_conntrack_ftp
You could modprobe it, or you could do some learning about netfilter (iptables). A super place to start is here...
http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/firewall-examples.h...
Craig
On Thu, 16.02.2006 at 1:43, Benjamin Smith wrote:
> I'm having a heck of a time getting vsftpd to work properly. When iptables is OFF, it works fine, and when iptables is on, it dies. When I try ftp from a command line, here's what the session looks like:
> [...]
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
Once, besides the control connection, the additional data connection is to be established (for listing directory content), your client, configured to use passive FTP, sends the PASV command to the server, which then opens a connection from a random high port (here 32877) to a high port on your client host (here 34729 = 135*256+169).
> Sample from /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.
> [...]
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -j LOG
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
Your iptables ruleset blocks state NEW connections other than those explicitly accepted; thus the above-described connection from the server to your client host on port 34729 is blocked. iptables needs a helper to recognize this FTP data connection in passive mode as related to the already established control connection: ip_conntrack_ftp.
Alexander
Benjamin Smith wrote:
> [...]
> What am I missing?
Ben,
simply modify one of the first lines of /etc/sysconfig/iptables-config to read

IPTABLES_MODULES="ip_conntrack_ftp"

and restart iptables.
HTH,
Kay
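To make Alexander's explanation and Kay's fix concrete, here is a small Python model (added here; it is not code from the thread or from vsftpd/netfilter) that decodes the 227 reply from Ben's session into the data port and walks the posted RH-Firewall-1-INPUT chain for the SYN that opens the data connection, once as a NEW connection (no FTP helper) and once as RELATED (what conntrack reports after ip_conntrack_ftp has parsed the 227 reply on the control connection). The $VARIABLES are replaced by constructed documentation-range addresses, and the conntrack behaviour is reduced to the state label the helper would assign; everything else follows the ruleset as posted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# ---- 1. Decode the 227 reply the client printed ----------------------------
PASV_RE = re.compile(r"227[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    The data port is p1*256 + p2, the sum Alexander worked out by hand."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

# ---- 2. A small model of the posted RH-Firewall-1-INPUT chain --------------
@dataclass
class Packet:
    proto: str        # "tcp", "udp", "icmp", "50", "51"
    src: str          # source address
    dport: int        # destination port (0 when the protocol has none)
    state: str        # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    iface: str = "eth0"

# Constructed placeholders for the $VARIABLES in the ruleset (RFC 5737
# documentation ranges, not the real addresses).
LOCALNETWORK = ipaddress.ip_network("192.0.2.0/28")
MYHOUSEIP = ipaddress.ip_address("198.51.100.7")

def from_net(net):   return lambda p: ipaddress.ip_address(p.src) in net
def from_host(host): return lambda p: ipaddress.ip_address(p.src) == host
def tcp_dport(port): return lambda p: p.proto == "tcp" and p.dport == port
def both(*fs):       return lambda p: all(f(p) for f in fs)

Rule = Tuple[Callable[[Packet], bool], str]

# Same order as in /etc/sysconfig/iptables; first terminating match wins.
RH_FIREWALL_1_INPUT: List[Rule] = [
    (lambda p: p.iface == "lo",                       "ACCEPT"),
    (lambda p: p.proto == "icmp",                     "ACCEPT"),
    (lambda p: p.proto == "50",                       "ACCEPT"),
    (lambda p: p.proto == "51",                       "ACCEPT"),
    (tcp_dport(21),                                   "ACCEPT"),
    (both(from_net(LOCALNETWORK), tcp_dport(1984)),   "ACCEPT"),
    (tcp_dport(80),                                   "ACCEPT"),
    (both(from_host(MYHOUSEIP), tcp_dport(62000)),    "ACCEPT"),
    (both(from_net(LOCALNETWORK), tcp_dport(62000)),  "ACCEPT"),
    (lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    (lambda p: p.proto == "tcp",                      "LOG"),     # non-terminating
    (lambda p: True,                                  "REJECT"),
]

def walk_chain(pkt: Packet, chain: List[Rule] = RH_FIREWALL_1_INPUT) -> Tuple[str, bool]:
    """Return (verdict, logged). LOG records the packet and falls through to
    the next rule; every other target ends the walk, as in netfilter."""
    logged = False
    for match, target in chain:
        if not match(pkt):
            continue
        if target == "LOG":
            logged = True
            continue
        return target, logged
    return "ACCEPT", logged   # built-in INPUT policy; unreachable with the catch-all REJECT

def data_connection_verdict(pasv_reply: str, client_ip: str, helper_loaded: bool) -> Tuple[str, bool]:
    """Verdict for the SYN that opens the passive-mode data connection.
    Without ip_conntrack_ftp the SYN is a NEW connection to a random high port,
    so it hits LOG and then REJECT (the /var/log/messages line in the thread).
    With the helper loaded, conntrack has read the 227 reply on the control
    connection and labels the SYN RELATED, so the state rule accepts it."""
    _, data_port = parse_pasv(pasv_reply)
    syn = Packet("tcp", client_ip, data_port, "RELATED" if helper_loaded else "NEW")
    return walk_chain(syn)

if __name__ == "__main__":
    reply = "227 Entering Passive Mode (66,81,89,182,135,169)"   # from the posted session
    print(parse_pasv(reply))                                                    # ('66.81.89.182', 34729)
    print(data_connection_verdict(reply, str(MYHOUSEIP), helper_loaded=False))  # ('REJECT', True)
    print(data_connection_verdict(reply, str(MYHOUSEIP), helper_loaded=True))   # ('ACCEPT', False)
```

The logged SYN in the thread has DPT=34729, which is exactly the port decoded from the 227 reply, and the REJECT target's icmp-host-prohibited is what the ftp client reports as "No route to host". Loading the helper does not add a rule; it changes the state label the existing ESTABLISHED,RELATED rule sees, which is why Kay's one-line IPTABLES_MODULES change is the whole fix.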
On Thursday 16 February 2006 03:40, Kay Diederichs wrote:
> Ben,
> simply modify one of the first lines of /etc/sysconfig/iptables-config to read
> IPTABLES_MODULES="ip_conntrack_ftp"
> and restart iptables.
Bingo! That's it - thanks!
-Ben
> HTH,
> Kay