On 23/05/2018 at 16:36, Nux! wrote:
> Try "iptables -I INPUT" for your FTP rule.

Doesn't work. I redirected all my errors to /var/log/messages, so here's
what I get when I try to connect Filezilla to that server.

May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0

I'm clueless here.

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Nicolas Kovacs wrote:
> On 23/05/2018 at 16:36, Nux! wrote:
>> Try "iptables -I INPUT" for your FTP rule.
>
> Doesn't work. I redirected all my errors to /var/log/messages, so here's
> what I get when I try to connect Filezilla to that server.
>
> May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
> OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
> DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
> SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
>
> I'm clueless here.

Oh, hell, it just hit me: are you using C7? If so, start out by running
firewall-cmd --list-all

        mark
> Doesn't work. I redirected all my errors to /var/log/messages, so here's
> what I get when I try to connect Filezilla to that server.
>
> May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
> OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
> DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
> SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0
>

FTP uses two ports - in active mode the server uses 21 for command and
20 for data after the initial connection. In passive mode it uses 21
for command and a high random port number for data. What is happening
is that you are blocking the high port number. (Yes, I know that's a
gross simplification.)

You could use active transfer and open port 20, or you could use
passive, which is more "secure", and allow connections to high port
numbers.

Search for active vs passive ftp for more info.

P.
On 23/05/2018 at 17:01, Pete Biggs wrote:
> You could use active transfer and open port 20, or you could use
> passive, which is more "secure", and allow connections to high port
> numbers.
>
> Search for active vs passive ftp for more info.

That helped, thanks. I added the following to /etc/vsftpd/vsftpd.conf:

  pasv_enable=YES
  pasv_min_port=50001
  pasv_max_port=50010

My firewall script now has the following stanza for FTP:

  # FTP
  $MOD ip_conntrack_ftp
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
  $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 50001:50010 -j ACCEPT

So the firewall problem seems solved.

Cheers,

Niki
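The diagnosis in the two messages above (a rejected SYN to a random high port is the passive data channel, and the fix is to pin vsftpd's passive range and open exactly that range) can be turned into a small check. The script below is an added example for this thread, not code posted by any participant: it pulls PROTO and DPT out of a netfilter "packet rejected" log line, classifies the drop against an assumed passive range of 50001-50010 (the same values as the vsftpd.conf lines above), and prints, without executing, the INPUT rules that would admit the control and data connections. The second log line is constructed; the first is the one from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a netfilter "packet rejected"
# log line against a vsftpd passive port range, and print the matching rules.

# Assumed values: the same pasv_min_port / pasv_max_port as in vsftpd.conf above.
PASV_MIN=50001
PASV_MAX=50010

# Print the value of KEY=VALUE in a netfilter log line, or nothing if absent.
# $1 = log line, $2 = key (e.g. DPT)
log_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Classify a rejected inbound packet from the server's point of view:
#   ftp-control         TCP to port 21
#   pasv-in-range       TCP to a port inside PASV_MIN..PASV_MAX; if this is still
#                       logged, the ACCEPT rule is missing or sits after the REJECT
#   high-port-unpinned  TCP to an ephemeral port (>1023) outside the range, i.e.
#                       vsftpd handed out a passive port the firewall never opened
#   other               anything else
classify_drop() {
    proto=$(log_field "$1" PROTO)
    dpt=$(log_field "$1" DPT)
    if [ "$proto" != TCP ] || [ -z "$dpt" ]; then
        echo other
    elif [ "$dpt" -eq 21 ]; then
        echo ftp-control
    elif [ "$dpt" -ge "$PASV_MIN" ] && [ "$dpt" -le "$PASV_MAX" ]; then
        echo pasv-in-range
    elif [ "$dpt" -gt 1023 ]; then
        echo high-port-unpinned
    else
        echo other
    fi
}

# Emit (without executing) the INPUT rules that admit the control connection and
# the pinned passive data ports on one interface. nf_conntrack_ftp is the
# helper's module name on current kernels (the thread's script loads it under
# the older name ip_conntrack_ftp); with it loaded, the RELATED,ESTABLISHED rule
# also covers data connections the helper has seen announced on port 21.
ftp_rules() {
    iface=$1
    printf '%s\n' \
        "modprobe nf_conntrack_ftp" \
        "iptables -A INPUT -p tcp -i $iface --dport 21 -j ACCEPT" \
        "iptables -A INPUT -p tcp -i $iface --dport $PASV_MIN:$PASV_MAX -j ACCEPT" \
        "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# The rejected packet quoted in the thread (DPT=38714, a passive data port that
# was never opened) and a constructed line for a port inside the pinned range.
SAMPLE_UNPINNED='May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2 DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0'
SAMPLE_PINNED='May 23 17:30:00 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3 OUT= SRC=192.168.2.2 DST=192.168.2.12 PROTO=TCP SPT=51480 DPT=50005 SYN'

echo "thread log line : $(classify_drop "$SAMPLE_UNPINNED")"
echo "constructed line: $(classify_drop "$SAMPLE_PINNED")"
ftp_rules enp0s3
```

Two things worth keeping in mind when applying the printed rules: they must come before the chain's final REJECT (hence the earlier "-I INPUT" suggestion), and the conntrack helper only works while the control channel is plaintext, so a server that switches to FTPS loses the RELATED matching and relies entirely on the explicitly opened passive range.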
On 23/05/2018 at 17:01, Pete Biggs wrote:
> FTP uses two ports - in active mode the server uses 21 for command and
> 20 for data after the initial connection. In passive mode it uses 21
> for command and a high random port number for data. What is happening
> is that you are blocking the high port number. (Yes, I know that's a
> gross simplification.)

I've updated the documentation on my blog:

https://blog.microlinux.fr/vsftpd-centos/

Cheers,

Niki