Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-25 Thread Nels Lindquist

On 2018/05/23 8:24 AM, Nicolas Kovacs wrote:

> I'm currently setting up a local FTP server, to receive disk images
> sent with G4L (Ghost4Linux).
> 
> This server has been running Slackware Linux before, and the
> Vsftpd setup was relatively simple.
> 
> With CentOS things seem to be slightly different, so I'm currently 
> trying to work things out. For the moment, two things seem to be 
> creating problems, the simple iptables firewall and SELinux.
> 
> When I disable the firewall and SELinux, Vsftp works as expected.
> So far so good.
> 
> Now let's tackle this one dragon at a time. First the firewall.
> I'm starting with a very simple firewall script that looks somewhat
> like this. I'm linking to the template, I won't copy/paste the
> whole thing here.
> 
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
> 
> Under Slackware, the iptables rule for a local FTP server looked
> like this:
> 
>   modprobe ip_conntrack
>   iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
> 
> I tried this, but to no avail. Can't connect to my server. I
> googled a bit, and I found out that there seem to be quite many
> different answers about the subject of "how do I configure my
> firewall for Vsftpd".

The ip_conntrack module is necessary, but not sufficient for dynamic
FTP connection tracking.

If you instead load ip_conntrack_ftp, it will auto-load ip_conntrack.
(On a C7 server the modules are actually nf_conntrack_ftp and
nf_conntrack, but the ip_* names are aliases for them so either will
work.)

Oh, and to make the module configuration permanent, you can use either
the CentOS config file at /etc/sysconfig/iptables-config (look for the
IPTABLES_MODULES line with associated comments) or on a systemd box you
have the option of /etc/modules-load.d/ (man modules-load.d for
details).

-- 
Nels Lindquist
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-25 Thread Nicolas Kovacs
On 23/05/2018 at 17:01, Pete Biggs wrote:
> FTP uses two ports - in active mode the server uses 21 for command and
> 20 for data after the initial connection. In passive mode it uses 21
> for command and a high random port number for data. What is happening
> is that you are blocking the high port number. (Yes, I know that's a
> gross simplification.)

I've updated the documentation on my blog:

https://blog.microlinux.fr/vsftpd-centos/

Cheers,

Niki

-- 
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tel. : 04 66 63 10 32


Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread m . roth
Nicolas Kovacs wrote:
> On 23/05/2018 at 16:58, m.r...@5-cent.us wrote:
>> A suggestion: once you've got the firewall issue dealt with, set selinux
>> into permissive mode; *then* you can figure out what it's complaining
>> about, while at the same time, your system will be available. Once you've
>> fixed those issues, then you can make it enforcing.
>
> This is always my approach. Turns out the solution was rather simple
> here. After switching SELinux to permissive mode and connecting to the
> server, I did this:
>
>   # sealert -a /var/log/audit/audit.log
>
> The problem here was that I got a small tsunami of suggestions. But in

ARGH! No. We get entries in /var/log/messages that tell you to run
sealert *with* a given number. I just highlight, copy and run that, not
try to read the whole audit log.

   mark
> the middle of this flood, I got a boolean to set, so on a hunch, I tried
> that:
>
>   # setsebool -P ftpd_full_access 1
>
> Turns out this solved all SELinux-related problems. So Vsftp works
> perfectly now with my custom Iptables firewall *and* SELinux in
> enforcing mode.
>
> Cheers & thanks for all your suggestions.
>
> Niki
>




Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread Nicolas Kovacs
On 23/05/2018 at 16:58, m.r...@5-cent.us wrote:
> A suggestion: once you've got the firewall issue dealt with, set selinux
> into permissive mode; *then* you can figure out what it's complaining
> about, while at the same time, your system will be available. Once you've
> fixed those issues, then you can make it enforcing.

This is always my approach. Turns out the solution was rather simple
here. After switching SELinux to permissive mode and connecting to the
server, I did this:

  # sealert -a /var/log/audit/audit.log

The problem here was that I got a small tsunami of suggestions. But in
the middle of this flood, I got a boolean to set, so on a hunch, I tried
that:

  # setsebool -P ftpd_full_access 1

Turns out this solved all SELinux-related problems. So Vsftp works
perfectly now with my custom Iptables firewall *and* SELinux in
enforcing mode.

Cheers & thanks for all your suggestions.

Niki



Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread Nicolas Kovacs
On 23/05/2018 at 17:01, Pete Biggs wrote:
> You could use active transfer and open port 20, or you could use
> passive, which is more "secure", and allow connections to high port
> numbers.
> 
> Search for active vs passive ftp for more info.

That helped, thanks.

I added the following to /etc/vsftpd/vsftpd.conf:

  pasv_enable=YES
  pasv_min_port=50001
  pasv_max_port=50010

My firewall script now has the following stanza for FTP:

  # FTP
  $MOD ip_conntrack_ftp
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 50001:50010 -j ACCEPT

So the firewall problem seems solved.

Cheers,

Niki
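An added example, not from the thread or from Niki's firewall script: a small sh helper that reads pasv_enable / pasv_min_port / pasv_max_port from a vsftpd.conf and prints the matching FTP stanza, so the range opened in the firewall cannot drift from the one vsftpd hands out. The $MOD, $IPT and $IFACE_LAN names are assumed from Niki's script, the RELATED,ESTABLISHED rule is the one Stephen pointed out, and the sample config is constructed.

```shell
#!/bin/sh
# Derive the FTP stanza of an iptables script from vsftpd.conf.
# The rules are printed, not applied: review them, then paste into the script.

# Read one "key=value" setting from a vsftpd.conf (last match wins, comments ignored).
vsftpd_get() {             # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print the FTP rules for interface $2 from the config in $1.
# Returns 1 and prints nothing if passive mode is off or the range is invalid.
ftp_rules_from_vsftpd() {  # $1 = config file, $2 = LAN interface (assumed name)
    conf=$1; iface=$2
    pasv=$(vsftpd_get "$conf" pasv_enable)
    lo=$(vsftpd_get "$conf" pasv_min_port)
    hi=$(vsftpd_get "$conf" pasv_max_port)
    case "$pasv" in YES|yes) ;; *) echo "pasv_enable is not YES" >&2; return 1;; esac
    for v in "$lo" "$hi"; do
        case "$v" in ''|*[!0-9]*) echo "pasv_min_port/pasv_max_port missing or not numeric" >&2; return 1;; esac
    done
    [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || {
        echo "invalid passive range $lo:$hi" >&2; return 1; }
    # Heredoc keeps $MOD/$IPT literal so the output drops straight into the script.
    cat <<EOF
# FTP (passive range taken from $conf)
\$MOD nf_conntrack_ftp
\$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
\$IPT -A INPUT -p tcp -i $iface --dport 21 -j ACCEPT
\$IPT -A INPUT -p tcp -i $iface --dport $lo:$hi -j ACCEPT
EOF
}

# Constructed sample config with the settings posted in the thread.
demo_conf=$(mktemp)
printf 'listen=YES\n# pasv_enable=NO\npasv_enable=YES\npasv_min_port=50001\npasv_max_port=50010\n' > "$demo_conf"
ftp_rules_from_vsftpd "$demo_conf" '$IFACE_LAN'
rm -f "$demo_conf"
```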


Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread m . roth
Nicolas Kovacs wrote:
> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm

A suggestion: once you've got the firewall issue dealt with, set selinux
into permissive mode; *then* you can figure out what it's complaining
about, while at the same time, your system will be available. Once you've
fixed those issues, then you can make it enforcing.

 mark



Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread m . roth
Nicolas Kovacs wrote:
> On 23/05/2018 at 16:36, Nux! wrote:
>> Try "iptables -I INPUT" for your FTP rule.
>
> Doesn't work. I redirected all my errors to /var/log/messages, so here's
> what I get when I try to connect Filezilla to that server.
>
> May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
> OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
> DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
> SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
>
> I'm clueless here.

Oh, hell, it just hit me: are you using C7? If so, start out by running
firewall-cmd --list-all

  mark



Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread Stephen John Smoogen
On 23 May 2018 at 11:05, Stephen John Smoogen  wrote:
> On 23 May 2018 at 10:24, Nicolas Kovacs  wrote:
>> Hi,
>>
>> I'm currently setting up a local FTP server, to receive disk images sent
>> with G4L (Ghost4Linux).
>>
>> This server has been running Slackware Linux before, and the Vsftpd
>> setup was relatively simple.
>>
>> With CentOS things seem to be slightly different, so I'm currently
>> trying to work things out. For the moment, two things seem to be
>> creating problems, the simple iptables firewall and SELinux.
>>
>> When I disable the firewall and SELinux, Vsftp works as expected. So far
>> so good.
>>
>> Now let's tackle this one dragon at a time. First the firewall. I'm
>> starting with a very simple firewall script that looks somewhat like
>> this. I'm linking to the template, I won't copy/paste the whole thing here.
>>
>> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>>
>> Under Slackware, the iptables rule for a local FTP server looked like this:
>>
>>   modprobe ip_conntrack
>>   iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>>
>> I tried this, but to no avail. Can't connect to my server. I googled a
>> bit, and I found out that there seem to be quite many different answers
>> about the subject of "how do I configure my firewall for Vsftpd".
>>
>
> OK looking at this, try changing the script as follows:
>
> # Established connections
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # SSH
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT
>
> # FTP
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
>
>

I forgot to say why. The RELATED is used to say that it is ok that the
ftp extra ports are kept track of. Without it they are dropped as you
are seeing.

-- 
Stephen J Smoogen.


Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread Stephen John Smoogen
On 23 May 2018 at 10:24, Nicolas Kovacs  wrote:
> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm
> starting with a very simple firewall script that looks somewhat like
> this. I'm linking to the template, I won't copy/paste the whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked like this:
>
>   modprobe ip_conntrack
>   iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
>

OK looking at this, try changing the script as follows:

# Established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT

# FTP
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT



> Any suggestions ?
>
> Niki
>





Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread Pete Biggs

> Doesn't work. I redirected all my errors to /var/log/messages, so here's
> what I get when I try to connect Filezilla to that server.
> 
> May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
> OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
> DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
> SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
> 

FTP uses two ports - in active mode the server uses 21 for command and
20 for data after the initial connection. In passive mode it uses 21
for command and a high random port number for data. What is happening
is that you are blocking the high port number. (Yes, I know that's a
gross simplification.)

You could use active transfer and open port 20, or you could use
passive, which is more "secure", and allow connections to high port
numbers.

Search for active vs passive ftp for more info.

P.

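An added example, not part of the thread: a small sh classifier for the "+++ IPv4 packet rejected +++" kernel LOG lines like the one Niki posted, which tells whether the dropped SYN was aimed at the FTP control port, at a port inside a configured passive range, or at a high port outside it (Niki's case, DPT=38714 with no range opened). The first sample line is the one from the thread, the second is constructed.

```shell
#!/bin/sh
# Classify netfilter LOG lines for an FTP server behind a custom iptables script.

# Extract one KEY=value field from a LOG line (prints nothing if absent).
nf_field() {             # $1 = log line, $2 = field name (SRC, DST, DPT, ...)
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Print one of: control, passive-data, outside-pasv-range, not-tcp-syn, unrelated
classify_ftp_reject() {  # $1 = log line, $2 = pasv_min_port, $3 = pasv_max_port
    case "$1" in *"IPv4 packet rejected"*) ;; *) echo unrelated; return;; esac
    proto=$(nf_field "$1" PROTO)
    dpt=$(nf_field "$1" DPT)
    # Only TCP SYNs matter here: a new connection attempt that the firewall refused.
    case "$proto:$1" in TCP:*" SYN "*) ;; *) echo not-tcp-syn; return;; esac
    case "$dpt" in ''|*[!0-9]*) echo unrelated; return;; esac
    if [ "$dpt" = 21 ]; then
        echo control              # port 21 itself is blocked
    elif [ "$dpt" -ge "$2" ] && [ "$dpt" -le "$3" ]; then
        echo passive-data         # inside the range vsftpd and the firewall agree on
    elif [ "$dpt" -ge 1024 ]; then
        echo outside-pasv-range   # high port the client was told to use, but not opened
    else
        echo unrelated
    fi
}

# Sample input: the line from the thread, plus one constructed line inside the range.
LOG1='May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0'
LOG2='May 23 17:02:11 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= SRC=192.168.2.2 DST=192.168.2.12 LEN=60 PROTO=TCP SPT=51480 DPT=50003 WINDOW=29200 RES=0x00 SYN URGP=0'
for l in "$LOG1" "$LOG2"; do
    printf '%s -> %s:%s  %s\n' "$(nf_field "$l" SRC)" "$(nf_field "$l" DST)" \
        "$(nf_field "$l" DPT)" "$(classify_ftp_reject "$l" 50001 50010)"
done
```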


Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread Nicolas Kovacs
On 23/05/2018 at 16:36, Nux! wrote:
> Try "iptables -I INPUT" for your FTP rule.

Doesn't work. I redirected all my errors to /var/log/messages, so here's
what I get when I try to connect Filezilla to that server.

May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0

I'm clueless here.



Re: [CentOS] Vsftpd vs. iptables firewall script

2018-05-23 Thread Nux!
Hi,

Try "iptables -I INPUT" for your FTP rule.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Nicolas Kovacs" 
> To: "CentOS mailing list" 
> Sent: Wednesday, 23 May, 2018 15:24:45
> Subject: [CentOS] Vsftpd vs. iptables firewall script

> Hi,
> 
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
> 
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
> 
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
> 
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
> 
> Now let's tackle this one dragon at a time. First the firewall. I'm
> starting with a very simple firewall script that looks somewhat like
> this. I'm linking to the template, I won't copy/paste the whole thing here.
> 
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
> 
> Under Slackware, the iptables rule for a local FTP server looked like this:
> 
>  modprobe ip_conntrack
>  iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
> 
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
> 
> Any suggestions ?
> 
> Niki
> 