Vsftpd Vs. Iptables Firewall Script


Hi,

I’m currently setting up a local FTP server, to receive disk images sent with G4L (Ghost4Linux).

This server has been running Slackware Linux before, and the Vsftpd setup was relatively simple.

With CentOS things seem to be slightly different, so I’m currently trying to work things out. For the moment, two things seem to be creating problems, the simple iptables firewall and SELinux.

When I disable the firewall and SELinux, Vsftp works as expected. So far so good.

Now let’s tackle this one dragon at a time. First the firewall. I’m starting with a very simple firewall script that looks somewhat like this. I’m linking to the template, I won’t copy/paste the whole thing here.

https://github.com/kikinovak/CentOS-7-server-lan/blob/master/config/firewall/firewall-standalone.sh

Under Slackware, the iptables rule for a local FTP server looked like this:

modprobe ip_conntrack
iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT

I tried this, but to no avail. Can’t connect to my server. I googled a bit, and I found out that there seem to be quite a few different answers on the subject of “how do I configure my firewall for Vsftpd”.

Any suggestions ?

Niki


Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Site : https://www.microlinux.fr Blog : https://blog.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32

12 thoughts on - Vsftpd Vs. Iptables Firewall Script

  • On 23/05/2018 at 16:36, Nux! wrote:

    Doesn’t work. I redirected all my errors to /var/log/messages, so here’s what I get when I try to connect Filezilla to that server.

    May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
    OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
    DST=192.168.2.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30737 DF PROTO=TCP
    SPT=51474 DPT=38714 WINDOW=29200 RES=0x00 SYN URGP=0

    I’m clueless here.


  • FTP uses two ports – in active mode the server uses 21 for command and
    20 for data after the initial connection. In passive mode it uses 21
    for command and a high random port number for data. What is happening is that you are blocking the high port number. (Yes, I know that’s a gross simplification.)

    You could use active transfer and open port 20, or you could use passive, which is more “secure”, and allow connections to high port numbers.

    Search for active vs passive ftp for more info.

    P.

  • OK looking at this, try changing the script as follows:

    # Established connections
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # SSH
    $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 22 -j ACCEPT

    # FTP
    $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT


    Stephen J Smoogen.

  • I forgot to say why. The RELATED is used to say that it is ok that the ftp extra ports are kept track of. Without it they are dropped as you are seeing.


    Stephen J Smoogen.

  • Nicolas Kovacs wrote:

    Oh, hell, it just hit me: are you using C7? If so, start out by running firewall-cmd --list-all

    mark

  • Nicolas Kovacs wrote:

    A suggestion: once you’ve got the firewall issue dealt with, set selinux into permissive mode; *then* you can figure out what it’s complaining about, while at the same time, your system will be available. Once you’ve fixed those issues, then you can make it enforcing.

    mark

  • On 23/05/2018 at 17:01, Pete Biggs wrote:

    That helped, thanks.

    I added the following to /etc/vsftpd/vsftpd.conf:

    pasv_enable=YES
    pasv_min_port=50001
    pasv_max_port=50010

    My firewall script now has the following stanza for FTP:

    # FTP
    $MOD ip_conntrack_ftp
    $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
    $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 50001:50010 -j ACCEPT

    So the firewall problem seems solved.

    Cheers,

    Niki


  • On 23/05/2018 at 16:58, m.roth@5-cent.us wrote:

    This is always my approach. Turns out the solution was rather simple here. After switching SELinux to permissive mode and connecting to the server, I did this:

    # sealert -a /var/log/audit/audit.log

    The problem here was that I got a small tsunami of suggestions. But in the middle of this flood, I got a boolean to set, so on a hunch, I tried that:

    # setsebool -P ftpd_full_access 1

    Turns out this solved all SELinux-related problems. So Vsftp works perfectly now with my custom Iptables firewall *and* SELinux in enforcing mode.

    Cheers & thanks for all your suggestions.

    Niki


  • Nicolas Kovacs wrote:

    ARGH! No. We get entries in /var/log/messages that tell you to run sealert *with* a given number. I just highlight, copy and run that, not try to read the whole audit log.

    mark
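The two SELinux steps above, Niki's `sealert -a` over the whole audit log with its "tsunami of suggestions" and mark's shortcut of copying the `sealert -l <id>` command out of /var/log/messages, as an added example that is not code from the thread. The first helper pulls the distinct `sealert -l` commands out of setroubleshoot's log lines; the second takes the text of one `sealert -l` report and orders its suggestions by the confidence figure setroubleshoot prints, so the boolean worth trying first is visible without reading the flood. The log lines and the report are constructed samples in the shape of setroubleshoot/sealert output (that format is an assumption here, not something the thread shows); the UUIDs and paths are made up.

```shell
#!/bin/sh
# Added example for this thread, not code from the list.
#  - sealert_cmds: the "sealert -l <id>" commands setroubleshoot writes to
#    /var/log/messages (mark's approach), deduplicated, first-seen order.
#  - rank_suggestions: the suggestions inside one "sealert -l" report, ordered
#    by the confidence setroubleshoot assigns to each plugin.
# Both inputs below are constructed samples in the assumed setroubleshoot/sealert
# format; the UUIDs and paths are made up.

SAMPLE_MESSAGES=$(cat <<'EOF'
May 23 17:12:01 c7-server setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from read access on the directory /home/ghost. For complete SELinux messages run: sealert -l 0f1c2d3e-4a5b-6c7d-8e9f-0a1b2c3d4e5f
May 23 17:12:01 c7-server python: SELinux is preventing /usr/sbin/vsftpd from read access on the directory /home/ghost.
May 23 17:12:05 c7-server setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from read access on the directory /home/ghost. For complete SELinux messages run: sealert -l 0f1c2d3e-4a5b-6c7d-8e9f-0a1b2c3d4e5f
May 23 17:13:40 c7-server setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from write access on the file /home/ghost/disk.img. For complete SELinux messages run: sealert -l 9b8a7c6d-5e4f-3a2b-1c0d-ffeeddccbbaa
EOF
)

SAMPLE_REPORT=$(cat <<'EOF'
SELinux is preventing /usr/sbin/vsftpd from read access on the directory /home/ghost.

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow ftpd to full access
Then you must tell SELinux about this by enabling the 'ftpd_full_access' boolean.
Do
setsebool -P ftpd_full_access 1

*****  Plugin catchall_boolean (47.5 confidence) suggests   ******************

If you want to allow ftp to home dir
Then you must tell SELinux about this by enabling the 'ftp_home_dir' boolean.
Do
setsebool -P ftp_home_dir 1

*****  Plugin catchall (4.76 confidence) suggests   **************************

If you believe that vsftpd should be allowed read access on the ghost directory by default.
Then you should report this as a bug.
Do
ausearch -c 'vsftpd' --raw | audit2allow -M my-vsftpd
EOF
)

# sealert_cmds LOG_TEXT -> one "sealert -l <uuid>" per distinct alert, first-seen order
sealert_cmds() {
    printf '%s\n' "$1" | grep -o 'sealert -l [0-9a-f-]*' | awk '!seen[$0]++'
}

# rank_suggestions REPORT_TEXT -> "confidence<TAB>plugin<TAB>command", highest first
rank_suggestions() {
    printf '%s\n' "$1" | awk '
        /^\*+ *Plugin / { plugin = $3; conf = substr($4, 2); next }   # "(47.5" -> "47.5"
        /^Do$/          { grab = 1; next }                            # the next line is the command
        grab            { printf "%s\t%s\t%s\n", conf, plugin, $0; grab = 0 }
    ' | sort -k1,1nr
}

sealert_cmds "$SAMPLE_MESSAGES"
rank_suggestions "$SAMPLE_REPORT"
```

The confidence figures are setroubleshoot's heuristics, so ties (the two 47.5 entries above) come out in arbitrary order; what the ranking buys you is separating the boolean suggestions from the low-confidence catchall. When two booleans are offered, the narrower one that covers the actual path keeps more of vsftpd's confinement than ftpd_full_access, which as its name says lifts the file-access restrictions wholesale.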

  • The ip_conntrack module is necessary, but not sufficient for dynamic FTP connection tracking.

    If you instead load ip_conntrack_ftp, it will auto-load ip_conntrack.
    (On a C7 server the modules are actually nf_conntrack_ftp and nf_conntrack, but the ip_* names are aliases for them so either will work.)

    Oh, and to make the module configuration permanent, you can use either the CentOS config file at /etc/sysconfig/iptables-config file (look for the IPTABLES_MODULES line with associated comments) or on a systemd box you have the option of /etc/modules-load.d/ (man modules-load.d for details).
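Pulling the firewall side of the thread together (Pete's active/passive explanation, Stephen's RELATED state rule, Niki's final FTP stanza and the note above on nf_conntrack_ftp), here is an added example; it is not code from the list and not part of Niki's firewall-standalone.sh. It reads pasv_min_port/pasv_max_port out of vsftpd.conf and emits the matching rules, so the range opened in iptables cannot drift from the one vsftpd hands out to clients, and it refuses a missing, privileged or inverted range rather than opening nonsense. The interface name enp0s3 is taken from the rejected-packet log line earlier in the thread and is an assumption; DRY_RUN=1 (the default here) prints the commands instead of executing them, so it runs without root or iptables.

```shell
#!/bin/sh
# Added example for this thread; not Niki's firewall-standalone.sh and not
# code from the list. Derives the passive-FTP rules from vsftpd.conf and loads
# the FTP conntrack helper so the RELATED state rule can admit data
# connections (active-mode port 20 included).
# Assumptions: IFACE_LAN is the LAN interface (enp0s3 is the name in the
# rejected-packet log line in this thread); DRY_RUN=1 prints the commands
# instead of running them.

DRY_RUN="${DRY_RUN:-1}"
IFACE_LAN="${IFACE_LAN:-enp0s3}"

# Constructed sample of the vsftpd.conf lines that matter here (same values
# Niki posted); in practice read /etc/vsftpd/vsftpd.conf instead.
SAMPLE_VSFTPD_CONF=$(cat <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=50001
pasv_max_port=50010
EOF
)

# conf_value CONF_TEXT KEY -> value of the last "KEY=value" line, or nothing
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" | tail -n 1
}

# pasv_range CONF_TEXT -> "MIN:MAX" in iptables syntax; fails on a missing,
# non-numeric, privileged or inverted range instead of opening nonsense.
pasv_range() {
    min=$(conf_value "$1" pasv_min_port)
    max=$(conf_value "$1" pasv_max_port)
    for p in "$min" "$max"; do
        case "$p" in
            ''|*[!0-9]*) echo "pasv_min_port/pasv_max_port missing or not numeric" >&2; return 1 ;;
        esac
    done
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ] || [ "$min" -gt "$max" ]; then
        echo "unusable passive range $min:$max" >&2
        return 1
    fi
    echo "$min:$max"
}

# run CMD ARGS... -> print the command (dry run) or execute it
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ftp_rules CONF_TEXT -> the module load and the three INPUT rules, in order
ftp_rules() {
    range=$(pasv_range "$1") || return 1
    # nf_conntrack_ftp (alias ip_conntrack_ftp) pulls in nf_conntrack itself and
    # is what marks a data connection announced on port 21 as RELATED.
    run modprobe nf_conntrack_ftp
    # Without RELATED only replies to connections the host opened itself pass,
    # which is why the SYN to a high port in Niki's log was rejected.
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A INPUT -p tcp -i "$IFACE_LAN" --dport 21 -j ACCEPT
    run iptables -A INPUT -p tcp -i "$IFACE_LAN" --dport "$range" -j ACCEPT
}

ftp_rules "$SAMPLE_VSFTPD_CONF"
```

Run it with DRY_RUN=0 as root to apply the rules for real. One caveat not raised in the thread: on the CentOS 7 kernel, loading nf_conntrack_ftp is enough for the helper to attach to port 21 automatically, but kernels from 4.7 onward ship with automatic helper assignment (net.netfilter.nf_conntrack_helper) switched off, and there the helper has to be assigned explicitly with a CT target rule in the raw table; otherwise the RELATED rule quietly stops matching FTP data connections.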
