[CentOS] Vsftpd vs. iptables firewall script

Fri May 25 20:04:08 UTC 2018
Nels Lindquist <nlindq at maei.ca>


On 2018/05/23 8:24 AM, Nicolas Kovacs wrote:

> I'm currently setting up a local FTP server, to receive disk images
> sent with G4L (Ghost4Linux).
> This server has been running Slackware Linux before, and the
> Vsftpd setup was relatively simple.
> With CentOS things seem to be slightly different, so I'm currently 
> trying to work things out. For the moment, two things seem to be 
> creating problems, the simple iptables firewall and SELinux.
> When I disable the firewall and SELinux, Vsftp works as expected.
> So far so good.
> Now let's tackle this one dragon at a time. First the firewall.
> I'm starting with a very simple firewall script that looks somewhat
> like this. I'm linking to the template, I won't copy/paste the
> whole thing here.
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/fi
> Under Slackware, the iptables rule for a local FTP server looked
> like this:
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
> I tried this, but to no avail. Can't connect to my server. I
> googled a bit, and I found out that there seem to be quite many
> different answers about the subject of "how do I configure my
> firewall for Vsftpd".

The ip_conntrack module is necessary, but not sufficient for dynamic
FTP connection tracking.

If you instead load ip_conntrack_ftp, it will auto-load ip_conntrack.
(On a C7 server the modules are actually nf_conntrack_ftp and
nf_conntrack, but the ip_* names are aliases for them so either will

Oh, and to make the module configuration permanent, you can use either
the CentOS config file /etc/sysconfig/iptables-config (look for the
IPTABLES_MODULES line with associated comments) or, on a systemd box,
you have the option of /etc/modules-load.d/ (man modules-load.d for
details).

----
Nels Lindquist <nlindq at maei.ca>
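The FTP part of a simple iptables script, written out as an added example that follows the advice in the reply above; it is not from the thread and not Nicolas Kovacs' script on GitHub. It assumes the script's own IFACE_LAN variable names the LAN interface (eth0 if unset) and that vsftpd listens on port 21; the DRY_RUN switch, the run helper, the file name under /etc/modules-load.d/ and the ftp_helper_loaded check are this example's own choices.

```shell
#!/bin/sh
# Added example: FTP rules for a simple CentOS 7 iptables firewall script.
# Not part of the original mailing-list thread or of the GitHub template it links.
set -u

IFACE_LAN="${IFACE_LAN:-eth0}"   # assumed LAN interface name (set by the surrounding script)
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints the commands instead of executing them

# Run a privileged command, or just echo it when DRY_RUN=1, so the resulting
# rule set can be reviewed without root and without touching the live firewall.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_rules() {
    # 1. Load the FTP connection-tracking helper. nf_conntrack_ftp depends on
    #    nf_conntrack, so modprobe pulls the core module in by itself
    #    (ip_conntrack_ftp / ip_conntrack are aliases for the same modules).
    run modprobe nf_conntrack_ftp

    # 2. Bind the helper to the control port explicitly in the raw table.
    #    On CentOS 7's 3.10 kernel the helper is still assigned automatically,
    #    so this is redundant there, but newer kernels no longer do that
    #    (net.netfilter.nf_conntrack_helper=0) and need the explicit binding.
    run iptables -t raw -A PREROUTING -i "$IFACE_LAN" -p tcp --dport 21 \
        -j CT --helper ftp

    # 3. Accept packets of existing connections and connections the helper
    #    classified as RELATED: this is how the FTP data channel, which uses a
    #    high port the firewall cannot know in advance, gets through.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. Accept new control connections to port 21, but only from the LAN side.
    run iptables -A INPUT -i "$IFACE_LAN" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Make the helper load at boot. Either of the two options from the reply
# works; this one uses modules-load.d (the other is a
# IPTABLES_MODULES="nf_conntrack_ftp" line in /etc/sysconfig/iptables-config).
persist_helper() {
    run sh -c 'echo nf_conntrack_ftp > /etc/modules-load.d/nf_conntrack_ftp.conf'
}

# Quick check after applying: is the helper module actually loaded?
ftp_helper_loaded() {
    grep -q '^nf_conntrack_ftp ' /proc/modules 2>/dev/null
}

# Usage:  sh ftp-rules.sh apply            (as root, applies the rules)
#         DRY_RUN=1 sh ftp-rules.sh apply  (prints the rules only)
if [ "${1:-}" = "apply" ]; then
    ftp_rules
    persist_helper
    if ftp_helper_loaded; then
        echo "nf_conntrack_ftp is loaded"
    else
        echo "nf_conntrack_ftp is NOT loaded (expected in DRY_RUN mode)"
    fi
fi
```

The ESTABLISHED,RELATED rule is the part that replaces the bare port-21 rule from the Slackware script: without the helper and that rule, the control connection opens but every data transfer stalls, which is exactly the "can't connect" symptom once a client tries to list a directory.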