[CentOS] Vsftpd vs. iptables firewall script
Nels Lindquist
nlindq at maei.ca
Fri May 25 20:04:08 UTC 2018
On 2018/05/23 8:24 AM, Nicolas Kovacs wrote:
> I'm currently setting up a local FTP server, to receive disk images
> sent with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the
> Vsftpd setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected.
> So far so good.
>
> Now let's tackle this one dragon at a time. First the firewall.
> I'm starting with a very simple firewall script that looks somewhat
> like this. I'm linking to the template, I won't copy/paste the
> whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked
> like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I
> googled a bit, and I found out that there seem to be quite many
> different answers about the subject of "how do I configure my
> firewall for Vsftpd".
The ip_conntrack module is necessary, but not sufficient for dynamic
FTP connection tracking.
If you instead load ip_conntrack_ftp, it will auto-load ip_conntrack.
(On a C7 server the modules are actually nf_conntrack_ftp and
nf_conntrack, but the ip_* names are aliases for them so either will
work.)
Oh, and to make the module configuration permanent, you can use either
the CentOS config file /etc/sysconfig/iptables-config (look for the
IPTABLES_MODULES line and its associated comments) or, on a systemd
box, /etc/modules-load.d/ (man modules-load.d for details).
-- 
Nels Lindquist <nlindq at maei.ca>
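A worked version of the two pieces of advice above (load the FTP helper, then make it permanent through IPTABLES_MODULES), as an added example that is not part of the original thread or of Nicolas's template script. It assumes a LAN interface called eth0 (override with LAN_IFACE=...), that the surrounding firewall script already sets the INPUT policy to DROP and allows SSH, and it adds an explicit CT --helper binding that the thread does not mention; the config-file path is a function parameter so the persistence step can be tried on a copy before touching /etc/sysconfig/iptables-config.

```shell
#!/bin/sh
# Added example, not from the thread: LAN-only vsftpd firewall rules for a
# CentOS 7 iptables script, plus the IPTABLES_MODULES persistence step.
# Assumptions (mine, not stated in the thread): the LAN interface name, and
# that the surrounding script already sets INPUT policy DROP and allows SSH.
set -eu

LAN_IFACE="${LAN_IFACE:-eth0}"   # assumed name; override via the environment

# Emit the rules instead of running them, so the set can be reviewed (or
# tested) without root. Pipe the output into "sh -e" to apply it.
vsftpd_fw_rules() {
    iface="$1"
    cat <<EOF
# nf_conntrack_ftp watches the control channel (port 21) and marks the data
# connections it announces as RELATED; loading it pulls in nf_conntrack.
modprobe nf_conntrack_ftp
# Belt and braces: bind the ftp helper to port 21 explicitly instead of
# relying on automatic helper assignment (which is what the thread relies on).
iptables -t raw -A PREROUTING -i ${iface} -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -i lo -j ACCEPT
# Without this line the helper is useless: passive-mode data connections
# arrive as RELATED, replies to active-mode connections from port 20 as ESTABLISHED.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# The control channel itself, LAN side only (the rule from the original post).
iptables -A INPUT -i ${iface} -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Persist the helper the CentOS way: add nf_conntrack_ftp to IPTABLES_MODULES
# in the given iptables-config file without clobbering modules already listed.
# Idempotent; prints the resulting module list.
persist_ftp_helper() {
    cfg="$1"
    current=$(sed -n 's/^IPTABLES_MODULES="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$cfg" | tail -n 1)
    case " $current " in
        *" nf_conntrack_ftp "*) ;;                                   # already there
        *) current=$(printf '%s %s' "$current" nf_conntrack_ftp | sed 's/^ //') ;;
    esac
    if grep -q '^IPTABLES_MODULES=' "$cfg"; then
        sed "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$current\"/" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf 'IPTABLES_MODULES="%s"\n' "$current" >> "$cfg"
    fi
    printf '%s\n' "$current"
}

# Usage: LAN_IFACE=eth0 sh vsftpd-fw.sh show|apply
case "${1:-show}" in
    show)  vsftpd_fw_rules "$LAN_IFACE" ;;
    apply) vsftpd_fw_rules "$LAN_IFACE" | sh -e
           persist_ftp_helper /etc/sysconfig/iptables-config ;;
esac
```

Run it with `show` to review the rule set, `apply` to load it and update the config file. The line worth noticing is the ESTABLISHED,RELATED accept: the helper only tags the data connection as RELATED, the script still has to accept it, which is why a lone `--dport 21` rule is not enough. For the modules-load.d route mentioned in the reply, a file under /etc/modules-load.d/ containing the single word nf_conntrack_ftp loads the helper at boot rather than at iptables service start.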