[CentOS] Vsftpd vs. iptables firewall script

Stephen John Smoogen smooge at gmail.com
Wed May 23 15:06:46 UTC 2018


On 23 May 2018 at 11:05, Stephen John Smoogen <smooge at gmail.com> wrote:
> On 23 May 2018 at 10:24, Nicolas Kovacs <info at microlinux.fr> wrote:
>> Hi,
>>
>> I'm currently setting up a local FTP server, to receive disk images sent
>> with G4L (Ghost4Linux).
>>
>> This server has been running Slackware Linux before, and the Vsftpd
>> setup was relatively simple.
>>
>> With CentOS things seem to be slightly different, so I'm currently
>> trying to work things out. For the moment, two things seem to be
>> creating problems, the simple iptables firewall and SELinux.
>>
>> When I disable the firewall and SELinux, Vsftp works as expected. So far
>> so good.
>>
>> Now let's tackle this one dragon at a time. First the firewall. I'm
>> starting with a very simple firewall script that looks somewhat like
>> this. I'm linking to the template, I won't copy/paste the whole thing here.
>>
>> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>>
>> Under Slackware, the iptables rule for a local FTP server looked like this:
>>
>>   modprobe ip_conntrack
>>   iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>>
>> I tried this, but to no avail. Can't connect to my server. I googled a
>> bit, and I found out that there seem to be quite many different answers
>> about the subject of "how do I configure my firewall for Vsftpd".
>>
>
> OK looking at this, try changing the script as follows:
>
> # Established connections
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # SSH
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT
>
> # FTP
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
>
>

I forgot to say why. The RELATED is used to say that it is ok that the
ftp extra ports are kept track of. Without it they are dropped as you
are seeing.

-- 
Stephen J Smoogen.
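As an added example (not code from the thread or from the linked script), here is a small shell function that emits the rule set the reply describes, including the FTP conntrack helper that makes the data connections show up as RELATED; `IFACE_LAN`, `IPT` and `MODPROBE` are assumed names, and `IPT` defaults to a dry-run `echo` so it can be tried without root.

```shell
#!/bin/sh
# Added example: iptables rules for a LAN-only vsftpd server with FTP connection tracking.
# IPT defaults to "echo iptables" (dry run); set IPT=/sbin/iptables to apply for real.
# IFACE_LAN is an assumed interface name, as in the thread's firewall script.

ftp_firewall_rules() {
    ipt="${IPT:-echo iptables}"
    iface="${IFACE_LAN:-eth0}"

    # Load the FTP helper so the kernel can parse PORT/PASV on the control channel
    # and mark the resulting data connections as RELATED.
    ${MODPROBE:-echo modprobe} nf_conntrack_ftp

    # Since kernel 4.7 helpers are no longer attached automatically; bind the FTP
    # helper explicitly to control-channel traffic in the raw table.
    $ipt -t raw -A PREROUTING -p tcp -i "$iface" --dport 21 -j CT --helper ftp

    # Accept replies and helper-tracked data connections. The state list must not
    # contain spaces: "RELATED, ESTABLISHED" is split by the shell into two arguments.
    $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # FTP control channel, from the LAN interface only.
    $ipt -A INPUT -p tcp -i "$iface" --dport 21 -j ACCEPT
}

# Sanity check over the dry-run output: no space in the state list, helper bound.
check_rules() {
    ftp_firewall_rules | grep -q 'RELATED, ESTABLISHED' && return 1
    ftp_firewall_rules | grep -q 'state RELATED,ESTABLISHED' || return 1
    ftp_firewall_rules | grep -q -- '--helper ftp' || return 1
    return 0
}
```

Run `check_rules` first, then `IPT=/sbin/iptables MODPROBE=/sbin/modprobe ftp_firewall_rules` as root to apply the rules.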


