Re: [CentOS] Vsftpd vs. iptables firewall script
On 2018/05/23 8:24 AM, Nicolas Kovacs wrote:
> I'm currently setting up a local FTP server, to receive disk images
> sent with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the
> Vsftpd setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected.
> So far so good.
>
> Now let's tackle this one dragon at a time. First the firewall.
> I'm starting with a very simple firewall script that looks somewhat
> like this. I'm linking to the template, I won't copy/paste the
> whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked
> like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I
> googled a bit, and I found out that there seem to be quite many
> different answers about the subject of "how do I configure my
> firewall for Vsftpd".

The ip_conntrack module is necessary, but not sufficient for dynamic FTP connection tracking. If you instead load ip_conntrack_ftp, it will auto-load ip_conntrack. (On a C7 server the modules are actually nf_conntrack_ftp and nf_conntrack, but the ip_* names are aliases for them so either will work.)

Oh, and to make the module configuration permanent, you can use either the CentOS config file at /etc/sysconfig/iptables-config (look for the IPTABLES_MODULES line with associated comments) or on a systemd box you have the option of /etc/modules-load.d/ (man modules-load.d for details).

- Nels Lindquist

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Vsftpd vs. iptables firewall script
On 23/05/2018 at 17:01, Pete Biggs wrote:
> FTP uses two ports - in active mode the server uses 21 for command and
> 20 for data after the initial connection. In passive mode it uses 21
> for command and a high random port number for data. What is happening
> is that you are blocking the high port number. (Yes, I know that's a
> gross simplification.)

I've updated the documentation on my blog:

https://blog.microlinux.fr/vsftpd-centos/

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: i...@microlinux.fr
Tel.: 04 66 63 10 32
Re: [CentOS] Vsftpd vs. iptables firewall script
Nicolas Kovacs wrote:
> On 23/05/2018 at 16:58, m.r...@5-cent.us wrote:
>> A suggestion: once you've got the firewall issue dealt with, set selinux
>> into permissive mode; *then* you can figure out what it's complaining
>> about, while at the same time, your system will be available. Once
>> you've fixed those issues, then you can make it enforcing.
>
> This is always my approach. Turns out the solution was rather simple
> here. After switching SELinux to permissive mode and connecting to the
> server, I did this:
>
> # sealert -a /var/log/audit/audit.log
>
> The problem here was that I got a small tsunami of suggestions. But in

ARGH! No. We get entries in /var/log/messages that tell you to run sealert *with* a given number. I just highlight, copy and run that, not try to read the whole audit log.

mark

> the middle of this flood, I got a boolean to set, so on a hunch, I tried
> that:
>
> # setsebool -P ftpd_full_access 1
>
> Turns out this solved all SELinux-related problems. So Vsftp works
> perfectly now with my custom Iptables firewall *and* SELinux in
> enforcing mode.
>
> Cheers & thanks for all your suggestions.
>
> Niki
Re: [CentOS] Vsftpd vs. iptables firewall script
On 23/05/2018 at 16:58, m.r...@5-cent.us wrote:
> A suggestion: once you've got the firewall issue dealt with, set selinux
> into permissive mode; *then* you can figure out what it's complaining
> about, while at the same time, your system will be available. Once you've
> fixed those issues, then you can make it enforcing.

This is always my approach. Turns out the solution was rather simple here. After switching SELinux to permissive mode and connecting to the server, I did this:

# sealert -a /var/log/audit/audit.log

The problem here was that I got a small tsunami of suggestions. But in the middle of this flood, I got a boolean to set, so on a hunch, I tried that:

# setsebool -P ftpd_full_access 1

Turns out this solved all SELinux-related problems. So Vsftp works perfectly now with my custom Iptables firewall *and* SELinux in enforcing mode.

Cheers & thanks for all your suggestions.

Niki
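Mark's objection above (and Niki's `sealert -a` run it replies to) can be turned into a small script. The following is an added example, not code from the thread: instead of reading the whole audit log, it pulls the "sealert -l <id>" hints that setroubleshoot writes to /var/log/messages, optionally filtered to one process, and prints the commands to run. The function names `sealert_ids` and `sealert_cmds` are mine; the sample log lines are constructed and the alert IDs in them are placeholders, not real alert IDs.

```shell
#!/bin/sh
# Added example, not code from the thread. Extract distinct "sealert -l <id>"
# hints from a messages log so each SELinux alert is reviewed once, with its
# own (usually narrower) suggestion, before any boolean is flipped.

# Usage: sealert_ids /var/log/messages [process-name]
# Prints each distinct alert ID once, in order of first appearance.
sealert_ids() {
    log=$1
    proc=${2:-}
    grep 'sealert -l ' "$log" \
        | { if [ -n "$proc" ]; then grep "preventing .*$proc"; else cat; fi; } \
        | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p' \
        | awk '!seen[$0]++'
}

# Usage: sealert_cmds /var/log/messages [process-name]
# Same, but as ready-to-run commands, one per distinct alert.
sealert_cmds() {
    sealert_ids "$@" | sed 's/^/sealert -l /'
}

# Constructed sample of what setroubleshoot logs to /var/log/messages
# (placeholder IDs; the same vsftpd alert is repeated once on purpose).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
May 23 17:10:41 c7-server setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from write access on the directory /srv/ftp/incoming. For complete SELinux messages run: sealert -l 11111111-2222-3333-4444-555555555555
May 23 17:10:41 c7-server setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from create access on the file g4l-image.img. For complete SELinux messages run: sealert -l aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
May 23 17:10:43 c7-server setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from write access on the directory /srv/ftp/incoming. For complete SELinux messages run: sealert -l 11111111-2222-3333-4444-555555555555
May 23 17:11:02 c7-server setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3306. For complete SELinux messages run: sealert -l 99999999-8888-7777-6666-555555555555
EOF

# Only the vsftpd alerts, deduplicated: two commands for three log lines.
sealert_cmds "$SAMPLE_LOG" vsftpd
```

On a real box replace `$SAMPLE_LOG` with /var/log/messages. Running each `sealert -l` report individually shows what setroubleshoot proposes for that one denial, which is worth reading before reaching for a broad boolean such as ftpd_full_access.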
Re: [CentOS] Vsftpd vs. iptables firewall script
On 23/05/2018 at 17:01, Pete Biggs wrote:
> You could use active transfer and open port 20, or you could use
> passive, which is more "secure", and allow connections to high port
> numbers.
>
> Search for active vs passive ftp for more info.

That helped, thanks. I added the following to /etc/vsftpd/vsftpd.conf:

pasv_enable=YES
pasv_min_port=50001
pasv_max_port=50010

My firewall script now has the following stanza for FTP:

# FTP
$MOD ip_conntrack_ftp
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 50001:50010 -j ACCEPT

So the firewall problem seems solved.

Cheers,

Niki
Re: [CentOS] Vsftpd vs. iptables firewall script
Nicolas Kovacs wrote:
> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm

A suggestion: once you've got the firewall issue dealt with, set selinux into permissive mode; *then* you can figure out what it's complaining about, while at the same time, your system will be available. Once you've fixed those issues, then you can make it enforcing.

mark
Re: [CentOS] Vsftpd vs. iptables firewall script
Nicolas Kovacs wrote:
> On 23/05/2018 at 16:36, Nux! wrote:
>> Try "iptables -I INPUT" for your FTP rule.
>
> Doesn't work. I redirected all my errors to /var/log/messages, so here's
> what I get when I try to connect Filezilla to that server.
>
> May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
>
> I'm clueless here.

Oh, hell, it just hit me: are you using C7? If so, start out by running

firewall-cmd --list-all

mark
Re: [CentOS] Vsftpd vs. iptables firewall script
On 23 May 2018 at 11:05, Stephen John Smoogen wrote:
> On 23 May 2018 at 10:24, Nicolas Kovacs wrote:
>> Hi,
>>
>> I'm currently setting up a local FTP server, to receive disk images sent
>> with G4L (Ghost4Linux).
>>
>> This server has been running Slackware Linux before, and the Vsftpd
>> setup was relatively simple.
>>
>> With CentOS things seem to be slightly different, so I'm currently
>> trying to work things out. For the moment, two things seem to be
>> creating problems, the simple iptables firewall and SELinux.
>>
>> When I disable the firewall and SELinux, Vsftp works as expected. So far
>> so good.
>>
>> Now let's tackle this one dragon at a time. First the firewall. I'm
>> starting with a very simple firewall script that looks somewhat like
>> this. I'm linking to the template, I won't copy/paste the whole thing here.
>>
>> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>>
>> Under Slackware, the iptables rule for a local FTP server looked like this:
>>
>> modprobe ip_conntrack
>> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>>
>> I tried this, but to no avail. Can't connect to my server. I googled a
>> bit, and I found out that there seem to be quite many different answers
>> about the subject of "how do I configure my firewall for Vsftpd".
>>
>
> OK looking at this, try changing the script as follows:
>
> # Established connections
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # SSH
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT
>
> # FTP
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>

I forgot to say why. The RELATED is used to say that it is ok that the ftp extra ports are kept track of. Without it they are dropped as you are seeing.

--
Stephen J Smoogen.
Re: [CentOS] Vsftpd vs. iptables firewall script
On 23 May 2018 at 10:24, Nicolas Kovacs wrote:
> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm
> starting with a very simple firewall script that looks somewhat like
> this. I'm linking to the template, I won't copy/paste the whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
>

OK looking at this, try changing the script as follows:

# Established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT

# FTP
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT

> Any suggestions ?
>
> Niki

--
Stephen J Smoogen.
Re: [CentOS] Vsftpd vs. iptables firewall script
> Doesn't work. I redirected all my errors to /var/log/messages, so here's
> what I get when I try to connect Filezilla to that server.
>
> May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
>

FTP uses two ports - in active mode the server uses 21 for command and 20 for data after the initial connection. In passive mode it uses 21 for command and a high random port number for data. What is happening is that you are blocking the high port number. (Yes, I know that's a gross simplification.)

You could use active transfer and open port 20, or you could use passive, which is more "secure", and allow connections to high port numbers.

Search for active vs passive ftp for more info.

P.
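Three messages in this thread together give the working recipe: Stephen's RELATED,ESTABLISHED rule, Nels's conntrack helper module, and the fixed passive range Niki put in vsftpd.conf and opened in the firewall. The script below is an added example, not the thread's code and not Niki's firewall script: it generates that FTP stanza from vsftpd.conf so the range the firewall opens is always the range vsftpd actually hands out, and it puts the RELATED,ESTABLISHED rule ahead of the per-port rules. The function names `pasv_range` and `ftp_rules` and the variable `SAMPLE_CONF` are mine; the sample vsftpd.conf is constructed (with Niki's 50001:50010 range); the interface name follows the `IN=enp0s3` in the rejected-packet log above.

```shell
#!/bin/sh
# Added example, not code from the thread. Derive the iptables FTP stanza
# from vsftpd.conf so the passive port range in the firewall cannot drift
# from the one vsftpd advertises in its PASV replies.

# Usage: pasv_range /etc/vsftpd/vsftpd.conf
# Prints "min:max" from pasv_min_port/pasv_max_port (last occurrence wins,
# as with vsftpd itself). Fails when a key is missing or the range is inverted.
pasv_range() {
    conf=$1
    min=$(sed -n 's/^pasv_min_port=//p' "$conf" | tail -n 1)
    max=$(sed -n 's/^pasv_max_port=//p' "$conf" | tail -n 1)
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -le "$max" ] || return 1
    printf '%s:%s\n' "$min" "$max"
}

# Usage: ftp_rules /etc/vsftpd/vsftpd.conf enp0s3 [iptables-binary]
# Prints the rules for a passive-mode FTP server reachable on the LAN side.
ftp_rules() {
    conf=$1
    iface=$2
    ipt=${3:-iptables}
    range=$(pasv_range "$conf") || {
        echo "ftp_rules: no usable pasv_min_port/pasv_max_port in $conf" >&2
        return 1
    }
    cat <<EOF
# FTP: helper so the data connection is tracked as RELATED to the control one
modprobe nf_conntrack_ftp
# Must precede any REJECT/DROP rule, or the data SYN is the "packet rejected" you log
$ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A INPUT -p tcp -i $iface --dport 21 -j ACCEPT
# Passive data range, read from $conf
$ipt -A INPUT -p tcp -i $iface --dport $range -j ACCEPT
EOF
}

# Constructed sample vsftpd.conf with the range chosen in the thread.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=50001
pasv_max_port=50010
EOF

# Print the generated stanza; pipe it into the firewall script, or eval it as root.
ftp_rules "$SAMPLE_CONF" enp0s3
```

Two points worth knowing when reusing this. With the helper loaded, conntrack classifies the passive data connection as RELATED by watching the PASV reply on port 21, so the explicit range rule is a belt-and-braces measure that also covers the case where the helper cannot read the control channel (FTP over TLS, or a newer kernel where helper auto-assignment is off and `net.netfilter.nf_conntrack_helper` is 0). And `-m state --state` is the older spelling of `-m conntrack --ctstate`; both are accepted on CentOS 7, and the script keeps the form used in the thread.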
Re: [CentOS] Vsftpd vs. iptables firewall script
On 23/05/2018 at 16:36, Nux! wrote:
> Try "iptables -I INPUT" for your FTP rule.

Doesn't work. I redirected all my errors to /var/log/messages, so here's what I get when I try to connect Filezilla to that server.

May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0

I'm clueless here.
Re: [CentOS] Vsftpd vs. iptables firewall script
Hi,

Try "iptables -I INPUT" for your FTP rule.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

- Original Message -
> From: "Nicolas Kovacs"
> To: "CentOS mailing list"
> Sent: Wednesday, 23 May, 2018 15:24:45
> Subject: [CentOS] Vsftpd vs. iptables firewall script

> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm
> starting with a very simple firewall script that looks somewhat like
> this. I'm linking to the template, I won't copy/paste the whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
>
> Any suggestions ?
>
> Niki