Hi Peoples,
I'm still beating my head with the Proftpd although I have solved my
original issue. That turned out to be an iptables issue and I'm
beginning to wonder if iptables is playing with me again. I have an FTP
server that allows anonymous downloads and with specific accounts able
to upload to the anonymous directory. The problem is, those users
cannot upload. I have attached my proftpd conf file and my iptables for
those willing to take a look and provide some feedback:
Thanks for any feedback.
Iptables:
#!/bin/bash
# Make sure modules are loaded
insmod ip_tables
insmod ip_conntrack
insmod ip_conntrack_ftp
insmod ipt_state
# Flush any existing rules
iptables -F
# Block x.x.x.x/x.x.x.x
iptables -A INPUT -s 194.150.236.171 -j DROP
iptables -A INPUT -s 213.193.230.2 -j DROP
iptables -A INPUT -s 205.134.230.2 -j DROP
iptables -A INPUT -s 201.15.13.42 -j DROP
iptables -A INPUT -s 61.100.12.125 -j DROP
iptables -A INPUT -s 193.136.200.48 -j DROP
iptables -A INPUT -s 61.218.41.152 -j DROP
iptables -A INPUT -s 61.183.22.0/24 -j DROP
iptables -A INPUT -s 80.228.206.0/24 -j DROP
iptables -A INPUT -s 67.94.106.0/24 -j DROP
# Allow other traffic
# iptables -A INPUT -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Drop all other traffic
#iptables -A INPUT -j DROP
Proftpd conf:
AuthPAMAuthoritative on
IdentLookups off
UseReverseDNS off
Port 21
Umask 022
ListOptions "-a"
AllowRetrieveRestart on
AllowStoreRestart on
MaxInstances 20
User nobody
Group nobody
ScoreboardFile /var/run/proftpd.score
<Global>
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
TransferLog /var/log/proftpd/xferlog
ExtendedLog /var/log/proftpd/access.log WRITE,READ
ExtendedLog /var/log/proftpd/auth.log AUTH auth
UseFTPUsers off
<Anonymous /var/ftp/pub>
AnonRequirePassword on
User gps
Group gps
#DefaultChdir /var/ftp/pub/
RequireValidShell off
<Limit STOR>
AllowAll
</Limit>
<Limit WRITE>
AllowAll
</Limit>
</Anonymous>
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
UserAlias anonymous ftp
DefaultChdir /pub/
RequireValidShell off
AnonRequirePassword off
<Limit LOGIN>
AllowAll
</Limit>
<Limit WRITE>
DenyAll
</Limit>
<Limit STOR>
DenyAll
</Limit>
<Limit READ>
AllowAll
</Limit>
</Anonymous>