[CentOS] FTP Server and IPTables?

Thu Feb 16 00:55:05 UTC 2006
Leonard Isham <leonard.isham at gmail.com>

On 2/15/06, Benjamin Smith <lists at benjamindsmith.com> wrote:
> I'm having a heck of a time getting vsftpd to work properly. When Iptables are
> OFF, it works fine, and when iptables is on, it dies. When I try ftp from a
> command line, here's what the session looks like:
>
>
> [root at mylaptop ~]# ftp ftp.server.com
> Connected to ftp.server.com.
> 220 Welcome to My Company FTP
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (ftp.server.com:root): northwind
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
> ftp>

FTP uses two TCP connections 21 and 20.  If the kernel has connection
tracking on, this is fairly easy.  I don't know the details offhand,
or if the kernel supports connection tracking, as I use ssh/scp/sftp
exclusively.

I know you need to load the ip_conntrack_ftp module.

If you google you should find the rest of the information you need.

> But, what am I doing wrong, here!?!?! Sample from
> /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.
> ############################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -j LOG
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> ############################################
>
> Lastly, here's a typical log rejection notice from /var/log/messages
> Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT=
> MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP
> LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> What am I missing?
>
> -Ben
> --
> "The best way to predict the future is to invent it."
> - XEROX PARC slogan, circa 1978
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


--
Leonard Isham, CISSP
Ostendo non ostento.
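As an added illustration (not code from the thread), here is a Python walk-through of Ben's ruleset, log line and PASV reply: it evaluates the RH-Firewall-1-INPUT chain first-match for the logged SYN, showing that without the ftp conntrack helper the passive data connection arrives as NEW and falls through to REJECT, while with ip_conntrack_ftp loaded (which decodes the 227 reply the way `passive_endpoint` does) the same SYN is RELATED and hits the ESTABLISHED,RELATED rule. Source addresses are compared as plain text, an assumption that is enough for the $VARIABLE placeholders in the post.

```python
import re

# Rules copied from the quoted /etc/sysconfig/iptables (placeholders kept).
RULES = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
""".strip().splitlines()

# The quoted /var/log/messages entry, joined onto one line and shortened.
LOG_LINE = ("IN=eth0 OUT= SRC=$MYHOUSEIP DST=$SERVERIP LEN=60 TOS=0x00 PREC=0x00 "
            "TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729 WINDOW=5840 SYN URGP=0")

# Match options used by this ruleset -> packet field (values compared as text).
OPTS = {"-i": "iface", "-p": "proto", "-s": "src", "--dport": "dport",
        "--state": "state", "-j": "target"}

def parse_rule(line):
    """Map the match options on one iptables-save line to field: value."""
    toks = line.split()
    return {OPTS[t]: toks[i + 1] for i, t in enumerate(toks) if t in OPTS}

def packet_from_log(line, ct_state):
    """Packet fields from a kernel LOG line; ct_state is conntrack's view of it."""
    kv = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"iface": kv["IN"], "proto": kv["PROTO"].lower(), "src": kv["SRC"],
            "dport": kv["DPT"], "state": ct_state}

def verdict(pkt, rules=RULES):
    """First terminating target matching pkt (LOG does not stop evaluation)."""
    for rule in map(parse_rule, rules):
        target = rule.pop("target")
        if target != "LOG" and all(pkt[f] in v.split(",") for f, v in rule.items()):
            return target
    return "RETURN"  # chain exhausted: back to INPUT, whose policy is ACCEPT

def passive_endpoint(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port),
    which is what the ftp conntrack helper reads to expect the data connection."""
    h = list(map(int, re.search(r"\((.*?)\)", reply).group(1).split(",")))
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]
```

Note that the port decoded from the quoted 227 reply (135*256+169) is exactly the DPT=34729 in the rejected SYN, which is the passive data connection the helper would have marked RELATED. On RHEL/CentOS of that generation the helper is loaded by the iptables init script via IPTABLES_MODULES="ip_conntrack_ftp" in /etc/sysconfig/iptables-config.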