Hi,

I'm currently setting up a local FTP server, to receive disk images sent with G4L (Ghost4Linux).

This server has been running Slackware Linux before, and the Vsftpd setup was relatively simple.

With CentOS things seem to be slightly different, so I'm currently trying to work things out. For the moment, two things seem to be creating problems, the simple iptables firewall and SELinux.

When I disable the firewall and SELinux, Vsftp works as expected. So far so good.

Now let's tackle this one dragon at a time. First the firewall. I'm starting with a very simple firewall script that looks somewhat like this. I'm linking to the template, I won't copy/paste the whole thing here.

https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh

Under Slackware, the iptables rule for a local FTP server looked like this:

modprobe ip_conntrack
iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT

I tried this, but to no avail. Can't connect to my server. I googled a bit, and I found out that there seem to be quite many different answers about the subject of "how do I configure my firewall for Vsftpd".

Any suggestions ?

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Hi,

Try "iptables -I INPUT" for your FTP rule.

-- 
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nicolas Kovacs" <info at microlinux.fr>
> To: "CentOS mailing list" <centos at centos.org>
> Sent: Wednesday, 23 May, 2018 15:24:45
> Subject: [CentOS] Vsftpd vs. iptables firewall script
>
> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm
> starting with a very simple firewall script that looks somewhat like
> this. I'm linking to the template, I won't copy/paste the whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
>
> Any suggestions ?
>
> Niki
>
> -- 
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 23/05/2018 at 16:36, Nux! wrote:
> Try "iptables -I INPUT" for your FTP rule.

Doesn't work. I redirected all my errors to /var/log/messages, so here's what I get when I try to connect Filezilla to that server.

May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0

I'm clueless here.

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Nicolas Kovacs wrote:
> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm
<snip>

A suggestion: once you've got the firewall issue dealt with, set selinux into permissive mode; *then* you can figure out what it's complaining about, while at the same time, your system will be available. Once you've fixed those issues, then you can make it enforcing.

mark
On 23 May 2018 at 10:24, Nicolas Kovacs <info at microlinux.fr> wrote:
> Hi,
>
> I'm currently setting up a local FTP server, to receive disk images sent
> with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the Vsftpd
> setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected. So far
> so good.
>
> Now let's tackle this one dragon at a time. First the firewall. I'm
> starting with a very simple firewall script that looks somewhat like
> this. I'm linking to the template, I won't copy/paste the whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
>

OK looking at this, try changing the script as follows:

# Established connections
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT

# FTP
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT

> Any suggestions ?
>
> Niki
>
> -- 
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Blog : https://blog.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32

-- 
Stephen J Smoogen.
On 23 May 2018 at 11:05, Stephen John Smoogen <smooge at gmail.com> wrote:
> On 23 May 2018 at 10:24, Nicolas Kovacs <info at microlinux.fr> wrote:
>> Hi,
>>
>> I'm currently setting up a local FTP server, to receive disk images sent
>> with G4L (Ghost4Linux).
>>
>> This server has been running Slackware Linux before, and the Vsftpd
>> setup was relatively simple.
>>
>> With CentOS things seem to be slightly different, so I'm currently
>> trying to work things out. For the moment, two things seem to be
>> creating problems, the simple iptables firewall and SELinux.
>>
>> When I disable the firewall and SELinux, Vsftp works as expected. So far
>> so good.
>>
>> Now let's tackle this one dragon at a time. First the firewall. I'm
>> starting with a very simple firewall script that looks somewhat like
>> this. I'm linking to the template, I won't copy/paste the whole thing here.
>>
>> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>>
>> Under Slackware, the iptables rule for a local FTP server looked like this:
>>
>> modprobe ip_conntrack
>> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>>
>> I tried this, but to no avail. Can't connect to my server. I googled a
>> bit, and I found out that there seem to be quite many different answers
>> about the subject of "how do I configure my firewall for Vsftpd".
>>
>
> OK looking at this, try changing the script as follows:
>
> # Established connections
> $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> # SSH
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT
>
> # FTP
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
>

I forgot to say why. The RELATED is used to say that it is ok that the ftp extra ports are kept track of. Without it they are dropped as you are seeing.

-- 
Stephen J Smoogen.
On 23/05/2018 at 16:58, m.roth at 5-cent.us wrote:
> A suggestion: once you've got the firewall issue dealt with, set selinux
> into permissive mode; *then* you can figure out what it's complaining
> about, while at the same time, your system will be available. Once you've
> fixed those issues, then you can make it enforcing.

This is always my approach. Turns out the solution was rather simple here. After switching SELinux to permissive mode and connecting to the server, I did this:

# sealert -a /var/log/audit/audit.log

The problem here was that I got a small tsunami of suggestions. But in the middle of this flood, I got a boolean to set, so on a hunch, I tried that:

# setsebool -P ftpd_full_access 1

Turns out this solved all SELinux-related problems. So Vsftp works perfectly now with my custom Iptables firewall *and* SELinux in enforcing mode.

Cheers & thanks for all your suggestions.

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
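The thread's fix, `ftpd_full_access`, lets the `ftpd_t` domain read and write any file DAC permits, which is more than an image drop box needs. Before reaching for it, it is worth reading the actual AVC denials to see which type vsftpd was blocked on, because a narrower boolean (`ftp_home_dir` for home directories, `ftpd_anon_write` with directories labelled `public_content_rw_t`) often covers the case. The script below is an added example, not something posted in the thread: the two audit lines are constructed for the example, and the boolean mapping in `suggest_boolean` is an illustrative heuristic, not an exhaustive table.

```shell
#!/bin/bash
# Added example (not from the thread): pull the essentials out of SELinux
# AVC denials for vsftpd without sealert, so the fix can be chosen
# deliberately rather than by taking the broadest suggestion.
set -u

# Two audit.log lines, constructed for this example: vsftpd (ftpd_t)
# denied write on a directory and read on a file, both labelled
# user_home_t, while the box was in permissive mode (permissive=1).
AVC_SAMPLE='type=AVC msg=audit(1527086938.123:456): avc:  denied  { write } for  pid=1234 comm="vsftpd" name="images" dev="sda1" ino=1234 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1527086940.456:457): avc:  denied  { read } for  pid=1234 comm="vsftpd" name="disk.img" dev="sda1" ino=1235 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# ftpd_denials TEXT: print one "perm source_type target_type tclass" line
# per denial whose source domain is ftpd_t, ignoring everything else.
ftpd_denials() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ && /scontext=[^ ]*:ftpd_t:/ {
            perm = ""; src = ""; tgt = ""; cls = ""
            # The permission set sits between braces: "{ write }".
            if (match($0, /[{][^}]*[}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                # Contexts are user:role:type:level; the type is field 3.
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            }
            print perm, src, tgt, cls
        }'
}

# suggest_boolean TARGET_TYPE: the narrowest vsftpd boolean worth trying
# first for a given target type (illustrative mapping, assumed here).
suggest_boolean() {
    case "$1" in
        user_home_t|user_home_dir_t|home_root_t) echo ftp_home_dir ;;
        public_content_rw_t)                     echo ftpd_anon_write ;;
        *)                                       echo ftpd_full_access ;;
    esac
}

# Real use: ftpd_denials "$(grep 'comm="vsftpd"' /var/log/audit/audit.log)"
if [ "${1:-}" = "--demo" ]; then
    ftpd_denials "$AVC_SAMPLE" | while read -r perm src tgt cls; do
        printf '%s on %s (%s) -> try: setsebool -P %s on\n' \
            "$perm" "$tgt" "$cls" "$(suggest_boolean "$tgt")"
    done
fi
```

Run with `--demo` to see the constructed denials turned into a concrete boolean to try; on a real box, feed it the `comm="vsftpd"` lines from audit.log instead. Whatever boolean is chosen, confirm it with `getsebool` and re-test with SELinux back in enforcing mode, as the thread does.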
On 2018/05/23 8:24 AM, Nicolas Kovacs wrote:
> I'm currently setting up a local FTP server, to receive disk images
> sent with G4L (Ghost4Linux).
>
> This server has been running Slackware Linux before, and the
> Vsftpd setup was relatively simple.
>
> With CentOS things seem to be slightly different, so I'm currently
> trying to work things out. For the moment, two things seem to be
> creating problems, the simple iptables firewall and SELinux.
>
> When I disable the firewall and SELinux, Vsftp works as expected.
> So far so good.
>
> Now let's tackle this one dragon at a time. First the firewall.
> I'm starting with a very simple firewall script that looks somewhat
> like this. I'm linking to the template, I won't copy/paste the
> whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked
> like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I
> googled a bit, and I found out that there seem to be quite many
> different answers about the subject of "how do I configure my
> firewall for Vsftpd".

The ip_conntrack module is necessary, but not sufficient for dynamic FTP connection tracking. If you instead load ip_conntrack_ftp, it will auto-load ip_conntrack. (On a C7 server the modules are actually nf_conntrack_ftp and nf_conntrack, but the ip_* names are aliases for them so either will work.)

Oh, and to make the module configuration permanent, you can use either the CentOS config file at /etc/sysconfig/iptables-config file (look for the IPTABLES_MODULES line with associated comments) or on a systemd box you have the option of /etc/modules-load.d/ (man modules-load.d for details).
----
Nels Lindquist <nlindq at maei.ca>
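Putting the two halves of the thread's firewall answer together (Stephen's RELATED,ESTABLISHED rule ahead of the port-21 rule, and Nels's point that the FTP conntrack helper has to be loaded): the rejected packet in Niki's log, a SYN to port 38714, is the client opening the passive-mode data connection that vsftpd announced on the control channel; only the `ftp` helper can tag it RELATED so the first rule accepts it. The script below is an added example, not the script from the thread or from the linked repository. It assumes the interface name `enp0s3` from the log line, and two additions the thread does not mention: from Linux 4.7 onward the kernel no longer auto-assigns conntrack helpers by default, so an explicit `CT --helper ftp` rule in the raw table is needed there (harmless on CentOS 7's 3.10 kernel), and if vsftpd is pinned to a passive port range with `pasv_min_port`/`pasv_max_port` in vsftpd.conf, opening that range is a fallback that does not depend on the helper at all. The `PASV_RANGE` value is an assumed setting. Run it with `--apply` as root to load the rules; without arguments it only defines functions, and `IPT=dry_run` prints the rules instead of applying them.

```shell
#!/bin/bash
# Added example (not the thread's script): stateful iptables rules for a
# vsftpd host on a LAN, with the FTP conntrack helper and a passive-port
# fallback. Written so the rule set can be dry-run and inspected.
set -u

IFACE_LAN="${IFACE_LAN:-enp0s3}"          # assumed from the thread's log line
PASV_RANGE="${PASV_RANGE:-40000:40100}"   # assumed pasv_min_port:pasv_max_port
IPT="${IPT:-iptables}"                     # IPT=dry_run prints instead of applying

# dry_run: stand-in for iptables that prints the rule it was given.
dry_run() { printf '%s\n' "$*"; }

# load_ftp_helper: nf_conntrack_ftp pulls in nf_conntrack; the ip_* names
# are aliases. Persist it via /etc/modules-load.d/ or IPTABLES_MODULES.
load_ftp_helper() {
    modprobe nf_conntrack_ftp
}

# ftp_rules: emit the INPUT rules in the order that matters. The
# RELATED,ESTABLISHED accept must come before the per-port accepts, since
# the passive data connection is RELATED to the port-21 control session.
ftp_rules() {
    "$IPT" -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -p tcp -i "$IFACE_LAN" --dport 22 -j ACCEPT
    "$IPT" -A INPUT -p tcp -i "$IFACE_LAN" --dport 21 -j ACCEPT
    # Kernels >= 4.7 default nf_conntrack_helper=0: bind the helper explicitly.
    "$IPT" -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    # Fallback if vsftpd is pinned to a passive range in vsftpd.conf.
    "$IPT" -A INPUT -p tcp -i "$IFACE_LAN" --dport "$PASV_RANGE" -j ACCEPT
    "$IPT" -P INPUT DROP
}

# check_order: return 0 when, in a dry run of ftp_rules, the
# RELATED,ESTABLISHED accept precedes the port-21 accept (the thread's fix).
check_order() {
    local rules rel ftp
    rules=$(IPT=dry_run; ftp_rules)
    rel=$(printf '%s\n' "$rules" | grep -n 'RELATED,ESTABLISHED' | cut -d: -f1 | head -1)
    ftp=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT .*--dport 21 -j ACCEPT' | cut -d: -f1 | head -1)
    [ -n "$rel" ] && [ -n "$ftp" ] && [ "$rel" -lt "$ftp" ]
}

if [ "${1:-}" = "--apply" ]; then
    check_order || { echo "rule order wrong, refusing to apply" >&2; exit 1; }
    load_ftp_helper
    ftp_rules
fi
```

After applying, `cat /proc/sys/net/netfilter/nf_conntrack_helper` tells you whether automatic helper assignment is on, and `grep -i ftp /proc/net/nf_conntrack` during a transfer shows the control session with `helper=ftp` and the data connection it spawned; if the data connection never appears there, the helper is not seeing the control channel (most often because FTP over TLS hides the PASV reply from it, in which case the passive-range fallback is the only option).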