I'm having a heck of a time getting vsftpd to work properly. When Iptables are
OFF, it works fine, and when iptables is on, it dies. When I try ftp from a
command line, here's what the session looks like:

[root at mylaptop ~]# ftp ftp.server.com
Connected to ftp.server.com.
220 Welcome to My Company FTP
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.server.com:root): northwind
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (66,81,89,182,135,169)
ftp: connect: No route to host
ftp>

But, what am I doing wrong, here!?!?! Sample from
/etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.

############################################
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
############################################

Lastly, here's a typical log rejection notice from /var/log/messages

Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT=
MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP
LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729
WINDOW=5840 RES=0x00 SYN URGP=0

What am I missing?

-Ben
--
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
On 2/15/06, Benjamin Smith <lists at benjamindsmith.com> wrote:
> I'm having a heck of a time getting vsftpd to work properly. When Iptables are
> OFF, it works fine, and when iptables is on, it dies. When I try ftp from a
> command line, here's what the session looks like:
>
> [root at mylaptop ~]# ftp ftp.server.com
> Connected to ftp.server.com.
> 220 Welcome to My Company FTP
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (ftp.server.com:root): northwind
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
> ftp>

FTP uses two TCP connections 21 and 20. If the kernel has connection
tracking on this is fairly easy. I don't know the details offhand, or if
the kernel supports connection tracking, as I use ssh/scp/sftp exclusively.
I know you need to load the ip_conntrack_ftp module. If you google you
should find the rest of the information you need.

> But, what am I doing wrong, here!?!?! Sample from
> /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.
> ############################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -j LOG
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> ############################################
>
> Lastly, here's a typical log rejection notice from /var/log/messages
> Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT=
> MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP
> LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> What am I missing?
>
> -Ben
> --
> "The best way to predict the future is to invent it."
> - XEROX PARC slogan, circa 1978

--
Leonard Isham, CISSP
Ostendo non ostento.
On Wed, 2006-02-15 at 16:43 -0800, Benjamin Smith wrote:
> I'm having a heck of a time getting vsftpd to work properly. When Iptables are
> OFF, it works fine, and when iptables is on, it dies. When I try ftp from a
> command line, here's what the session looks like:
>
> [root at mylaptop ~]# ftp ftp.server.com
> Connected to ftp.server.com.
> 220 Welcome to My Company FTP
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (ftp.server.com:root): northwind
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
> ftp>
>
> But, what am I doing wrong, here!?!?! Sample from
> /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.
> ############################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -j LOG
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> ############################################
>
> Lastly, here's a typical log rejection notice from /var/log/messages
> Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT=
> MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP
> LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> What am I missing?
----
ip_conntrack_ftp

you could modprobe it or you could do some learning about netfilter
(iptables) - A super place to start is here...

http://www.ecst.csuchico.edu/~dranch/LINUX/ipmasq/c-html/firewall-examples.html#RC.FIREWALL-IPTABLES

Craig
On Thu, 16.02.2006 at 1:43, Benjamin Smith wrote:
> I'm having a heck of a time getting vsftpd to work properly. When Iptables are
> OFF, it works fine, and when iptables is on, it dies. When I try ftp from a
> command line, here's what the session looks like:
>
> [root at mylaptop ~]# ftp ftp.server.com
> Connected to ftp.server.com.
> 220 Welcome to My Company FTP
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (ftp.server.com:root): northwind
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
> ftp>

Once, beside the control connection, the additional data connection is to
be established (for listing dir content), your client, configured to use
passive FTP, sends the PASV command to the server, which then opens a
connection from a random high port (here 32877) to a high port on your
client host (here 34729 = 135*256+169).

> But, what am I doing wrong, here!?!?! Sample from
> /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.
> ############################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -j LOG
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> ############################################

Your iptables ruleset blocks state NEW connections other than the
explicitly accepted ones - thus the above-described connection from the
server to your client host to port 34729 is blocked. iptables needs a
helper to recognize this FTP data connection in passive mode as related to
the already established control connection: ip_conntrack_ftp.

> Lastly, here's a typical log rejection notice from /var/log/messages
> Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT=
> MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP
> LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> What am I missing?
>
> -Ben

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 03:21:02 up 5 days, 12:12, load average: 0.96, 1.03, 0.88
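The mechanism the replies describe, as an added example that is not code from the thread, from vsftpd or from netfilter: a small Python model of the RH-Firewall-1-INPUT chain Ben posted. It decodes the 227 reply into 66.81.89.182 port 34729 (135*256+169), parses the packet the server logged (SRC=$MYHOUSEIP, DST=$SERVERIP, DPT=34729, a bare SYN) and walks the rules top to bottom. Without ip_conntrack_ftp the SYN is NEW, falls past the ESTABLISHED,RELATED rule, hits LOG and then REJECT with icmp-host-prohibited, which is exactly the "No route to host" the client printed. With the helper loaded, which has seen the 227 reply on the tracked control connection, the same SYN is RELATED and is accepted by the existing state rule. The conntrack part is the assumption here: real netfilter tracks every flow and parses the FTP dialogue, while this only models the single expectation the helper would register; the $VARIABLE placeholders are compared as literal strings.

```python
"""Why the posted ruleset rejects the passive-mode FTP data connection.

Constructed model of the RH-Firewall-1-INPUT chain from the original post,
fed the 227 reply and the kernel LOG line quoted there. It is not iptables:
only the matches those rules use (-i, -p, -s, --dport, -m state, -j) are
modelled, and the $VARIABLE placeholders are treated as literal addresses.
"""
import re

# Quoted from the thread: the server's PASV reply and the packet the server
# logged right before rejecting it ($MYHOUSEIP = client, $SERVERIP = vsftpd).
PASV_REPLY = "227 Entering Passive Mode (66,81,89,182,135,169)"
LOG_LINE = (
    "Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT= "
    "MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729 "
    "WINDOW=5840 RES=0x00 SYN URGP=0"
)
RULESET = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# The kernel LOG target prints protocol names; map the -p values used above.
PROTO_NAMES = {"tcp": "TCP", "udp": "UDP", "icmp": "ICMP", "50": "ESP", "51": "AH"}


def parse_pasv(reply):
    """Decode a 227 reply: (h1,h2,h3,h4,p1,p2) -> ('h1.h2.h3.h4', p1*256 + p2)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_log(line):
    """Turn a netfilter LOG line into a dict; bare tokens (DF, SYN) become flags."""
    pkt = {"flags": set()}
    for tok in line.split("kernel: ", 1)[1].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            pkt[key] = val
        else:
            pkt["flags"].add(tok)
    return pkt


def parse_rules(text):
    """Parse '-A <chain> ...' lines; every option in this ruleset takes one argument."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        rule = dict(zip(toks[0::2], toks[1::2]))
        if "--state" in rule:
            rule["--state"] = set(rule["--state"].split(","))
        rules.append(rule)
    return rules


def conntrack_state(pkt, expected_ports, ftp_helper_loaded):
    """State the '-m state' match sees: a bare SYN is NEW, unless ip_conntrack_ftp
    saw the 227 reply on the control connection and expects a data connection
    on that port, in which case the very same SYN is RELATED."""
    if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        if ftp_helper_loaded and int(pkt["DPT"]) in expected_ports:
            return "RELATED"
        return "NEW"
    return "ESTABLISHED"


def rule_matches(rule, pkt, state):
    """Apply the matches a rule carries; an absent option matches anything."""
    checks = (
        ("-i", lambda v: v == pkt["IN"]),
        ("-p", lambda v: PROTO_NAMES.get(v, v.upper()) == pkt["PROTO"]),
        ("-s", lambda v: v == pkt["SRC"]),  # placeholders: exact string compare
        ("--dport", lambda v: v == pkt.get("DPT")),
        ("--state", lambda v: state in v),
    )
    return all(test(rule[opt]) for opt, test in checks if opt in rule)


def evaluate(rules, pkt, state):
    """Walk the chain in order; LOG is non-terminating. Returns (verdict, logged)."""
    logged = False
    for rule in rules:
        if not rule_matches(rule, pkt, state):
            continue
        if rule["-j"] == "LOG":
            logged = True
            continue
        return rule["-j"], logged
    return "POLICY", logged


def verdict_for_logged_packet(ftp_helper_loaded):
    """Decide the quoted SYN with or without the helper: (state, verdict, logged)."""
    _, pasv_port = parse_pasv(PASV_REPLY)
    pkt = parse_log(LOG_LINE)
    state = conntrack_state(pkt, {pasv_port}, ftp_helper_loaded)
    verdict, logged = evaluate(parse_rules(RULESET), pkt, state)
    return state, verdict, logged
```

Calling verdict_for_logged_packet(False) gives ('NEW', 'REJECT', True) and verdict_for_logged_packet(True) gives ('RELATED', 'ACCEPT', False). The point for the defender is in the second result: with the helper, the only extra port that gets through is the one the server itself announced in its 227 reply, and only from the peer of that control connection, so the ruleset keeps its default-deny posture instead of needing a blanket ACCEPT for a high-port range.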
Benjamin Smith wrote:
> I'm having a heck of a time getting vsftpd to work properly. When Iptables are
> OFF, it works fine, and when iptables is on, it dies. When I try ftp from a
> command line, here's what the session looks like:
>
> [root at mylaptop ~]# ftp ftp.server.com
> Connected to ftp.server.com.
> 220 Welcome to My Company FTP
> 530 Please login with USER and PASS.
> 530 Please login with USER and PASS.
> KERBEROS_V4 rejected as an authentication type
> Name (ftp.server.com:root): northwind
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (66,81,89,182,135,169)
> ftp: connect: No route to host
> ftp>
>
> But, what am I doing wrong, here!?!?! Sample from
> /etc/sysconfig/iptables, with the IP addresses changed to $VARIABLES.
> ############################################
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 21 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 1984 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $MYHOUSEIP --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -s $LOCALNETWORK/28 --dport 62000 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -j LOG
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> ############################################
>
> Lastly, here's a typical log rejection notice from /var/log/messages
> Feb 15 19:23:32 atreyu kernel: IN=eth0 OUT=
> MAC=00:e0:81:2f:7c:22:00:b0:c2:88:9d:4d:08:00 SRC=$MYHOUSEIP DST=$SERVERIP
> LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=20932 DF PROTO=TCP SPT=32877 DPT=34729
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> What am I missing?
>
> -Ben

Ben,

simply modify one of the first lines of /etc/sysconfig/iptables-config to read

IPTABLES_MODULES="ip_conntrack_ftp"

and restart iptables.

HTH,
Kay